[Owasp-board] Clarification of OWASP Structure

Michael Coates michael.coates at owasp.org
Thu Mar 22 04:54:33 UTC 2012


We've provided guidance in the form of recommendations for a new chapters / committee policy as part of the lascon exception vote - see http://owasp.blogspot.com/2012/02/approval-of-lascon-exception.html

Two additional questions were posed by the chapters committee to clarify the board's view of the OWASP organization. The questions point to a larger issue:
Is OWASP a group of small chapters and a stronger central foundation? Or is OWASP strong chapters and a decentralized foundation?

I will state my opinion very clearly.  First, I don't believe OWASP is at either extreme but I do believe that OWASP is a single entity and should be structured as such.

The OWASP foundation was created to advance the OWASP mission. One method that we use to advance our mission is the creation of local chapters to grow the OWASP community. We also support an incredibly important array of projects, the OWASP wiki, and various conferences and training events. To continue to be successful OWASP must maintain a strong foundation to advance the mission of OWASP while providing a structure for chapters to grow and explore various methods of success. In the end, the combined materials that are donated to OWASP are what makes OWASP great. We have owasp.org, not owasp-wiki-chapterX.org.

The overall message is that OWASP is a central force and a single mission. All participants contribute to advance this mission. Policies governing chapters are intended to allow chapters to experiment and grow, but our goal is not to create an environment where the OWASP foundation suffers as a whole while individual chapters, which are pieces of the OWASP family, succeed to the detriment of the rest.

I believe the following will set up OWASP for success:
- create policies that allow flexibility
- minimize unnecessary bureaucracy
- design policies to empower leaders and include transparency to minimize concerns of misuse
- recognize that OWASP must continue to operate as a whole and structure policies accordingly

I hope the above information, combined with guiding principles from http://owasp.blogspot.com/2012/02/approval-of-lascon-exception.html is sufficient to enable our committees to work out an agreed-upon policy. However, I do recognize that they may be unable to reach a decision. If that is the case we may need to explore the possibility of providing specific detailed requirements instead of the guiding principles that we've made thus far.

Michael Coates | OWASP
michael.coates at owasp.org | @_mwc
