[Owasp-board] Thoughts on Committee Goals, Authorities and Expectations

Jeff Williams jeff.williams at owasp.org
Thu Oct 7 20:17:02 UTC 2010

Hi Mark,


Your thoughts here are extremely timely as this exact issue is on the agenda
for the next board meeting. We absolutely want to empower our committees to
do what they think is right for OWASP.  The Board is here to help guide,
advise, and help.  But you're right that we haven't made the boundaries
clear and it's causing confusion and inefficiency.  I appreciate your candid
input and I encourage you to reach out and push the Board to move on things
as much as possible.
Jeff Williams, Chair

The OWASP Foundation

work: 410-707-1487

main: 301-604-4882


From: Mark Bristow [mailto:mark.bristow at owasp.org] 
Sent: Thursday, October 07, 2010 1:49 PM
To: jeff.williams at owasp.org
Subject: Thoughts on Committee Goals, Authorities and Expectations
I've been involved with OWASP for about 5 years now and while it was a large
organization when I got involved, I've watched OWASP grow even larger and
expand its reach for getting the AppSec message out and help secure our web
applications, which is fantastic.  I was also a supporter of the committee
system as identified at the 2008 Summit and agree that as we grow we need to
re-define our internal organizational structure in order to support and
foster that growth.  However, as the Global Conferences Committee Chair, I
find myself a bit concerned about how OWASP currently functions as an
organization and think that with a few simple steps we could enable
ourselves to continue our trajectory of growth to further the mission.


I've been working on this email for some time and as the 2011 Global Summit
is soon approaching, and committees have been asked to provide agendas for
working sessions, I figured now was the best time to send this and put some
thought into it as the Summit would provide a great venue to address some of
these issues.


Since (somewhat unexpectedly and magically from my POV) taking the helm of
the GCC, I've tried to define some areas where we can improve conference
support for OWASP.  We implemented a system to call for AppSec conferences
(with varying success) and have made additional resources and policies
available for conference planners to help provide them the resources they
need to put on a successful event.  These initiatives, to name a few, were
dreamt up and implemented solely by the conferences committee, and while I
think they were important, what is not clear is exactly how these
initiatives and the conference committee agenda fit into the board's
overall vision for OWASP.


I think that something that is lacking in the Committee structure (at least
on the Conferences Committee) is a clear set of defined goals and
authorities.  I've had a few conversations with other committee members,
chapter leaders, and OWASP members who have somewhat echoed this point of
"what do/can the Committees do?".  To my experience there isn't a clear set
of parameters for either authorities or goals.  


As an example, let's take the upcoming OWASP 2011 Summit.  This frankly is
something that I feel clearly falls into the GCC lane to coordinate and
organize, or at a minimum provide oversight.  However I as the GCC Chair was
not even informed that the board had made the decision to start up a
committee to run the 2011 Summit (and in fact, as an AppSec DC organizer, I
had been told we would have a summit in DC, it wasn't until I was up against
the wall for requirements with our venue did someone tell me that we weren't
having it..).  


Another example is budgetary authority.  Frequently I get requests to send
SCHWAG to an OWASP supported event, or asked questions if we staff a free
booth someone wants to give us, etc.  As it stands, I have no way to do this
directly and each time I have to get Kate or someone to ask permission to
get this done with wildly varying results as it's not clear exactly who
should be approving these types of requests so we have to bug whatever board
member Kate gets hold of to get approvals.  


Also, the GCC is chartered to "determine location, frequency and to oversee
and direct global conferences, speakers and training", however some of our
efforts to do this (for example requiring budget proposals and updates et
al.), are hampered as we have no actual authority over conference funds.
When a conference doesn't meet the requirements we have set forth (as an
example I have not gotten budgets from either AppSec Ireland or AppSec US,
still) we have no recourse to encourage them to do so because our authority
is not clear.  The Authorities question is also exhibited in some of the
board's behaviors as questions about conferences are typically directly
answered (occasionally in opposition to policies) instead of forwarded to
the committees for action.  Additionally the board will occasionally require
board votes on items that appear to be committee business (such as assigning
AppSec locations) but this is not evenly applied causing much confusion.
At this point, it's not even clear if the GCC is actually allowed to
authorize conferences and manage them as conferences will occasionally
"announce" themselves and the GCC is put into position where there is no
mechanism or requirement to point to describing how it needs to be
coordinated first.  


If the board wishes to maintain all of these authorities, I definitely
understand that, however as we grow, these functions are going to be harder
and harder to manage at that level and was the reason I thought the
committees were created.


Moving from authorities back to goals, as a Committee Chair, I'm still not
entirely clear as to what OWASP would like me to do with my committee at any
point.  This lack of clarity I feel has really hurt our ability to operate
cohesively.  I think outlining a few goals would clear up both the direction
and authorities of the committees.  As an example some 2011 GCC goals could


*	Host an AppSec Conference in the US, Asia, Europe and South
*	Hold at least 10 regional events around the globe
*	Generate $200,000 of income for the foundation
*	Provide up to $25,000 in support for local events
*	Assess and select a system for managing OWASP events and conferences
*	Provide additional marketing and event support resources to event
*	Get at least 5,000 non-members to attend an OWASP event
*	Develop the AppSec and Regional event schedule for 2010
*	Develop policies to govern OWASP Event management

These are some clearly defined goals that the committee could work toward
and provide a bit more clarity in our mission.  These goals may even be a
bit too tactical, and may not work in the vision of the board, but at a
minimum I think they provide examples of the types of obtainable goals that
could be set.  The way I would frame it is, what do I want the Conferences
Committee to do in the next 1, 3, 4 years?  And then enable the committee to
allocate the resources and set the direction to move forward and accomplish
those goals.


I hope that this effectively communicates some of my frustrations, and I
apologize for the length however as a Committee Chair I think that if we
could manage our goals/authorities better, we could better set the
expectations for the GCC and other committees and therefore help OWASP as an
organization grow and flourish.



Mark Bristow

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
AppSec DC 2010 Organizer - https://www.appsecdc.org
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
