[Owasp-board] Business Plan outline - project and consulting work

Samantha Groves samantha.groves at owasp.org
Wed Apr 30 00:35:03 UTC 2014

Hello All,

Sarah has asked me to review the business proposal in more detail, and I
just wanted to share my thoughts on the situation and the proposed SWAMP
integration agreement.

As you know, Kevin and I have been working on this proposal for some time.
Originally, this discussion started with SWAMP wanting to sponsor a project
summit based on our tools projects, but it slowly evolved into more of a
consulting type of engagement. I then shared my concerns with Sarah, and
asked for her help as the scope of this agreement had changed into one
where OWASP could potentially find itself liable.

Now, after reading Sarah’s business proposal, I have to say, that I am in
total agreement with what she recommends. I do not believe we should move
forward with this opportunity as it stands, or opening up a consultancy
business for us under the foundation umbrella at this point in time. Here
is why:

1). Infrastructure: We do not have the appropriate operational
infrastructure set up to run a consultancy. It is a very different type of
business, and it requires dedicated resources to build and run it.

2). Human Resources: We do not have the staff or the funds to hire the
staff we would need to open this new line of business. You will need to
hire your project, operations, and sales staff to start, as Sarah pointed

Moreover, I HIGHLY recommend we not rely on volunteer efforts to complete
contracted work. As I mentioned, consulting is a very different type of
business with different risks and liabilities, and to rely on volunteers to
complete your contractual obligations is not a very good business decision.
You need dedicated resources that are directly accountable for delivery as
the statements of work and project plans are rigid. There is very little
flexibility, and from my experience, volunteers need flexibility when
working on projects as this work is not their primary source of income.

Now, I realize that we have won several grants for our projects that give
them the funding they need to complete project milestones. However, I would
like to clarify and stress that receiving grant funds, and entering into a
business contract, are two very different endeavors. Grants are far more
flexible, and they are a donation for a very particular purpose made to an
organization. This is why having volunteers work on projects with grant
funding is far more reasonable as the timeline, milestones, and
deliverables are flexible. They are more in line with the innovation type of
platform we currently have.

3). Legal Liabilities: Now, I am not legal counsel by any stretch of the
imagination, but I have been trained in basic international business law
and IP. Sarah outlines the legal risks to our business perfectly in section
VII of her proposal. As I mentioned, getting into a contractual agreement
with another organization, whether the products are open-source or not,
still makes us liable for delivery of whatever is specified in the
contract. I have read Jim’s comment about OWASP providing no-warranty as
the product is open source, and that is correct. The products are without
warranty (open-source); however, our legal liability to produce what is in
the contract, is not. They are two separate things.

These are only three of quite a few other concerns I have about this new
line of business, and entering into an agreement with the SWAMP team at
this point in time. The way I see it, we have two questions:

1. Should we enter into the proposed agreement with SWAMP?

2. Should we start a new line of business: Consulting?


1. I do not believe we should enter into the agreement with SWAMP as the
contract makes us liable for the work produced, as it stands. Now, if Kevin
and team are ok working with the project leaders directly, then I see no
issue with that. However, I highly recommend that the foundation not enter
into a contract with another organization (SWAMP) on a consultancy basis as
we are fully aware we do not have the infrastructure to deliver what is
promised in the Statement of Work. We are taking a big risk, and while I am
very comfortable with risks and recommend them in business, we must make
sure to take calculated risks. This, to me, is not a calculated risk. It is
a reactive one based on an opportunity that we might not be able to make
good on.

2. I do not recommend we do this at this time. I think it is an excellent
idea to consider in a year’s time, but we are not in a position where we
can take this on right now. It requires quite a bit of investment, and as I
see it, we are not even in a position to make appropriate business
decisions when it comes to starting lines of business like this. The fact
that we were even entertaining the idea that we should run this consultancy
under the OWASP non-profit umbrella makes it clear to me that we are not
ready to take this on. We cannot run it as a separate program. As Sarah
suggested, we will need to start a new organization, such as a for-profit
subsidiary of our non-profit, so we can shift liability to that entity in
case anything goes wrong. This way, if we are sued into bankruptcy, we
still have the mother-ship intact.

These are just my 2 cents after briefly reviewing the situation and scope.
I hope it is helpful.

Thank you, Sarah and Board.


On Mon, Apr 28, 2014 at 6:03 PM, Sarah Baso <sarah.baso at owasp.org> wrote:

> All -
> Here is the (brief) business plan I put together on the project and
> consulting work such as that being requested by DHS Swamp.  Admittedly, I
> stopped with the details on what rolling out a plan like this would look
> like after doing some initial research on the legal and tax
> repercussions for us.  Additionally, I don't think this exact model is in
> alignment with the charity work we are trying to accomplish.
> This is not to say we shouldn't look for funding opportunities to develop
> our projects - but I don't think this model is the right one for us.
> https://docs.google.com/document/d/1S3J8Krkysqr0m5U9-NLefMCOGvmGFw30oJU-8IMH4zQ/edit?usp=sharing
> I look forward to hearing your thoughts.
> Sarah Baso
> --
> Executive Director
> OWASP Foundation
> sarah.baso at owasp.org
> +1.312.869.2779


*Samantha Groves, MBA*

*OWASP Projects Manager*

The OWASP Foundation

Phoenix, USA

Email: samantha.groves at owasp.org

Skype: samanthahz

OWASP Global Projects<https://www.owasp.org/index.php/Category:OWASP_Project>

Book a Meeting with Me <http://goo.gl/mZXdZ>

OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>

New Project Application Form <http://www.tfaforms.com/263506>