[Owasp-board] OWASP EU

dinis cruz dinis.cruz at owasp.org
Fri Jun 4 21:49:34 UTC 2010

In sequence to the 'rant' email I sent earlier this week about the lack of
focus/attention that the guidelines I proposed were receiving from the other
board members, when talking to Jeff about the problem of getting real
feedback from the board, the idea came up that we should be much more formal
on some of our Board duties.

So here is my proposal, when a board member proposes a set of guidelines or
presents a model to deal with a particular issue (like I did with the OWASP
Commercial Services and Jeff is doing below) we should trigger a formal
'RFC' process where ALL OWASP Board members have to provide 'on the record'
comments (i.e. they have to read it properly, think about the issue and
provide feedback (even if it is to say in the end 'I agree 100% with this
model')). We talk a lot about the need to have governance at OWASP, well
this is a good example of it, and in my view, the best way to deal with a
lot of the issues that pop up at OWASP, is to have clear guidelines and
ideas about how to deal with them.

So Kate, what I would like you to do, is (from now on and starting with
these two issues), open a 'case' (or whatever name you want to call it) to
handle the RFC (Request For Comment) process.

With the focus that the objective is to: a) get feedback, b) reach a
consensus and c) vote; here is a proposed workflow:

 - Create a GoogleDoc with the original proposal (maybe on top of an RFP
template), and share it with the other board members
 - Make an announcement (to the board) about that specific RFC and the
proposed timings (for example need to provide feedback in the next 5 days,
 - Keep track of who is responding, and in the cases where there is no
feedback/attention from a particular board member, start (gently at first
and harder as time goes by) pressuring them to comment.

Part of the process should be that at the end (unless the issue is really
sensitive) all information should be published to the Wiki and made
available to our leaders (this will have the positive side effect to show
the level of discussion and care that we tend to have when dealing with key

Kate, does that make sense?

Kate, can you add this for discussion/vote at the next board meeting?



On 4 Jun 2010, at 00:53, Jeff Williams <jeff.williams at owasp.org> wrote:

There are a few key goals for board members at an OWASP AppSec Conference.
I’d like to get your thoughts and improvements, and then capture these and
make it part of the Conference Handbook….

The OWASP Board will make every effort to have at least one OWASP Board
Member in attendance at each AppSec conference. The Board Member will…

1) Provide a keynote or other address on OWASP, our goals, vision,
strategy, ethics, projects, membership, and progress. The goal is to
introduce attendees to OWASP and our culture, describe membership program,
attract contributors, and inspire people about the importance of application

2) Ensure that OWASP principles and ethics are upheld in all aspects of
the prosecution of the conference. In particular, ensure that OWASP’s brand
is not misused by commercial entities.

3) Provide logistical support and the ability to make quick decisions
on the ground (within reason) without having a formal board meeting and
decision process.

4) Serve as a lightning rod for any issues, problems, suggestions or
praise that anyone wants to provide about OWASP and bring them to the
appropriate committee or OWASP Board.

5) Assess the general operation of the local/regional OWASP
organization, chapters, sponsors, leaders, and contributors. The goal is to
use this information to strategize how to grow OWASP’s presence in the
region and support the local leadership.

6) Meet with local leaders from OWASP, government, vendors, and
industry to get them to understand why application security is important and
joining with OWASP makes sense.


Jeff Williams, Chair

The OWASP Foundation

work: 410-707-1487

main: 301-604-4882

*From:* owasp-board-bounces at lists.owasp.org [mailto:
owasp-board-bounces at lists.owasp.org] *On Behalf Of *Tom Brennan
*Sent:* Thursday, June 03, 2010 9:23 AM
*To:* Eoin
*Cc:* OWASP Foundation Board List
*Subject:* Re: [Owasp-board] OWASP EU

It was decided that at our conferences
http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference  (1) board
member at every OWASP Conference for organization continuity and to deliver
a kick off. Kate pulled the straws on this.

Attached is what I delivered at OWASP Denver conference yesterday and
tomorrow at OWASP Mexico and updated as needed at each event.

After that time should be utilized to LISTEN to the regional people of what
is going on, what is working and what is not.  We had a lively discussion
yesterday about commercial services registry, the 100k negative on the
balance sheet and many ideas about making OWASP better globally.
