[Owasp-leaders] [OWASP-chapters] Updates on OWASP & The Board

Eoin Keary eoin.keary at owasp.org
Sat Sep 1 12:37:22 UTC 2018


As an ex global board member and previous chapter founder, project lead & chapter lead I can’t agree with Tony more.

The only interaction from mothership in past years has not been positive in nature.

The board and staff roles were defined to support chapters, projects and promote awareness of software insecurity. Can we say this is still core focus? Is there still focus on grass roots, chapters, project funding, & “getting people who care together” etc or is it otherwise....

-ek



@eoinkeary
OWASP since 2004!!

> On 1 Sep 2018, at 12:20, tony.clarke at owasp.org wrote:
> 
> Agree with Johanna & Carlos. From an administrative & governance perspective, interaction with the Dublin Chapter and board over the last 4 years has largely not been positive or helpful. Very often feeling like the chapter and board are two different organizations and being told of decisions that impact our chapter without (in our view) taking into account the views of the chapter volunteers or their time. It would be great to change this dynamic and we’re open to options on how to achieve this for all concerned.
> 
> Tony 
> 
> OWASP Dublin Chapter
> 
> On 1 Sep 2018, at 11:25, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> Carlos and all,
> 
> I totally agree with your points. We need to have an open conversation on how to solve a problem and find solutions.
> 
> It is clear we have an administrative problem, so how can we solve it?
> 
> I suggest that the Board and the Staff meet online with volunteer members willing to help.
> 
> Right now we know there are administrative issues that need to be sorted out and this requires someone looking into the accounting part of OWASP.
> So we need someone with experience in looking at administration and accountancy in order to proceed.
> 
> Another is the starting of new chapters and slow responses. We need for this part a volunteer force to work with staff creating some workflow and allowing this process to happen quicker.
> 
> Unless the Board & Staff work together with the volunteers to find a solution, we will keep the roundabout of discussions without reaching anywhere.
> 
> So I kindly ask the Board members and Staff to see if we can set an online meeting to discuss these issues and find possible solutions.
> When can we meet online? Who wants to volunteer to be part of this team and gladly offer their time too?
> 
> Cheers
> 
> Johanna
> 
> 
> 
>> On Sat, Sep 1, 2018 at 5:47 AM, Carlos Allendes <carlos.allendes at owasp.org> wrote:
>> Hi ... again
>> 
>> I'm reading this thread and I still feel that the board+staff defend themselves by remaining in the externalities of the forms and nobody gets to the bottom of the problem.
>> 
>> There is discontent in many of us, we feel a lack of consideration, we do not understand why the initiatives to create new chapters are blocked or delayed (?), we see a serious problem of governance ...
>> 
>> But we still do not see a single person from the board+staff who stops defending or justifying the indefensible and starts looking for a different way of doing things.
>> 
>> The worst attitude is to stay entrenched without hearing the community. Please start by listening to the complaints and concerns of those who have spoken and we still expect solutions and not explanations.
>> 
>> Best regards
>> 
>> ----------
>> Carlos Allendes Droguett
>> OWASP Chile, chapter leader.
>> ----------
>> 
>> 
>> 
>> 
>> 2018-08-30 14:53 GMT-03:00 Josh Sokol <josh.sokol at owasp.org>:
>>> I am going to start off by apologizing here.  We've delved into an area that I spent FOUR YEARS defending while on the OWASP Board and it's an area that I'm extremely passionate about.  When I saw the dialogue move from an occasional reminder, from Andrew, on the Board calls, about OWASP's financial state, to multiple e-mails coming from Greg and Karen on the topic, I took it as a sign that the Board had already discussed, deliberated, and decided.  I "raised the alarm" here because that is not how OWASP does things.  I expected an open and transparent discussion on the topic, involving our chapter and conference leaders, and hadn't seen any of that.  If we are, as you say, still discussing, then I apologize for the inflammatory tone of my statements.
>>> 
>>> As I've seen several allusions to offering suggestions and helping to move forward as an organization, I'd like to be proactive here and offer a recommendation.  I have a history as a Board member, a Chapter Leader, and a Conference Founder/Chair.  We have a number of leaders around the world who are in a similar position, with a vested interest in having this discussion, but who feel like they either do not have a voice or their voice is being ignored.  Since sending my e-mail, I've spoken with several of them off-list.  Perception here is key....regardless of whether or not it is reality.  I would like to propose setting up a committee, under the Committees 2.0 guidelines, that would be scoped to vetting any recommendations coming from the Board with respect to any proposed changes on how our chapters operate and profit from their conferences.  This directly gives the Board a point of interaction on this topic and provides a much needed voice for those who are concerned about these changes.  I'm happy to lead up this effort.
>>> 
>>> That's my "civil discussion and substantive proposal".  I hope that you will give it some consideration.
>>> 
>>> Sincerely,
>>> 
>>> Josh Sokol
>>> OWASP Board Member 2014-2017
>>> OWASP Chapter Leader Since 2007
>>> 
>>>> On Thu, Aug 30, 2018 at 12:08 PM Giovanni Cruz <giovanni.cruz at owasp.org> wrote:
>>>> I'm with Johanna; if I could help in some way just let me know. I also agree with Carlos about helping the board with regional boards; OWASP needs more hands to handle all the work that OWASP means.
>>>> 
>>>> Please count on me if I can do anything to help to organize our organization.
>>>> 
>>>> Giovanni Cruz Forero
>>>> Bogotá Chapter
>>>> 
>>>>> On Thu, Aug 30, 2018 at 10:01 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>>> Josh,
>>>>> 
>>>>> Please help us move forward as an organization.  The tone of this and several previous emails is completely unprofessional and inflammatory.  As a former board member you know exactly what you are doing.  You just became “that guy”.
>>>>> 
>>>>> It also makes me personally look really bad because I have been defending you in the board discussions and working to make sure we have the appropriate rigor on the financial side as we think about different directions - all of which will be thoroughly presented to the community, input solicited, etc. before any action is taken.
>>>>> 
>>>>> Ultimately, with budgets and finances we’re making prioritization choices.  You think one thing, we don’t all agree completely.  That’s life.  That’s not a reason to go off the deep end and start asserting that we are stealing from chapters.  I can assure you that everyone on the board appreciates chapters and wants them to thrive.  At no point have we talked about taking money from Chapters.
>>>>> 
>>>>> When you are ready to engage in a civil discussion around substantive proposals, you are welcome to rejoin us.  In the meantime, if you or anyone else out there thinks the board is "out to get you" or chapters in general, please take a deep breath and appreciate that we are all volunteers working to make OWASP better.
>>>>> 
>>>>> Matt
>>>>> 
>>>>> 
>>>>>> On Aug 29, 2018, at 8:49 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>> 
>>>>>> Dear Martin, et al,
>>>>>> 
>>>>>> This is a HUGE cop out and a disappointment to hear you say this.  I agree that it is your fiduciary duty to ensure the financial viability and stability of the OWASP Foundation, but it is clear that you haven't done your diligence in researching why we are at this stage.  To be clear, it has NOTHING to do with what the chapters spend or how much they have in their chapter accounts.  The current issue stems from budgets that allocate profits from local and regional events to the Foundation, when the funds belong to the chapters.  It stems from six figure investments in project summits that aren't sustainable.  And it comes from bureaucratic policies that lead to an over-investment in staffing.
>>>>>> 
>>>>>> With respect to transparency, are you kidding me?  We haven't even posted the latest budget to the wiki, let alone a "plan" to address the "problem".  The community knows nothing about what the Board intends to do here because you guys don't use the owasp-board mailing list for communications.  Greg's e-mail the other day was literally the ONLY thing I've seen coming remotely close to this topic.  If the Board is open for all ideas and suggestions, open and transparent as you say, you sure have a funny way of showing it.
>>>>>> 
>>>>>> For the record, this is not about "financial gain for the chapters".  Our chapter leaders frequently spend their own money to get a chapter off the ground.  Many do this selflessly, with no intent of seeking reimbursement.  You make it sound like these people are spending their chapter funds on booze and hookers when the reality is that EVERY SINGLE DOLLAR goes directly towards furthering the OWASP mission.  Shame on any one of you who feels like you're somehow more qualified or more deserving to decide how that money should be spent than the people who busted their asses to raise those funds.
>>>>>> 
>>>>>> Please heed my word of caution.  You are making a grave mistake if you think that stealing money from the chapters is the way to fix OWASP's financial "issues".  When this topic came up several years back, I made it a point to let the Board know that LASCON would go private if such a decision was reached.  We'd still use our funds to benefit the OWASP Austin chapter as a sponsor, but the Foundation would receive nothing as a result of such a grievous overreach of power.  I would encourage the NY/NJs, SnowFROCs, AppSec California's, AppSec Israel, and similar local and regional events to speak up now and let your leadership know how you feel about losing your ability to raise funds for your chapters.  
>>>>>> 
>>>>>> Sincerely,
>>>>>> 
>>>>>> Josh Sokol
>>>>>> OWASP Board Member 2014-2017
>>>>>> OWASP Chapter Leader Since 2007
>>>>>> 
>>>>>> 
>>>>>>> On Wed, Aug 29, 2018 at 10:14 AM Martin Knobloch <martin.knobloch at owasp.org> wrote:
>>>>>>> Dear Josh, et al,
>>>>>>> 
>>>>>>> OWASP is all of us and there is no room for us, the chapters and projects, and they, the foundation and staff. The OWASP Foundation embraces all active in the whole of OWASP. 
>>>>>>> 
>>>>>>> The majority of the current board members are chapter and project leaders as well. As board of the OWASP foundation, it is our fiduciary duty to ensure the financial viability and stability of the OWASP Foundation, something we cannot guarantee at the moment. 
>>>>>>> 
>>>>>>> The board and the ED are evaluating possibilities for how to guarantee we can maintain support and invest in our mission's goals. Of course this together with the OWASP community and in an open dialogue. Open for all ideas and suggestions, open and transparent!
>>>>>>> 
>>>>>>> The incentive of participating in OWASP activities as chapters and projects should be wider than financial gain for the chapters, but for the better of OWASP and achievement of our mission.
>>>>>>> 
>>>>>>> 
>>>>>>> Kind regards,
>>>>>>> -martin
>>>>>>> 
>>>>>>> Martin Knobloch
>>>>>>> _______________________
>>>>>>> OWASP Chairman of the BOD
>>>>>>> OWASP Netherlands Chapter Leader
>>>>>>> 
>>>>>>> Email:   martin.knobloch at owasp.org
>>>>>>> Mobile: +31623226933
>>>>>>> Web:    https://www.owasp.org
>>>>>>> 
>>>>>>>> On Mon, Aug 27, 2018 at 6:46 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>>> I'm going to add a fourth item to this list:
>>>>>>>> 
>>>>>>>> 4) By removing the incentive for running a conference, you remove the incentive to start a conference.  As I mentioned, OWASP Austin started LASCON because we were sick of being told "no" by the Foundation for the funding requests we made.  But if we put the mandate back on the Foundation to fund the chapters, then chapters no longer need to work for that money.  Now there's no need to throw a conference.  So the Foundation loses out on the revenue they do get and we're back to the situation where the chapters are leeching off of the Foundation resources.  We're back to where we were a decade ago.
>>>>>>>> 
>>>>>>>> I'm really concerned that I've only had one other Chapter Leader speak up here.  You guys need to make your voices heard or you will LOSE the most effective source of funding you have, which also directly serves OWASP's mission of education.  The chapters hold the vast majority of OWASP's voting members and you guys need to speak up now, before the Board votes, and it is too late.
>>>>>>>> 
>>>>>>>> Sincerely,
>>>>>>>> 
>>>>>>>> Josh Sokol
>>>>>>>> OWASP Board Member 2014-2017
>>>>>>>> 
>>>>>>>>> On Thu, Aug 23, 2018 at 12:50 PM Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>>>>> Greg,
>>>>>>>>> 
>>>>>>>>> Various members of the OWASP Board have been trying to take funds away from the chapters for years now.  One of the things I am most proud of during my tenure serving on the OWASP Board is that I was able to prevent these funds from being touched by the Foundation.  The "financial health" issues that the Foundation is facing are NOT caused by the chapters.  They are caused by the Foundation passing budgets that include Chapter Funds as a source of revenue, but don't properly allocate it back to the chapters.  This means that the Foundation routinely spends more money than it takes in and "borrows" that money from the chapters.
>>>>>>>>> 
>>>>>>>>> I've done a ton of research into this and am happy to share with you communications that I've had with the Board in the past.  That said, a few things worth being said out loud for everyone else:
>>>>>>>>> 
>>>>>>>>> 1) The idea that chapters aren't spending money is a fallacy.  There are a few chapters out there who aren't spending their money.  The last time I analyzed this it was one or two chapters who happened to have a large sum of money allocated to them.  If those chapters aren't using those funds, they should absolutely donate some back.  As an example, OWASP Austin made a $20k donation back to the Foundation a couple of years ago when we had a surplus of funds we weren't expecting to use.  This is why I instituted the budgeting program when I was on the Board.
>>>>>>>>> 
>>>>>>>>> 2) Changing the terms on local/regional events becomes a huge deterrent for the chapters to want to do those events.  I'll use LASCON as an example as I was the one who founded it back in 2010.  Our chapter was struggling to get resources approved from the Foundation.  Even basic things like getting pizza for our meetings.  That was back when we had like a dozen people coming to the monthly meetings.  If we struggled then, how could we ever possibly scale?  The answer was to create LASCON.  With LASCON, our chapter had an event that brought in enough funds for our chapter to not only pay the bills, but also innovate.  Ever seen the OWASP Austin video channel on Vimeo?  We have videos going back to 2012 because as the chapter leader I had money to be able to buy a wireless mic, mixer, and a laptop to record.  We've evolved since then, but no other chapter has anything like that and it's all because of LASCON.  We also frequently do free and cheap trainings to educate our community.  We just did a two-day PowerShell training with Ben0xa and everyone loved it.  Remember when OWASP was about education and not about making money?  That's what we do with the funds from LASCON.  In any case, if you remove the funds from hosting a conference, then you remove the incentive for chapters to do events like these.  We never started LASCON to fund the Foundation, it was just an added benefit.  I'm kinda pissed that the Foundation has decided that they should reap the benefits of our hard work.
>>>>>>>>> 
>>>>>>>>> 3) Back in 2012, the OWASP Austin chapter hosted the AppSecUSA conference.  We've bid for it (but lost) several times since then.  We didn't get any money from hosting it that year and we lost out on our LASCON revenue as well.  Wanna know why we did it?  To help the Foundation!  Wanna know why we felt confident that we could do it?  Because we had two prior years' experience with running our own conference.  Remove the incentive to run conferences, then chapters won't run conferences, then the Foundation loses anyone actually qualified and experienced to run them.  History shows that chapters with conference experience have hosted much more successful AppSec conferences.
>>>>>>>>> 
>>>>>>>>> OWASP's goal is education.  It's in our mission statement.  Let's cut the BS about the Foundation not being able to pay its bills.  If it can't pay its bills, then the Foundation is overspending and overreaching.  That's a problem we should be focusing on.  Not on the amazing outreach efforts that our chapters are doing by hosting conferences.  Greg, please don't buy in to the line of crap that others are feeding you.
>>>>>>>>> 
>>>>>>>>> Sincerely,
>>>>>>>>> 
>>>>>>>>> Josh Sokol
>>>>>>>>> OWASP Board Member 2014-2017
>>>>>>>>> 
>>>>>>>>>> On Mon, Aug 20, 2018 at 11:40 AM Greg Anderson <greg.anderson at owasp.org> wrote:
>>>>>>>>>> OWASP Chapter Leaders,
>>>>>>>>>> 
>>>>>>>>>> I hope everyone is having a great week! 
>>>>>>>>>> 
>>>>>>>>>> When I was running for the OWASP Board, I did a presentation on DefectDojo and my general thoughts on how I could help improve OWASP as a board member.
>>>>>>>>>> I wanted to provide an update on the two big points of my platform: 1. Drive the org to be more agile and adapt to challenges / feedback more quickly 2. Create a network to help chapters grow and mature.
>>>>>>>>>> 
>>>>>>>>>> Overall, I believe the Board has been acting with more agility. The number one concern / question from the election was centered around compliance, bullying, and the community guidelines. To address these concerns, I have drafted and proposed an official Compliance Committee (CC) Charter which will make CC decisions binding, and also expand the number of OWASP community members on the committee. The Board voted at AppSec EU to prepare for the election of Compliance Committee Members starting this December along with new board members. The final Charter has not been voted on as I needed to make additional changes to accommodate feedback. Discussion and voting around the Charter will be held at the September Board Meeting and is open to the public. I highly encourage you to attend!
>>>>>>>>>> 
>>>>>>>>>> Regarding chapter resources, this is something I have not been able to address yet. This is because OWASP has a much larger issue that I wasn't previously aware of, OWASP's financial health. Around 2014, there was a decline in global conference attendance that has caused OWASP to start drawing from our capital reserves. At our current run rate, these reserves will be exhausted in 2 - 3.5 years (approximately). To address OWASP's financial health, the foundation has been both trimming expenses where possible and attempting to increase conference attendance. There have been some changes regarding financial health improvement that I adamantly oppose. The primary example being no longer providing chapter leaders and project leaders access to the networking event / dinner at global conferences free of charge.
>>>>>>>>>> 
>>>>>>>>>> This is something I plan to attempt to address in our September or October meeting. However, financial health is key to expanding both what OWASP can provide to the community, and what can be achieved to make open source security more accessible to the world.
>>>>>>>>>> 
>>>>>>>>>> If you have any questions or concerns, please don't hesitate to reach out.
>>>>>>>>>> 
>>>>>>>>>> Thank you for giving me the opportunity to speak at your chapter and for all you do for your local OWASP community.
>>>>>>>>>> 
>>>>>>>>>> Kind regards,
>>>>>>>>>> 
>>>>>>>>>> Greg Anderson
>>>>>>>>>> Member of the Board
>>>>>>>>>> DefectDojo Project Leader
>>>>>>>>>> greg.anderson at owasp.org
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Consider giving back, and supporting the open source community by becoming a member or making a donation today! 
>>>>>>>>>> 
>>>>>>>>>> Join us at AppSec USA 2018 8-12 October in San Jose, CA!
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-chapters mailing list
>>>>>>>> Owasp-chapters at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-chapters
>>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> Giovanni Cruz Forero
>>>> Bogotá Chapter Leader
>>> 
>>> 
>> 
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
> 
> 
> 
> -- 
> Johanna Curiel 
> OWASP Volunteer