[Owasp-leaders] [balint:7407] Re: [OWASP-chapters] Proposal for OWASP Global Chapters Committee

Carlos Allendes carlos.allendes at owasp.org
Fri Sep 14 15:53:36 UTC 2018

Dear Matt

With great concern I read your comment.* (Please excuse the brevity -
having worked yesterday from ~8 AM to 4 AM the next day,)*
Working 20 hours straight is not a good thing and it affects your physical
and technical abilities and your discernment ... But look at yourself, here
you are answering emails when you should be sleeping.

*Points to keep in mind*

   - From an INFOSEC point of view, you are not complying with a great
   number of good practices and information security recommendations. Simply
   put, you are contravening many of the recommendations that OWASP defines
   and recommends.

   - From a labor point of view, you must be breaking a number of labor
   laws and regulations. (OWASP 501(c)(3) should even be more regulated)

   - From an economic point of view, OWASP must be paying a lot of money in
   overtime that I assume should be avoidable, (  ...it will be possible to
   know that expense item / project costs.? )

   - From a project planning point of view, it seems that there should be
   other options. I would like to ask you to share with us the roadmap of jobs
   and objectives that you hope to fulfill.

I hope you are resting now and read this later, but I would like to have
answers from Karen Stanley about the points indicated.

Thanks in advance.

Carlos Allendes Droguett
OWASP Chile, chapter leader.
Links: e-List <http://goo.gl/LBELa> www <http://goo.gl/9wuFX> email
<carlos.allendes at owasp.org> linked
<http://cl.linkedin.com/in/carlosallendes>

On Thu, 13 Sep 2018 at 18:38, Matt Tesauro (<matt.tesauro at owasp.org>) wrote:

> Note: Please excuse the brevity - having worked yesterday from ~8 AM to 4
> AM the next day, I'm quite tired and will be brief.  Also, for full
> disclosure, I stopped looking at this thread days ago as it wasn't
> providing constructive, helpful and gracious suggestions.  I choose to
> spend my time helping the community in other constructive ways.  I got this
> reply earlier today so apparently, that was a wise choice:
> *No need to thank me, we're all working to make OWASP great again (as a
> brand new chapter leader I'm a bit surprised about all the discussions
> going on, but happy to put in some work to make things great/smooth again).*
> Timur:  You should know better than your post seems to indicate.  The
> DEFAULT method that staff uses when interacting with the community is
> "Assume no ill intent".  I wish the community shared that perspective
> consistently.  You and I spoke in Krakow if memory serves me well - do you
> think any staff member would actively work against Chapters?
> I took a few minutes to look into OWASP Hungary - pretended I had just
> moved there and wanted to check out if OWASP has something there.
> Google'ing "OWASP Hungary" the first page of results includes
> (1) The Chapter Wiki page <https://www.owasp.org/index.php/Hungary>:
> Looking at the history of that wiki page
> <https://www.owasp.org/index.php?title=Hungary&action=history>, there are
> only two periods of edits in 2018 so it doesn't appear all that active.  It
> does say on that page:
>> This page is in *ARCHIVE* status, the current chapter page is on
>> *MEETUP.com*. Please jump to the *meetup.com
>> <http://www.meetup.com/OWASP-HU/>* page for the meetups schedule,
>> community and contacts.
> Ok, let's look at the Meetup page - it's apparently the official place for
> OWASP Hungary...
> (2) The OWASP HU meetup page <https://www.meetup.com/OWASP-HU/>: There are
> no upcoming meetups <https://www.meetup.com/OWASP-HU/events/> and the most
> recent past event <https://www.meetup.com/OWASP-HU/events/past/> is from
> November 21, 2017
> I would conclude this is a dead chapter.  I think most reasonable people
> would reach the same conclusion.
> Dawn initially marked the chapter inactive - per the Chapter Handbook
> requirement of 4 meetings per year.  Tiffany reversed that and reactivated
> the chapter.  There were some wiki edits but there's still no easily
> discoverable way to know the chapter is having meetings.  It sure appears
> dead from the outside.  Officially, Hungary is still listed as an Active
> Chapter.
> The broader AppSec community isn't served when we have stale or dead
> resources on our wiki - I did the same thing for our Github org - I archived
> dead projects <https://github.com/owasp-archives> so they weren't listed
> with the 'live' ones.
> I'm sorry if you are actually having meetings but the staff has no way of
> knowing that short of posting to your wiki or meetup page - some place the
> staff (or anyone on the Internet) can find without great effort.  I'd love
> to be corrected and find out that you're having loads of great meetings -
> nothing would make me happier.
> BTW, if you are using Meetup on the Foundation's account, all you need to
> do to get your meetup info automatically posted on the wiki page is include
> the one wiki markup tag:
> <meetup group="OWASP-HU" />
>> Anyone can be a Barbarian.  It requires a terrible effort to remain a
>> civilized man -- Leonard Woolf [1]
>> <https://www.goodreads.com/quotes/944654-anyone-can-be-a-barbarian-it-requires-a-terrible-effort>
> Cheers!
> --
> -- Matt Tesauro
> *OWASP Foundation*
> Director of Community and Operations
> matt.tesauro at owasp.org
> On Thu, Sep 13, 2018 at 1:26 PM Timur 'x' Khrotko [owasp] <timur at owasp.org>
> wrote:
>> Ofer, while there may be an issue that there are some cases of people
>> parasitizing on the owasp goodwill. But how high is this issue on the list
>> of the current owasp issues? I hear voices that owasp/foundation is/are in
>> crises, and there are high priority/critical issues to deal with.
>> On the other hand what does foundation do in addressing the problem you
>> mentioned? My experience is that Dawn did shut down the Hungary chapter
>> around Christmas w/o any prior notice. The notice came from wiki that our
>> page was deactivated. Formally they didn't see recent meetups on the wiki
>> page. Practically they didn't click on the meetup.com link there to see
>> the meetup activity. And it was only Tiffany who apologized for that.
>> Now I had a formal letter from Dawn that our chapter will be shut down as
>> we didn't do any meetups this year (true). Maybe she could ask first how
>> may the foundation help us in doing meetups?!
>> So my observation is that besides many great things )) the foundation
>> also makes nonsense repressive moves, sends nonsense long replies, and they
>> send some of our requests to dev/null.
>> Respect,
>> Timur
>> On Thu, 13 Sep 2018 at 15:32, Ofer Maor <ofer.maor at owasp.org> wrote:
>>> Hey Tony,
>>> There have been some issues where chapters were created, a lot of work
>>> was done, funds were drawn, but no actual progress was made. I don't think
>>> I can tell what were the reasons behind each such incident. I am pretty
>>> sure in some cases it is just poor execution, but at the same time it feels
>>> as if there are cases where people are more after the "title" on their
>>> LinkedIn page than about driving the community. In any case - even if it's
>>> all good intent but with no actual followup, this creates a burden on the
>>> Foundation staff, without helping the cause. Therefore there is room for a
>>> "meritocracy" type of structure - where you first do something, and only
>>> then get others to carry some of the weight. When I became the chapter
>>> leader of #Israel a decade ago or so, I didn't even rely on the Foundation
>>> for funds - we did originally everything by getting each sponsor to pay for
>>> something, only later we went to the foundation to manage funds and
>>> sponsorships. Those were different times, and the Foundation today can
>>> provide more support than back then, but I'd still like to see the
>>> community driving this thing forward first, and rely on the foundation for
>>> support, than the other way around.
>>> Anyway - just my .02...
>>> Ofer.
>>> On Thu, Sep 13, 2018 at 1:55 PM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>>> Ofer, is that really a problem that needs to be solved? Bogus chapters
>>>> I mean. I hadn’t heard that was an issue. I’m not sure I’m crazy about that
>>>> much governance around forming chapters. We need to make it easy, not
>>>> create restrictions around the process.
>>>> Tony Turner | OWASP Orlando Chapter Lead
>>>> On Sep 12, 2018, at 2:30 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
>>>> Hey All,
>>>> Jumping in a little late into this discussion (but having read through
>>>> most of it....) - a few of my thoughts:
>>>> Yes, OWASP was easier to manage in the "good old days" when we were
>>>> smaller, more idealistic, and less commercial. But that type of
>>>> reminiscence will not get us anywhere today. OWASP has grown, considerably,
>>>> and as any other organization, as it grows, and more money gets involved,
>>>> there are more and more pressures on it, and this means we need the right
>>>> structure to support that, finding the way to keep the community spirit and
>>>> vendor neutrality, while managing pressures - both financially and
>>>> "politically". I am all in favor of Josh's call for Committee. I know the
>>>> previous committees have "derailed" into insufficient progress, but I think
>>>> they had their good times too, and I think there's room to bring them back
>>>> to life.
>>>> Moreover, pulling from some of the discussion we had on the slack
>>>> channel, I think as the organization grows, and as the "value" of being a
>>>> "Chapter Leader" is growing (people want that on their resume now....), we
>>>> need to find a better way to vet new chapters. One of my suggestions (which
>>>> of course needs more hashing out from its initial thought) is to create a
>>>> tiered, merit based approach, where people will have some framework to
>>>> create a "chapter candidate" - which requires them to put in effort and
>>>> deliver results (i.e. create meetings with enough attendance etc), but
>>>> without giving them too much credit upfront, and without invoking the
>>>> "heavy" operational side. These chapter-candidates will not have a budget,
>>>> they can not have members allocate it to them, nor will they get any
>>>> financial support. They will only get some basic rights to use the name and
>>>> logo of OWASP for the meetup. Once they have passed through certain barrier
>>>> requirements (to be defined by the chapters committee and approved by the
>>>> board if needed), they will be able to become a chapter.
>>>> This will provide individuals, from one hand, an easier way to start-up
>>>> a local OWASP activity without going through the entire process, but will
>>>> also limit the load on the foundation staff, and also make it harder for
>>>> people to abuse the system for their personal gain (free conference
>>>> admission, bogus titles, etc.).
>>>> Bottom line - I'm all for it.
>>>> Ofer.
>>>> On Sun, Sep 2, 2018 at 12:28 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>> Dear OWASP Leaders,
>>>>> As per the OWASP Committees 2.0 Operational Model
>>>>> <https://www.owasp.org/index.php/Governance/OWASP_Committees>,
>>>>> approved by a vote of the OWASP Board of Directors on July 16, 2014, I
>>>>> would like to formally propose the creation of a new "OWASP Global Chapters
>>>>> Committee".
>>>>> My rationale for the creation of this new committee is that our
>>>>> community has made a number of observations about inadequacies in the ways
>>>>> our Chapters interact with the OWASP Foundation, its Staff, and the
>>>>> Board.  This committee would serve as a new form of governance within the
>>>>> OWASP Foundation, cutting red tape and empowering our chapter leaders to
>>>>> better serve the mission of OWASP while still adhering to the OWASP Core
>>>>> Values of openness, innovation, being a global community, and integrity.
>>>>> We will focus on strengthening the OWASP Chapters through education,
>>>>> networking, and driving value to our members.
>>>>> Topics that are within scope for the OWASP Global Chapters Committee
>>>>> include, but are not limited to:
>>>>>    - *Leadership Requirements: *The committee will be responsible for
>>>>>    defining requirements for new chapter leaders and create a community
>>>>>    vetting process.
>>>>>    - *Activity Requirements: *The committee will be responsible for
>>>>>    defining the minimum activity requirements for chapters and will
>>>>>    periodically review chapters for meeting those minimum requirements.
>>>>>    - *Mentorship: *Programs will be created to pair new chapter
>>>>>    leaders together with more experienced ones.  Budgets will be established
>>>>>    in order to facilitate mentees attendance of mentor chapter meetings.
>>>>>    - *Projects Partnership Tours: *To emphasize the importance of
>>>>>    projects, a budget will be established for projects to hold regional tours
>>>>>    of chapters where they will speak and show off their projects.
>>>>>    - *Budgets: *The committee will be a resource for OWASP policies
>>>>>    and procedures when it comes to the budget process and ensuring that it is
>>>>>    being followed.  The committee will help identify opportunities for chapter
>>>>>    leaders to spend their money.
>>>>>    - *Policy: *The committee will review and revise the Chapter
>>>>>    Leader Handbook on a periodic basis.  They will assess gaps in existing
>>>>>    policies and help to create new policies or redefine existing policies to
>>>>>    address gaps.
>>>>>    - *Guidance: *The committee will serve to help guide other leaders
>>>>>    with any questions that they have.  They will assist with finding
>>>>>    speakers.  They will help to recommend topics for presentations.
>>>>>    - *Feedback: *The committee will survey chapter leadership on
>>>>>    pertinent topics and be a listening outlet for chapter needs.
>>>>>    - *Conflict Resolution: *The committee will serve as a tribunal
>>>>>    for conflicts among and between chapters.
>>>>>    - *Local and Regional Events: *The committee will help to guide
>>>>>    chapter leaders on how to start and run local and regional events.  A
>>>>>    "startup" budget will be formed from existing event revenues in order to
>>>>>    seed investment in more events, helping additional chapters to be able to
>>>>>    raise enough money to cover their expenses and innovate.
>>>>>    - *Board Guidance: *The committee will work with the Board on any
>>>>>    initiatives they have as they relate to chapter policies, governance,
>>>>>    budgets, or otherwise.
>>>>> This scoping was developed by myself and Tiffany Long in an effort to
>>>>> cover many of the issues our chapters face on a routine basis.  It is not a
>>>>> comprehensive list and I'd certainly welcome suggestions from others in our
>>>>> community.  Moreso, it is my hope that others will be interested in
>>>>> participating in and contributing to this committee.
>>>>> Per the Committee Creation section of the Committees 2.0 Operational
>>>>> Model, this is now up for a community discussion with a Board vote to
>>>>> follow.  I hereby formally request that this be added as a topic for vote
>>>>> at the September 19th OWASP Board meeting.  Thank you.
>>>>> Sincerely,
>>>>> Josh Sokol
>>>>> OWASP Board Member 2014-2017
>>>>> OWASP Austin Chapter Leader
>>>>> OWASP LASCON Conference Co-Founder
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> _______________________________________________
>>>> Owasp-chapters mailing list
>>>> Owasp-chapters at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-chapters
>>> This message may contain confidential information - you should handle it
>>> accordingly.
>> --
>> secmachine․net #wepowersecdev