[Owasp-leaders] [balint:7426] Re: [OWASP-chapters] Proposal for OWASP Global Chapters Committee

Matt Tesauro matt.tesauro at owasp.org
Sun Sep 16 20:11:51 UTC 2018

[Removed all the direct emails as those people are already members of this
list and I like to keep things simple where possible]

It's Sunday in Texas and I'm spending the weekend with my family.  I ran
out of time to respond on Friday and limited myself to 2 hours yesterday
mostly handling OSD requests since I can be the sole blocker on those items
(plus, I want to make sure our community and bills get paid as timely as

To properly set expectations, I'm not looking at OWASP anything today. I'll
reply to this thread sometime Monday, September 17th during "business
hours" relative to where I live in Texas aka US Central or CDT which is
currently GMT -5.

I hope the community has a great weekend and spends some quality time with
the people in your lives.


-- Matt Tesauro
*OWASP Foundation*
Director of Community and Operations
matt.tesauro at owasp.org

Consider giving back, and supporting the open source community by becoming
a member <https://www.owasp.org/index.php/Membership> or making a donation
<https://www.owasp.org/index.php/Donate> today!

Join us at AppSec USA 2018 <https://2018.appsecusa.org/> 8-12 October in
San Jose, CA!

On Sun, Sep 16, 2018 at 2:53 PM Timur 'x' Khrotko [owasp] <timur at owasp.org>

> Andy, hello, if you take my line in this thread then you may notice that
> I'm complaining about the current mode of operation of the owasp foundation
> in general, and use my case as a real life illustration. I'm saying that
> owasp foundation does not fulfill its role, becomes detached of the
> community, enters the stage in the maturity lifecycle of an institution
> when it cares about the survival of itself. That's my observation, maybe
> totally wrong. However this thread was started on similar grounds by
> others.
> In other words I suggest that owasp foundation is in state of crisis. The
> approach you call for, Andy, does not apply here, imo, as that applies to
> healthy situations.
> Cheers,
> Timur
> On Sun, Sep 16, 2018 at 9:16 PM Andy Willingham <andy.willingham at owasp.org>
> wrote:
>> OWASP is an open community but that doesn't mean that we need to air all
>> of our complaints to the whole mail list. If you have problems with the
>> staff then you need to try to solve it directly with them and if that
>> doesn't work then go to Karen. All of the whining and griping has made
>> this list practically useless. I've said it before and I'll say it again,
>> this is a leaders list. Leaders work towards solving problems not just
>> complaining about them.
>> Matt, I appreciate your dedication and understand that there are times when
>> you have to work much longer hours than normal. I have pulled a 34 hour
>> shift before and it's not fun. As long as you are not working support long
>> hours all of the time then that is fine.
>> While OWASP isn't perfect and needs work let's work together to make it
>> better by actually doing something to make it better.
>> Andy Willingham
>> www.linkedin.com/in/andyitguy
>> www.owasp.org/index.php/cincinnati
>> On Sep 16, 2018, 12:47 PM -0400, Carlos Allendes <
>> carlos.allendes at owasp.org>, wrote:
>> Dear Matt
>> With great concern I read your comment. *(Please excuse the brevity -
>> having worked yesterday from ~8 AM to 4 AM the next day,)*
>> Working 20 hours straight is not a good thing and it affects your
>> physical and technical abilities and your discernment ... But look at
>> yourself, here you are answering emails when you should be sleeping.
>> *Points to keep in mind*
>>    - From an INFOSEC point of view, you are not complying with a great
>>    number of good practices and information security recommendations. In
>>    simple you are contravening many of the recommendations that OWASP defines
>>    and recommends.
>>    - From a labor point of view, you must be breaking a number of labor
>>    laws and regulations. (Owasp 501 (c) (3) should even be more regulated)
>>    - From an economic point of view, OWASP must be paying a lot of money
>>    in overtime that I assume should be avoidable, (  ...it will be possible to
>>    know that expense item / project costs.? )
>>    - From a project planning point of view, it seems that there should
>>    be other options. I would like to ask you to share with us the roadmap of
>>    jobs and objectives that you hope to fulfill.
>> I hope you are resting now and read this later, but I would like to have
>> answers from Karen Stanley about the points indicated.
>> Thanks in advance.
>> ----------
>> Carlos Allendes Droguett
>> OWASP Chile, chapter leader.
>> Links: e-List <http://goo.gl/LBELa> www <http://goo.gl/9wuFX> email
>> <carlos.allendes at owasp.org> LinkedIn
>> <http://cl.linkedin.com/in/carlosallendes>
>> ----------
>> On Thu, Sep 13, 2018 at 18:38, Matt Tesauro (<matt.tesauro at owasp.org>)
>> wrote:
>>> Note: Please excuse the brevity - having worked yesterday from ~8 AM to
>>> 4 AM the next day, I'm quite tired and will be brief.  Also, for full
>>> disclosure, I stopped looking at this thread days ago as it wasn't
>>> providing constructive, helpful and gracious suggestions.  I choose to
>>> spend my time helping the community in other constructive ways.  I got this
>>> reply earlier today so apparently, that was a wise choice:
>>> *No need to thank me, we're all working to make OWASP great again (as a
>>> brand new chapter leader I'm a bit surprised about all the discussions
>>> going on, but happy to put in some work to make things great/smooth again).*
>>> Timur:  You should know better than your post seems to indicate.  The
>>> DEFAULT method that staff uses when interacting with the community is
>>> "Assume no ill intent".  I wish the community shared that perspective
>>> consistently.  You and I spoke in Krakow if memory serves me well - do you
>>> think any staff member would actively work against Chapters?
>>> I took a few minutes to look into OWASP Hungary - pretended I had just
>>> moved there and wanted to check out if OWASP has something there.
>>> Google'ing "OWASP Hungary" the first page of results includes
>>> (1) The Chapter Wiki page <https://www.owasp.org/index.php/Hungary>:
>>> Looking at the history of that wiki page
>>> <https://www.owasp.org/index.php?title=Hungary&action=history>, there
>>> are only two periods of edits in 2018 so it doesn't appear all that
>>> active.  It does say on that page:
>>>> This page is in *ARCHIVE* status, the current chapter page is on
>>>> *MEETUP.com*. Please jump to the *meetup.com
>>>> <http://www.meetup.com/OWASP-HU/>* page for the meetups schedule,
>>>> community and contacts.
>>> Ok, let's look at the Meetup page - it's apparently the official place for
>>> OWASP Hungary...
>>> (2) The OWASP HU meetup page <https://www.meetup.com/OWASP-HU/>: There
>>> are no upcoming meetups <https://www.meetup.com/OWASP-HU/events/> and
>>> the most recent past event
>>> <https://www.meetup.com/OWASP-HU/events/past/> is from November 21, 2017
>>> I would conclude this is a dead chapter.  I think most reasonable people
>>> would reach the same conclusion.
>>> Dawn initially marked the chapter inactive - per the Chapter Handbook
>>> requirement of 4 meetings per year.  Tiffany reversed that and reactivated
>>> the chapter.  There were some wiki edits but there's still no easily
>>> discoverable way to know the chapter is having meetings.  It sure appears
>>> dead from the outside.  Officially, Hungary is still listed as an Active
>>> Chapter.
>>> The broader AppSec community isn't served when we have stale or dead
>>> resources on our wiki - I did the same thing for our Github org - I archived
>>> dead projects <https://github.com/owasp-archives> so they weren't
>>> listed with the 'live' ones.
>>> I'm sorry if you are actually having meetings but the staff has no way
>>> of knowing that short of posting to your wiki or meetup page - some place
>>> the staff (or anyone on the Internet) can find without great effort.  I'd
>>> love to be corrected and find out that you're having loads of great
>>> meetings - nothing would make me happier.
>>> BTW, if you are using Meetup on the Foundation's account, all you need
>>> to do to get your meetup info automatically posted on the wiki page is
>>> include the one wiki markup tag:
>>> <meetup group="OWASP-HU" />
>>> Anyone can be a Barbarian.  It requires a terrible effort to remain a
>>>> civilized man -- Leonard Woolf [1]
>>>> <https://www.goodreads.com/quotes/944654-anyone-can-be-a-barbarian-it-requires-a-terrible-effort>
>>> Cheers!
>>> --
>>> -- Matt Tesauro
>>> *OWASP Foundation*
>>> Director of Community and Operations
>>> matt.tesauro at owasp.org
>>> On Thu, Sep 13, 2018 at 1:26 PM Timur 'x' Khrotko [owasp] <
>>> timur at owasp.org> wrote:
>>>> Ofer, while there may be an issue that there are some cases of people
>>>> parasitizing on the owasp goodwill. But how high is this issue on the list
>>>> of the current owasp issues? I hear voices that owasp/foundation is/are in
>>>> crisis, and there are high priority/critical issues to deal with.
>>>> On the other hand what does foundation do in addressing the problem you
>>>> mentioned? My experience is that Dawn did shut down the Hungary chapter
>>>> around Christmas w/o any prior notice. The notice came from wiki that our
>>>> page was deactivated. Formally they didn't see recent meetups on the wiki
>>>> page. Practically they didn't click on the meetup.com link there to
>>>> see the meetup activity. And it was only Tiffany who apologized for that.
>>>> Now I had a formal letter from Dawn that our chapter will be shut down
>>>> as we didn't do any meetups this year (true). Maybe she could ask first how
>>>> may the foundation help us in doing meetups?!
>>>> So my observation is that besides many great things )) the foundation
>>>> also makes nonsense repressive moves, sends nonsense long replies, and they
>>>> send some of our requests to dev/null.
>>>> Respect,
>>>> Timur
>>>> On Thu, 13 Sep 2018 at 15:32, Ofer Maor <ofer.maor at owasp.org> wrote:
>>>>> Hey Tony,
>>>>> There have been some issues where chapters were created, a lot of work
>>>>> was done, funds were drawn, but no actual progress was made. I don't think
>>>>> I can tell what were the reasons behind each such incident. I am pretty
>>>>> sure in some cases it is just poor execution, but at the same time it feels
>>>>> as if there are cases where people are more after the "title" on their
>>>>> LinkedIn page than about driving the community. In any case - even if it's
>>>>> all good intent but with no actual followup, this creates a burden on the
>>>>> Foundation staff, without helping the cause. Therefore there is room for a
>>>>> "meritocracy" type of structure - where you first do something, and only
>>>>> then get others to carry some of the weight. When I became the chapter
>>>>> leader of #Israel a decade ago or so, I didn't even rely on the Foundation
>>>>> for funds - we did originally everything by getting each sponsor to pay for
>>>>> something, only later we went to the foundation to manage funds and
>>>>> sponsorships. Those were different times, and the Foundation today can
>>>>> provide more support than back then, but I'd still like to see the
>>>>> community driving this thing forward first, and rely on the foundation for
>>>>> support, than the other way around.
>>>>> Anyway - just my .02...
>>>>> Ofer.
>>>>> On Thu, Sep 13, 2018 at 1:55 PM, Tony Turner <tony.turner at owasp.org>
>>>>> wrote:
>>>>>> Ofer, is that really a problem that needs to be solved? Bogus
>>>>>> chapters I mean. I hadn’t heard that was an issue. I’m not sure I’m crazy
>>>>>> about that much governance around forming chapters. We need to make it
>>>>>> easy, not create restrictions around the process.
>>>>>> Tony Turner | OWASP Orlando Chapter Lead
>>>>>> On Sep 12, 2018, at 2:30 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
>>>>>> Hey All,
>>>>>> Jumping in a little late into this discussion (but having read
>>>>>> through most of it....) - a few of my thoughts:
>>>>>> Yes, OWASP was easier to manage in the "good old days" when we were
>>>>>> smaller, more idealistic, and less commercial. But that type of
>>>>>> reminiscence will not get us anywhere today. OWASP has grown, considerably,
>>>>>> and as any other organization, as it grows, and more money gets involved,
>>>>>> there are more and more pressures on it, and this means we need the right
>>>>>> structure to support that, finding the way to keep the community spirit and
>>>>>> vendor neutrality, while managing pressures - both financially and
>>>>>> "politically". I am all in favor for Josh's call for Committee. I know the
>>>>>> previous committees have "derailed" into insufficient progress, but I think
>>>>>> they had their good times too, and I think there's room to bring them back
>>>>>> to life.
>>>>>> Moreover, pulling from some of the discussion we had on the slack
>>>>>> channel, I think as the organization grows, and as the "value" of being a
>>>>>> "Chapter Leader" is growing (people want that on their resume now....), we
>>>>>> need to find a better way to vet new chapters. One of my suggestions (which
>>>>>> of course needs more hashing out from its initial thought) is to create a
>>>>>> tiered, merit based approach, where people will have some framework to
>>>>>> create a "chapter candidate" - which requires them to put in effort and
>>>>>> deliver results (i.e. create meetings with enough attendance etc), but
>>>>>> without giving them too much credit upfront, and without invoking the
>>>>>> "heavy" operational side. These chapter-candidates will not have a budget,
>>>>>> they can not have members allocate it to them, nor will they get any
>>>>>> financial support. They will only get some basic rights to use the name and
>>>>>> logo of OWASP for the meetup. Once they have passed through certain barrier
>>>>>> requirements (to be defined by the chapters committee and approved by the
>>>>>> board if needed), they will be able to become a chapter.
>>>>>> This will provide individuals, on one hand, an easier way to
>>>>>> start-up a local OWASP activity without going through the entire process,
>>>>>> but will also limit the load on the foundation staff, and also make it
>>>>>> harder for people to abuse the system for their personal gain (free
>>>>>> conference admission, bogus titles, etc.).
>>>>>> Bottom line - I'm all for it.
>>>>>> Ofer.
>>>>>> On Sun, Sep 2, 2018 at 12:28 AM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>> Dear OWASP Leaders,
>>>>>>> As per the OWASP Committees 2.0 Operational Model
>>>>>>> <https://www.owasp.org/index.php/Governance/OWASP_Committees>,
>>>>>>> approved by a vote of the OWASP Board of Directors on July 16, 2014, I
>>>>>>> would like to formally propose the creation of a new "OWASP Global Chapters
>>>>>>> Committee".
>>>>>>> My rationale for the creation of this new committee is that our
>>>>>>> community has made a number of observations about inadequacies in the ways
>>>>>>> our Chapters interact with the OWASP Foundation, its Staff, and the
>>>>>>> Board.  This committee would serve as a new form of governance within the
>>>>>>> OWASP Foundation, cutting red tape and empowering our chapter leaders to
>>>>>>> better serve the mission of OWASP while still adhering to the OWASP Core
>>>>>>> Values of openness, innovation, being a global community, and integrity.
>>>>>>> We will focus on strengthening the OWASP Chapters through education,
>>>>>>> networking, and driving value to our members.
>>>>>>> Topics that are within scope for the OWASP Global Chapters Committee
>>>>>>> include, but are not limited to:
>>>>>>>    - *Leadership Requirements:* The committee will be responsible
>>>>>>>    for defining requirements for new chapter leaders and create a community
>>>>>>>    vetting process.
>>>>>>>    - *Activity Requirements:* The committee will be responsible for
>>>>>>>    defining the minimum activity requirements for chapters and will
>>>>>>>    periodically review chapters for meeting those minimum requirements.
>>>>>>>    - *Mentorship:* Programs will be created to pair new chapter
>>>>>>>    leaders together with more experienced ones.  Budgets will be established
>>>>>>>    in order to facilitate mentees attendance of mentor chapter meetings.
>>>>>>>    - *Projects Partnership Tours:* To emphasize the importance of
>>>>>>>    projects, a budget will be established for projects to hold regional tours
>>>>>>>    of chapters where they will speak and show off their projects.
>>>>>>>    - *Budgets:* The committee will be a resource for OWASP policies
>>>>>>>    and procedures when it comes to the budget process and ensuring that it is
>>>>>>>    being followed.  The committee will help identify opportunities for chapter
>>>>>>>    leaders to spend their money.
>>>>>>>    - *Policy:* The committee will review and revise the Chapter
>>>>>>>    Leader Handbook on a periodic basis.  They will assess gaps in existing
>>>>>>>    policies and help to create new policies or redefine existing policies to
>>>>>>>    address gaps.
>>>>>>>    - *Guidance:* The committee will serve to help guide other
>>>>>>>    leaders with any questions that they have.  They will assist with finding
>>>>>>>    speakers.  They will help to recommend topics for presentations.
>>>>>>>    - *Feedback:* The committee will survey chapter leadership on
>>>>>>>    pertinent topics and be a listening outlet for chapter needs.
>>>>>>>    - *Conflict Resolution:* The committee will serve as a tribunal
>>>>>>>    for conflicts among and between chapters.
>>>>>>>    - *Local and Regional Events:* The committee will help to guide
>>>>>>>    chapter leaders on how to start and run local and regional events.  A
>>>>>>>    "startup" budget will be formed from existing event revenues in order to
>>>>>>>    seed investment in more events, helping additional chapters to be able to
>>>>>>>    raise enough money to cover their expenses and innovate.
>>>>>>>    - *Board Guidance:* The committee will work with the Board on
>>>>>>>    any initiatives they have as they relate to chapter policies, governance,
>>>>>>>    budgets, or otherwise.
>>>>>>> This scoping was developed by myself and Tiffany Long in an effort
>>>>>>> to cover many of the issues our chapters face on a routine basis.  It is
>>>>>>> not a comprehensive list and I'd certainly welcome suggestions from others
>>>>>>> in our community.  More so, it is my hope that others will be interested in
>>>>>>> participating in and contributing to this committee.
>>>>>>> Per the Committee Creation section of the Committees 2.0 Operational
>>>>>>> Model, this is now up for a community discussion with a Board vote to
>>>>>>> follow.  I hereby formally request that this be added as a topic for vote
>>>>>>> at the September 19th OWASP Board meeting.  Thank you.
>>>>>>> Sincerely,
>>>>>>> Josh Sokol
>>>>>>> OWASP Board Member 2014-2017
>>>>>>> OWASP Austin Chapter Leader
>>>>>>> OWASP LASCON Conference Co-Founder
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>> _______________________________________________
>>>>>> Owasp-chapters mailing list
>>>>>> Owasp-chapters at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-chapters
>>>>> This message may contain confidential information - you should handle
>>>>> it accordingly.
>>>> --
>>>> secmachine․net #wepowersecdev
> --
> secmachine․net #wepowersecdev