[Owasp-leaders] OWASP Board, Rebooted

Matt Tesauro mtesauro at gmail.com
Sun Jan 9 17:11:48 EST 2011


Feel free to poke your proboscis into anything at OWASP - O is for Open
after all.

Much of this I was queuing for the Summit so consider this a sneak preview.

First, thanks for channeling your natural tendencies and raising this
issue on the leaders list.  I suspect many more thought similar things
but didn't speak up.

Also, I gave a read to the link you provided and think it's spot on.

To that end, I have been pushing for a while for the board to establish
some specific direction for OWASP.  I felt a lack of direction when I
was on the GPC - I felt like we were doing the right thing from the
*GPC's perspective* but wasn't confident it fit into OWASP's overall goals.

Recently the board voted to hire a consultant to assist in establishing
concrete core values, purpose and long term vision for OWASP (aka BHAG).
FULL DISCLOSURE: The consultant is my father.  He's done this work for
20+ years for many large companies (e.g. Coca Cola, The Gap, ...).  He
knew the value I placed in OWASP and offered his services at a very
steeply discounted rate.  Ping me directly if you want more info.

Here's the wiki page setup to track the progress of this work:

We originally thought that an aggressive schedule would get us done with
all three phases by the summit.  As you can see, we're still on Phase 1
so I don't see completion by the summit without Herculean effort.

The idea was to have a draft of the Core Values, Purpose and Vision
Statement for the community to review at the summit. Then, the board's
work + the community's input would be combined into the final version.

I'm not sure where this will end up but please read that page and bring
your ideas to the Summit.  This is, to me, a fundamental thing that I
believe OWASP _has to have_ to truly grow into OWASP 4.0.  I am
personally not content with the status quo - I want OWASP to continue to
grow as a positive force in application security.

The one exception I would take with the linked article (call it a
slightly different angle of approach) is part of my vision for the board
is to establish the fertile soil where the community can grow and
flourish.  I think this was reflected in the long term goals I listed
when I ran for the board:

We've had RFP's out and I'm actively working on finalizing the
establishment of a new hosting infrastructure for OWASP.  As I've looked
into this, I really believe OWASP needs virtual machine hosting aka
Cloud (ug!) for our infrastructure.  Why?
* Allows for easy backup and restore of entire servers
* Allows for experimentation [1] e.g. copy the wiki and try stuff out,
If it fails, delete the copy.  No harm done.
* Reducing the administration burden and hosting expenses.
* Try things like Forums, etc.

Finally, the other bit I'm going to focus on post-Summit:  The
organization's ByLaws.  They are old and completely outdated.  I worked
with a Boeing employee to get a project donated (and the copyright
assigned to OWASP) and when their legal people looked at OWASP, their
reaction was "Who are you?  You're nowhere in the ByLaws.  Let me speak
to someone who is really on the board"

It's shameful that our ByLaws are so divergent from reality.
Post-Summit, I plan on working on the ByLaws to have them at least
reflect the current reality.  Yes, writing ByLaws is boring, tedious,
unexciting, sleep-inducing, painful...

HOWEVER, I'm more than willing to take one for the team if it means we
can demonstrate publicly that OWASP is truly open as expressed in the
document that governs how we behave as an organization.

Wow, that's probably enough for now.

Be seeing you at the Summit!

[1] Currently one of the core values here:

-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site

On 01/09/2011 11:09 AM, Jim Manico wrote:
> One of the things I do at OWASP is poke my nose into several committees
> to see what they are up to.  
> Lately, there has been a great deal of anger directed at the board, and
> I think it’s time for a board policy reboot. 
> I have experience working in non-profits prior to OWASP. Board/volunteer
> conflict is very common in non-profits, and it’s easier to fix these
> kinds of problems from the top-down.
> First of all, what is the primary role of any non-profit board member?
> Fundraising and more fundraising. At least 80% of board members time, by
> my estimate, should be dedicated to fundraising.  Second, board members
> should not be involved in the operations of a non-profit. They should
> set policy and guidance (fiduciary oversight), but should let the
> volunteers and staff run the day to day operations.
> What I see is the exact opposite. We have board members getting deeply
> involved with operations, often over-riding committee decisions or
> dictating operational decisions without consulting with the appropriate
> committees.  This is very harmful to the organization.  But we also have
> a history where some committees do not fully execute or take
> responsibility – in these situations the board has no choice but to step in.
> I invite you to read http://www.idea.org/board.html - it mirrors some of
> my (and others) thoughts about how a non-profit board should run.
> Although I’m stating that we need to reboot the board, we also need to
> reboot clarifying committee responsibilities. This goes for me and my
> contributions to OWASP as well.
> The summit is coming up soon – I’m sure this topic will come up in a
> working session. Conflict can and will be converted into solutions
> there.  I hope you can make it, it’s going to be a great show.
> Regards,
> Jim Manico
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
