[Owasp-leaders] Identifying Improvement Opportunities at OWASP - How to make OWASP a better place

Sherif Mansour sherif.mansour at owasp.org
Wed Dec 27 21:05:57 UTC 2017

Dear all,

Many thanks for all your input to the improvements to OWASP
you have added for the last week or so. I have recently received the
documents which I need to sign to join the board, and I'm slowly going
through the required reading.

I am really excited for next year, there are many, many things to work on.
At the beginning of the year Karen Staley our new Executive Director will
outline here 6-months and 1 year strategy. the board will work together
with Karen to set a strategy to take on these initiatives that makes sense
and use those goals to assess the foundation's performance for the year.

Where are we right now?

With that said it would be a good time to chat about the current state of
OWASP and where things are so we know where we need to go.

At the heart of OWASP is the community, the community works together to
improve the state of application security whether it's by writing best
practices, research papers, cheat sheets or developing software to help

We then have conferences such AppSec which celebrates what we do at OWASP.
However the conferences are one step removed from what we do. As a result
it's not particularly health to have the conferences as the primary focus
of OWASP as opposed to the projects and chapters. This is why the OWASP
Summit is a step in the right direction since it is a week dedicated to
working on projects (you can see the full list of outcomes here
<https://owaspsummit.org/Outcomes/>). I personally feel we should be
looking into how we can improve our support for the chapters and projects
in order to improve membership and sponsorship there, and have that as what
we do primarily, conferences will always be there but it is one step
removed from there we are.

Issues with invoices

Currently there are rooms for improvement for management of the OWASP. A
perfect example is the thousands of dollars that have not been invoiced
that have been discovered. The good news is that it is being taken care of,
and sponsors/third parties are very helpful and happy to hear from us,
regardless this is something we can work on.

Issues with project chapter budgets

I lead the London chapter with Sam. For a while now we couldn't get why it
takes ages for a response regarding budgets, I finally understand now.
OWASP as an entity has one set of accounts, so all funds allocated for
chapters and projects are also managed by the same team responsible for the
rest of the foundation and staff etc.. The problem comes from a concept
called "working capital", that is to say sometimes you end up with a gap
between investing in something (say money to put on an event) and
generating revenue (making your money back). Well for OWASP in between to
keep the lights on, we do have cash reserves (mainly chapter/project)
funds, so the foundation temporary uses these funds to pay for the expenses
they returns the funds once the revenue is generated. this means that the
chapters and projects still are allocated the funds, but from time to time
the foundation has temporarily used them to keep the lights on.

However that is not going to well with often times it is been hard to tell
what the budgets for the chapters and projects actually are. This is why
Karen is looking to overhaul this process entirely.

OWASP Summit

Invoices are things the OWASP Summit could also work on, since they have
let attendees enter the conference without paying! Some attendees wanted to
be charged to their companies (which is fine), but the summit team did not
invoice them so they never paid. This was a contentious issue between the
foundation and the summit team, and finally got to the bottom of it,
because for the longest time the foundation could not figure out the summit
team's claims that the summit had turned a broken even / made a small
profit... it made a profit if you count the invoices that have not been
made, which (let's face) it is not how money works.

Off the back of it the foundation will provide some guidelines / best
practices to the summit team for the 2018 event.


This right now an important issue for me, I have had OWASP leaders recount
events to me in tears, and I can see aggression on a constant basis. I
think bullying has lead to many members to leave OWASP and it is a death by
a thousand cuts so it’s something we should not tolerate and do something
about. One suggestion the compliance committee has made is to hire an
independent company to perform investigations and to provide
recommendations for the foundation to enforce.

AppSec Conferences

This brings us to AppSec conferences, for that past few events there have
been some issues, but one thing glaring that Karen picked up was the lack
of data. No one could tell for example the number of people who attended
both the training AND the conference. This makes it really hard to make
data driven decisions and to improve the events. As Karen kept digging she
highlighted concerns with how the conferences are run in general and
AppSecEU in particular, since very few contracts had been signed (if any at
the time), she recommended to the board that the foundation to step in and
if necessary look for an alternative location for the event such as the UK.
The board highlighted that this must be handled with care to to respectful
the the local chapters effort and hard work. Despite these best intentions
there has been tension and miscommunication. After the newsletter has been
sent out in my opinion there were a few things that could have been
improved with respect to communication:

1) Major changes like moving a conference (or a vote for ED to step in),
needs explicit communication with the relevant community members & to ask
them to attend the relevant board discussion. None of this can be
“assumed”. It must be communicated and expressed clearly.

2)Time. The decision and review must be given enough time for the community
to accept and feel that their case has been made.

3) Manage the message. Make sure the right links/sites have been edited,
the relevant people have been reached out to personally, the relevant
access granted/revoked. Not to mention making sure the foundation reacts to
community’s concerns appropriately. Sending an email is not enough.

Going forward so this is not repeated the foundation is going to add better
support for the chapters so they do not do most of the admin and heavy
lifting and focus on what they do best. Equally there will be some some
hosting requirements to ensure there is a level of quality for these major

What doesn’t help is people abusing official communication channels that
they have been entrusted with. I think bullying has lead to many members to
leave OWASP and it is a death by a thousand cuts, equally not listening to
the community and not treating it as a conversation doesn’t help.

On Mon, Dec 18, 2017 at 1:28 PM, Sherif Mansour <sherif.mansour at owasp.org>

> Dear all,
> I am excited and looking forward to joining the OWASP Board in 2018.
> To that end I want to make sure that as a board member I keep my ear close
> to the ground, take a lot of your exciting ideas & passion for AppSec and
> see what we can do to make OWASP a better place.I want read all you
> feedback and ideas.
> I have created the following google document to initiate this conversation
> and for all of you to include your thoughts and suggestions:
> https://docs.google.com/document/d/16z59SKXbNEwDi1bLobswye1QxryNNdjOdGHdqZ4t-wQ
> I have sat down with a bunch of community leaders including current/former
> board members to get their feedback and I have already included some of
> their thoughts in the document. However this is for *you.*
> All of you have full access to the page to edit it as you see fit or add
> comments.
> One thing I learned over the years is that you don't need  reason to help
> people. All you need is empathy, and OWASP has that in spades.
> Most of the great work is down to the community and the chapters, not the
> board, in fact the board is composed of community members to ensure the
> foundation is built by the community for the community.
> Regardless of who you are or where you are from if you are interested in
> AppSec and are respectful to others, OWASP is your *home.*
> I cannot wait to read your ideas and see which ones we can make a reality.
> --
> Sherif Mansour
> OWASP Global Board Member & OWASP London Chapter Leader
> Site: https://www.owasp.org/index.php/London
> Email: sherif.mansour at owasp.org
> Follow OWASP London Chapter on Twitter: @owasplondon  <https://twitter.com/OWASPLondon>
> "Like" us on Facebook: https://www.facebook.com/OWASPLondon
> Subscribe to our (lightweight) mailing list: https://lists.owasp.org/mailman/listinfo/owasp-london


Sherif Mansour
OWASP Global Board Member & OWASP London Chapter Leader
Site: https://www.owasp.org/index.php/London
Email: sherif.mansour at owasp.org
Follow OWASP London Chapter on Twitter: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Subscribe to our (lightweight) mailing list:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20171227/f35d173f/attachment-0001.html>

More information about the OWASP-Leaders mailing list