[Owasp-board] Discussion on Proposal 6

Tobias tobias.gondrom at owasp.org
Tue Oct 13 22:13:19 UTC 2015


Josh,

Let's fix the problem instead of creating a new list, just because the 
old one was not totally up-to-date. Especially as we have not even really 
tried hard to update the existing list and keep it maintained. So I 
would rather fix the problem you mention, aka "update the list", than 
make a more complicated construct with letting people parse and search 
through a long unstructured list.

This will equally achieve the same objective, which I agree is 
important. Just with clearer structure and less searching and confusion.

Best regards, Tobias


On 13/10/15 21:10, Josh Sokol wrote:
> All,
>
> Take a look at the list of what is allowed in the project or chapter 
> handbook.  Then consider all of the things that chapters and projects 
> spend their money on today.  These lists are not kept up-to-date with 
> what is appropriate.  It's not a problem in-and-of-itself as Paul et 
> al are usually pretty quick to approve, but we have heard from a 
> number of members of our community that it is NOT CLEAR WHAT they can 
> spend their money on.  Think of the current approach as an Access 
> Control List where we have a default deny and a very short list of 
> what is allowed through.  It's secure, but the usability is 
> challenging.  This proposal allows us to dynamically expand that ACL 
> based on what others in the organization are doing.  Stuff not in the 
> list requires approval from Ops, just as it does today, but with the 
> knowledge that approval is an explicit approval for anyone to do it.  
> We should have no situation at OWASP where something is OK for one 
> chapter or project and not OK for another.  If you can think of one, 
> please let me know and prove me wrong. Liability is limited to 1) The 
> amount in a chapter or project account (i.e. they are spending "their" 
> money) and 2) What has already been approved for someone else.  This 
> is VERY LOW RISK and VERY HIGH REWARD because it gets money moving.  
> If you want to propose revised language to fine-tune it, please do so, 
> but this is very much necessary to get people spending.
>
> ~josh
>
> On Tue, Oct 13, 2015 at 11:45 AM, Paul Ritchie <paul.ritchie at owasp.org 
> <mailto:paul.ritchie at owasp.org>> wrote:
>
>     To Foundation Board list.
>
>     _On this proposal #6, and the red-tape issue, or excessive effort
>     for Operations:_
>
>     On approving and paying reimbursements, we really don't have much
>     red-tape....when the expense is fully covered within the Chapter
>     or Project budget.
>     We Ask:  Does the Project/Chapt have the budget?  Does the expense
>     fit the guidelines in the Handbook? IF yes, the reimbursement is
>     paid, no problem.
>
>     _On Maintaining a list_
>     From an operations point, I'd like to keep the Project & Chapter
>     Handbooks updated as the source of the spending guidelines &
>     policy statements. Those are our "manuals" and I'd like to
>     reinforce all community members to look there first.  The current
>     lists could be updated by Noreen & Claudia.
>
>     For new listing, it is probably smart to add a list or table of
>     'approved & supported' expenses to the wiki pages for Funding,
>     Projects & Chapters.   My belief here is that it is the 'same
>     info' as found in the Handbook, it's just immediately visible on
>     the main page of the Project or Chapter wiki pages.
>     Yes, some medium amount of work to create & update this list, but
>     it's mostly a one-time effort.
>
>     _The only Caution:_
>
>     We have seen a couple projects or chapters ask for hardware, or
>     cloud-based software services.  My Caution is that before we just
>     auto-approve an expense for this category of 'stuff' we ask if the
>     Chapter or Project need can be solved with existing Foundation
>     Infrastructure.......or the infrastructure already owned or rented
>     by other Chapters.
>
>     Just trying to minimize redundancy on this topic. Plus, ownership
>     is a red-tape issue here as the Foundation is the only one who has
>     been signing contracts and agreements for hardware & software.
>
>     Paul
>
>
>
>
>     Best Regards, Paul Ritchie
>     OWASP Executive Director
>     paul.ritchie at owasp.org <mailto:paul.ritchie at owasp.org>
>
>
>     On Tue, Oct 13, 2015 at 2:43 AM, Jim Manico <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>> wrote:
>
>         Been thinking about this, I think you're right Fabio and
>         Tobias. Perhaps make this bill more general and let operations
>         figure out the "how"?
>
>         It doesn't look like this will pass as is.
>
>         --
>         Jim Manico
>         Global Board Member
>         OWASP Foundation
>         https://www.owasp.org <https://www.owasp.org/>
>         Join me in Rome for AppSecEU 2016!
>
>         On Oct 13, 2015, at 11:35 AM, Fabio Cerullo
>         <fcerullo at owasp.org <mailto:fcerullo at owasp.org>> wrote:
>
>>         I share Tobias concerns on this one. A populated list
>>         maintained by the Foundation might be a better approach IMHO.
>>
>>         Fabio Cerullo
>>         Global Board Member
>>         OWASP Foundation
>>         https://www.owasp.org
>>
>>>         On 13 Oct 2015, at 6:27 a.m., Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>>
>>>>         1. Sorry for re-iterating my point from before, but I do
>>>>         think this will create more effort, compared to a list of
>>>>         pre-approved items. I think a list of pre-approved items
>>>>         will be less "red-tape" than to make everyone go through
>>>>         the list of published precedents and then let us find out
>>>>         whether they are the "same".
>>>         All that this "bill" is saying is : Keep a list of
>>>         per-approved items and add to it over time as new items get
>>>         approved. I do not see this as adding more work over time
>>>         and the effort should lessen as less new item categories get
>>>         approved over time.
>>>>
>>>>         2. I would also like to point out that the current proposal text
>>>>         does not speak of the "exact same thing in the past" as
>>>>         Josh used in his explanation. The current proposal text is
>>>>         broader and may result in us discussing what is the
>>>>         "same" from the precedents.
>>>>
>>>>         Let me be clear, I am not against the spirit of the
>>>>         approach, only I have doubts about this specific
>>>>         implementation route. Overall, I really think the
>>>>         consolidated (updated) list of acceptable expenses is the
>>>>         best approach. As I mentioned, it is a good idea to
>>>>         populate and update this list based on previous published
>>>>         expenses, but I really prefer the consolidated list to be
>>>>         the reference point, not an unsorted list of all expenses
>>>>         from the past (that potentially lacks context information
>>>>         and what not).
>>>         Fair concerns, this is the right time to be discussing...
>>>>
>>>>         Best regards, Tobias
>>>>
>>>>
>>>>
>>>>
>>>>         On 13/10/15 06:33, Jim Manico wrote:
>>>>>         Do you see this "bill" causing harm to the foundation in
>>>>>         some way? I do not. I see this as facilitating efficiency,
>>>>>         primary, which is a good thing.
>>>>>
>>>>>         --
>>>>>         Jim Manico
>>>>>         Global Board Member
>>>>>         OWASP Foundation
>>>>>         https://www.owasp.org <https://www.owasp.org/>
>>>>>         Join me in Rome for AppSecEU 2016!
>>>>>
>>>>>         On Oct 13, 2015, at 6:22 AM, Matt Konda
>>>>>         <matt.konda at owasp.org <mailto:matt.konda at owasp.org>> wrote:
>>>>>
>>>>>>         Right.
>>>>>>
>>>>>>         Do we spend a lot of time with red tape currently?
>>>>>>
>>>>>>         Matt
>>>>>>
>>>>>>
>>>>>>         On Mon, Oct 12, 2015 at 10:59 PM, Jim
>>>>>>         Manico <jim.manico at owasp.org
>>>>>>         <mailto:jim.manico at owasp.org>> wrote:
>>>>>>
>>>>>>             The motivation here is efficiency, removal of red
>>>>>>             tape and encouragement to spend for the mission. Once
>>>>>>             an expense type is approved the goal of this "bill"
>>>>>>             is to have that expense type auto-approved.
>>>>>>
>>>>>>             --
>>>>>>             Jim Manico
>>>>>>             Global Board Member
>>>>>>             OWASP Foundation
>>>>>>             https://www.owasp.org <https://www.owasp.org/>
>>>>>>             Join me in Rome for AppSecEU 2016!
>>>>>>
>>>>>>             On Oct 13, 2015, at 4:26 AM, Matt Konda
>>>>>>             <matt.konda at owasp.org <mailto:matt.konda at owasp.org>>
>>>>>>             wrote:
>>>>>>
>>>>>>>             I'm still considering #6 as are all but Josh and Jim
>>>>>>>             based on this discussion thread.
>>>>>>>
>>>>>>>             I am supportive of the idea behind it and would vote
>>>>>>>             yes if it came to a head.
>>>>>>>
>>>>>>>             Honestly, I don't think it is risky but I don't
>>>>>>>             think I grasp the motivation - perhaps Josh and/or
>>>>>>>             Paul could elaborate on how this might help the
>>>>>>>             Foundation.
>>>>>>>
>>>>>>>             Matt
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>             On Fri, Oct 9, 2015 at 4:18 PM, Josh
>>>>>>>             Sokol <josh.sokol at owasp.org
>>>>>>>             <mailto:josh.sokol at owasp.org>> wrote:
>>>>>>>
>>>>>>>                 Andrew,
>>>>>>>
>>>>>>>                 I definitely hear you, but we have rules in
>>>>>>>                 place to even prevent that.  For example, Section
>>>>>>>                 4.10 of the Chapter Leader Handbook
>>>>>>>                 <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts> says
>>>>>>>                 that "Chapter leaders are not authorized to sign
>>>>>>>                 contracts or enter into any legal agreements on
>>>>>>>                 behalf of the OWASP Foundation". You will not
>>>>>>>                 have any sort of a $50k venue guarantee for
>>>>>>>                 services without a signed contract. This is the
>>>>>>>                 control that prevents abuse in that specific
>>>>>>>                 situation. There are many others.
>>>>>>>
>>>>>>>                 Also, keep in mind that they are authorized only
>>>>>>>                 so long as "*they have an account balance which
>>>>>>>                 covers that expense in full*". So, if a Chapter
>>>>>>>                 or Project has $50k in their account, and wants
>>>>>>>                 to spend it on a venue for a conference, why
>>>>>>>                 should we stand in their way or require
>>>>>>>                 additional approvals if others have done the
>>>>>>>                 exact same thing in the past?  The limiting
>>>>>>>                 factor here is their account balance and we need
>>>>>>>                 to empower them to spend it how they desire as
>>>>>>>                 long as it is in adherence with the OWASP mission.
>>>>>>>
>>>>>>>                 Tobias: This has not been motioned or seconded
>>>>>>>                 yet. I put it out there for discussion first,
>>>>>>>                 since there was not a general consensus on it.
>>>>>>>
>>>>>>>                 ~josh
>>>>>>>
>>>>>>>                 On Fri, Oct 9, 2015 at 3:49 PM,
>>>>>>>                 Tobias <tobias.gondrom at owasp.org
>>>>>>>                 <mailto:tobias.gondrom at owasp.org>> wrote:
>>>>>>>
>>>>>>>                     As our mailing-list got a bit swamped, this
>>>>>>>                     might have got lost in the hundred voting
>>>>>>>                     emails, do we have any further discussion
>>>>>>>                     elements on this one?
>>>>>>>                     And if people like vote on this, can they
>>>>>>>                     please confirm that they have at least
>>>>>>>                     acknowledged this discussion when casting
>>>>>>>                     their vote?
>>>>>>>                     Thanks, Tobias
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>                     On 09/10/15 14:17, Andrew van der Stock wrote:
>>>>>>>>                     I am really keen to reduce the amount of
>>>>>>>>                     bureaucracy involved in expense management,
>>>>>>>>                     but this is a really well trodden path in
>>>>>>>>                     every single SME to major enterprise.
>>>>>>>>
>>>>>>>>                     My main concern is no upper bounds on
>>>>>>>>                     pre-approved expenses. This means that a
>>>>>>>>                     local chapter that managed to get an
>>>>>>>>                     approval for a $50k conference centre fee,
>>>>>>>>                     say AppSec AU in 2011, would mean that all
>>>>>>>>                     chapters would be automatically allowed to
>>>>>>>>                     claim that expense too. I want to enable
>>>>>>>>                     that, whilst not allowing us to be hit with
>>>>>>>>                     hundreds of large conferences being
>>>>>>>>                     organised throughout the year. We simply
>>>>>>>>                     don't have the staff bandwidth nor the
>>>>>>>>                     funds to do that today.
>>>>>>>>
>>>>>>>>                     Typical financial governance is
>>>>>>>>                     pre-approval for expenses under a certain
>>>>>>>>                     dollar value, and a single sign off within
>>>>>>>>                     the Foundation approval for expenses
>>>>>>>>                     between say the cut off and say a $10k
>>>>>>>>                     limit, and senior management approval above
>>>>>>>>                     $10k. In my view, we can hit the home run
>>>>>>>>                     we all are looking for, whilst still
>>>>>>>>                     maintaining good financial governance over
>>>>>>>>                     major expenses whilst not ruling out ANY
>>>>>>>>                     type of expense that a chapter might be
>>>>>>>>                     able to come up with.
>>>>>>>>
>>>>>>>>                     My view is that we go through all the paid
>>>>>>>>                     out expenses over the last two years, and
>>>>>>>>                     work out some limits. We can tummy tussle
>>>>>>>>                     over the exact limits, but I feel the
>>>>>>>>                     following would be a good start:
>>>>>>>>
>>>>>>>>                     $0 - $1500 should cover nearly all expenses
>>>>>>>>                     paid to date along with the above
>>>>>>>>                     proposal's list of pre-approved expenses.
>>>>>>>>
>>>>>>>>                     $1500 to $10k should be an approval level
>>>>>>>>                     granted to a project coordinator or
>>>>>>>>                     chapters coordinator. All expenses are
>>>>>>>>                     subject to sign off prior to incurring the
>>>>>>>>                     expense.
>>>>>>>>
>>>>>>>>                     $10k ... $100k is within the signing range
>>>>>>>>                     of the Executive Director, and would
>>>>>>>>                     require pre-approval before incurring the
>>>>>>>>                     expense.
>>>>>>>>
>>>>>>>>                     Above $100k would require Exec Dir + Board
>>>>>>>>                     approval.
>>>>>>>>
>>>>>>>>                     That way, local area conference bills of
>>>>>>>>                     $50k don't hit us without forewarning, and
>>>>>>>>                     yet we have the flexibility of allowing
>>>>>>>>                     LAScon and AppSec Cali to work without a
>>>>>>>>                     special rule or budgetary process. The
>>>>>>>>                     majority of projectors, catering, room
>>>>>>>>                     fees, and so on would never be huge amounts
>>>>>>>>                     of work for Foundation staff.
>>>>>>>>
>>>>>>>>                     I think it hits what you're trying to
>>>>>>>>                     achieve without opening us up to some
>>>>>>>>                     serious financial problems down the track.
>>>>>>>>
>>>>>>>>                     thanks,
>>>>>>>>                     Andrew
>>>>>>>>
>>>>>>>>                     On Fri, Oct 9, 2015 at 1:20 PM, Josh
>>>>>>>>                     Sokol <josh.sokol at owasp.org
>>>>>>>>                     <mailto:josh.sokol at owasp.org>> wrote:
>>>>>>>>
>>>>>>>>                         Here is the current text for proposal 6:
>>>>>>>>
>>>>>>>>                         *If a request for funding has been
>>>>>>>>                         approved for one chapter or project,
>>>>>>>>                         then it can be considered an acceptable
>>>>>>>>                         expense for all chapters or projects.
>>>>>>>>                         If they have an account balance which
>>>>>>>>                         covers that expense in full, then they
>>>>>>>>                         should be considered pre-approved for
>>>>>>>>                         spending.*
>>>>>>>>
>>>>>>>>                         _*Tobias:*_
>>>>>>>>                         I agree in spirit, but I think this
>>>>>>>>                         needs clarification and am a bit
>>>>>>>>                         concerned about liberal interpretations
>>>>>>>>                         of what is the same expense type.
>>>>>>>>                         Expenses tend to not be exactly
>>>>>>>>                         identical and I would like to save chapter
>>>>>>>>                         and project leads from searching the
>>>>>>>>                         public expense lists for precedents. As
>>>>>>>>                         one example if a flight ticket is
>>>>>>>>                         approved for a chapter leader to attend
>>>>>>>>                         the AppSec chapter leader workshop,
>>>>>>>>                         that should not mean we also approve a
>>>>>>>>                         flight ticket to Bahamas for holiday
>>>>>>>>                         for another chapter leader. Technically
>>>>>>>>                         both are flight expenses for chapter
>>>>>>>>                         leaders. (I know I am splitting hairs...)
>>>>>>>>
>>>>>>>>                         Suggested revision:
>>>>>>>>                         Proposal 6: If a request for funding
>>>>>>>>                         has been approved for one chapter or
>>>>>>>>                         project, then it can be considered an
>>>>>>>>                         acceptable expense for all chapters or
>>>>>>>>                         projects. Our operations team shall
>>>>>>>>                         periodically (at least once every 3
>>>>>>>>                         months) review the list of published
>>>>>>>>                         expenses and if new expense types come
>>>>>>>>                         up add them to the published list of
>>>>>>>>                         acceptable expenses. If the chapters or
>>>>>>>>                         projects have an account balance which
>>>>>>>>                         covers that expense in full, then they
>>>>>>>>                         should be considered pre-approved for
>>>>>>>>                         spending.
>>>>>>>>
>>>>>>>>                         _*Josh:*_
>>>>>>>>                         I think that we need to trust people to
>>>>>>>>                         do the right thing. To my knowledge, we
>>>>>>>>                         have never had a person try to request
>>>>>>>>                         reimbursement for a trip to the Bahamas
>>>>>>>>                         because someone got a flight paid for
>>>>>>>>                         to AppSec.  Also, keep in mind that
>>>>>>>>                         this is a reimbursement process so our
>>>>>>>>                         Operations Team determines whether a
>>>>>>>>                         request is legit.  To me, it would seem
>>>>>>>>                         like you're putting a lot of extra work
>>>>>>>>                         on the Ops Team with little added
>>>>>>>>                         benefit since they are still going to
>>>>>>>>                         have to find a way to write it up so
>>>>>>>>                         that it will not be misinterpreted. I
>>>>>>>>                         think we have reasonable controls in
>>>>>>>>                         place to prevent abuse and our
>>>>>>>>                         liability here is minimal.  I don't see
>>>>>>>>                         a need to revise it in this manner.
>>>>>>>>
>>>>>>>>                         _*Tobias:*_
>>>>>>>>                         Well, I don't think maintaining a list
>>>>>>>>                         of good examples is an unnecessarily heavy
>>>>>>>>                         workload. And in the long run,
>>>>>>>>                         searching through a long unstructured
>>>>>>>>                         list of published expense claims will
>>>>>>>>                         be more work load for both the staff
>>>>>>>>                         and the community to check for good
>>>>>>>>                         expense precedents. If we do this one
>>>>>>>>                         time per quarter, the effort is clearly
>>>>>>>>                         limited. If we (staff and leaders) have
>>>>>>>>                         to review an unlimited year long list
>>>>>>>>                         for precedent, this seems much more effort.
>>>>>>>>
>>>>>>>>                         _*Josh:*_
>>>>>>>>                         In theory we are supposed to be
>>>>>>>>                         maintaining a list of good examples
>>>>>>>>                         already.  Some of them are listed in
>>>>>>>>                         the Chapter and Project Leader
>>>>>>>>                         Handbooks. That said, they aren't
>>>>>>>>                         anywhere close to all of the possible
>>>>>>>>                         things one would want to spend their
>>>>>>>>                         money on.  The idea here was simply to
>>>>>>>>                         maintain the running list of all
>>>>>>>>                         expenses that are approved or denied
>>>>>>>>                         (proposal 5) and use that to drive
>>>>>>>>                         spending. Again, I think this comes
>>>>>>>>                         down to a matter of trust.  We need to
>>>>>>>>                         trust our Leaders to do the right
>>>>>>>>                         thing.  We need to trust the staff to
>>>>>>>>                         ensure that the reimbursement is
>>>>>>>>                         legitimate before sending them a check.
>>>>>>>>                         With so many complaints about
>>>>>>>>                         difficulties with the reimbursement
>>>>>>>>                         process (as much as I've never seen
>>>>>>>>                         them), we should be looking for ways to
>>>>>>>>                         strip away the red tape, not add more
>>>>>>>>                         of it.
>>>>>>>>
>>>>>>>>                         ~josh
>>>>>>>>
>>>>>>>>                         _______________________________________________
>>>>>>>>                         Owasp-board mailing list
>>>>>>>>                         Owasp-board at lists.owasp.org
>>>>>>>>                         <mailto:Owasp-board at lists.owasp.org>
>>>>>>>>                         https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>
>>>>>>>
>>>>
>>>
>>>         -- 
>>>         Jim Manico
>>>         Global Board Member
>>>         OWASP Foundation
>>>         https://www.owasp.org  <https://www.owasp.org/>
>>
>
>
