[Owasp-leaders] [balint:7415] Re: [OWASP-chapters] Proposal for OWASP Global Chapters Committee

Matt Tesauro matt.tesauro at owasp.org
Tue Sep 18 21:29:14 UTC 2018

Answering inline:

BTW, I apologize to those that don't like 'long replies' but these
questions cannot be answered accurately and fully without the below.

On Thu, Sep 13, 2018 at 6:21 PM Timur 'x' Khrotko [owasp] <timur at owasp.org> wrote:

> Dear Matt,
> I wasn't saying that Dawn had anything against the Hungary chapter in
> particular. In this regard I can only mention that: While she did shut down
> our wiki page for its (apparent for her) deadness in January, I in May
> (months later) also reviewed the European chapters on the wiki while I was
> looking for email addresses of the active chapters. As a byproduct I found
> around 3 chapter pages much more dead than ours may have looked. Why
> weren't those deactivated?

Without specifics, that's a hard question to answer - short of they
shouldn't have been.  I know there have been cases where Dawn alerts the
chapter leader that the chapter is inactive and they have responded asking
for time to correct some oversight like using Meetup but not mentioning it
anywhere on their wiki page.  I know of other cases where there were
things the chapter wasn't doing to meet the minimum level of chapter
activity and, after correcting those things, Dawn re-activated them.  In
other cases, chapters have asked for time.  The ones you found could have
been in any of these or other specific situations at the time that you
looked at them.

I can say that nobody at the Foundation wants to shut down chapters -
certainly not ones that are active and growing the community.  But we do
have to balance the chapter leaders' needs with the broader security/tech
community who may want to attend a chapter meeting.  We drive away
community members if we appear to be dead or dormant.  The minimum chapter
activity outlined in the Chapter Handbook
<https://www.owasp.org/index.php/Category:Chapter_Handbook> was written
(especially Chapter 2) to strike that balance.

> Also it took like 3-4 hrs for me to "review" all the European chapters at
> owasp.org in May. Well if you asked me to do this dead simple
> formalistic review I could create a report in 2 hrs with comments and
> suggested actions. So probably I could do this type of review with global
> scope in a week. So why the review of Latam chapters was an excuse to
> postpone anything?

I wish that you would have shared the outcome of your review of European
chapters - that would have helped QA the work we've done.  Please feel free
to provide that feedback - ideally in a Google Doc or Spreadsheet that's
easily accessible to the community.

However, looking at the wiki is just one pocket of information on our
Chapters.  Like I said in the last Town Hall meeting, one of the
fundamental problems OWASP currently has is that their systems were created
for a community 1/2 to 1/3 its current size.  Chapter details can be found
in the wiki, in Mailman, possibly in Google Groups or Eventbrite or Meetup
(the Foundation's account) or a separate Meetup account or Doorkeeper
(primarily Japan), etc.  Another large volume of chapter data is stored in
Salesforce.  You may not be familiar with how the Foundation uses
Salesforce (SF) but it has been a 'system of record' for information on the
community including chapters.  And NONE OF THESE SYSTEMS TALKS WITH OR IS
INTEGRATED WITH ANY OTHER SYSTEM.  We have islands of data which take
manual effort to keep in sync.  This is one case why I said we've outgrown
our current systems and processes.  We've started to work towards that
integration but it's just beginning - e.g. the Foundation Meetup to
www.owasp.org tag to keep Meetup meeting info updated on the wiki.

Adding to these problems, a migration to a new AMS (association management
software) was begun in the spring of 2017.  AMS's basically add a layer of
functionality on top of Salesforce.  To keep this brief, I'll just say that
the migration is still not complete, the vendor has been less than stellar
and the data that was migrated has loads of data quality issues.  That was
what drove the desire to review/audit all the chapters.  The migration of
chapter data was 'complete' but that completion came with incorrect field
mapping, duplication of data, data missing in either the old or new system
- basically a huge mess.  Dawn's audit/review of chapters was her taking on
the thankless and Herculean task of getting the chapter data in order.

> Regarding the January shutdown of the Hungary chapter: a) The last year
> the requirement was 2 meetups per year as far as I know.

From the Chapter Handbook
<https://www.owasp.org/index.php/Category:Chapter_Handbook>: 2.2 Hold a
minimum of 4 local chapter meetings or events each year

> b) Wouldn't it be appropriate to first contact me before the shutdown?!

The standard procedure that Dawn is following includes reaching out to
chapter leaders - so yes, that's part of the plan.

> Maybe the process of shutting down chapters should be formally regulated
> so that Dawn can follow a decent/civilized guide!?

I'm the Director of Community and Operations and, at least since I had that
title, have been working with Dawn - answering questions on edge-cases,
being a sounding board for unusual situations, etc.  Dawn and I talk
multiple times per week - sometimes multiple times per day on chapter and
other operational issues.  She's hardly working in a vacuum.

But we're also a staff of 5 - who would be this formal regulator?  The
overall process is:

When Dawn started this process, there were two large issues for chapter
maintenance at the Foundation:
(1) The AMS migration mess I already mentioned above
(2) A backlog of chapter requests due in part to the departure of the
previous Community Manager.

To resolve the conflict for her time between (A) new chapter requests, (B)
the backlog/queue of chapter requests and (C) the cleanup needed to make
handling chapter maintenance easier, the middle ground was taken and the
following plan is being followed:

(1) Work down the queue/backlog of chapter requests while also doing the
audit/review of chapters to clean up the migration mess
(2) While working on a particular region, don't process new (new meaning
asked after this process started) requests for chapters unless the region
has already been reviewed/audited
(3) Once a region is audited/reviewed, start also handling new chapter
requests for that region.

That's what we're doing (really Dawn is doing all the hard work)

> Regarding the current year I clearly stated that it's true that we haven't
> had meetups yet. For different reasons. (Does that mean we won't catch up
> soon?)
> What I point to is: If the foundation sees in August that there is a
> problematic chapter the community manager should first ask how could it be
> fixed. Right?! Speaking about civilized procedures. Cause what happened
> recently was a letter stating that we don't seem to comply so we will be
> killed, Goodbye!
> Then: Is it really the state of the art metric that a good chapter does x
> things that they call meetups and the foundation is happy. I would rather
> call it a bureaucracy approach. Making a thing that looks like a meetup
> isn't that difficult for those who want to show off at LinkedIn.

While I generally agree with you, we don't have another method to 'keep an
eye' on chapters short of doing something like what I did - see if the
thing looks alive - wiki edits, last meeting was when?  Right now none of
that is automated or gathered up by any software - it's manual.  If you have
a better approach or metrics to judge chapter activity on, please add them
to one of the feedback docs from the Town Hall meetings
<https://www.owasp.org/index.php/Leaders_Town_Hall> so your good ideas
don't get lost.

> Wouldn't it be proper to help chapters with ideas what meetups they could
> do or even provide materials for that? That could be the value of the
> community and the foundation. Today the meetup market is quite full.

I wish I had that much time but there's just not enough hours in the day
with 5 staff and the size of our community to take the time to talk
individually with every chapter.  I really wish that was possible but it's
just not.  That's why the staff started the Town Halls, why those Town
Halls include the desire to create a number of committees to handle these
kind of issues - for Chapters, for Projects, for Events, for
Governance/Finance, ...  We're using those Town Halls to ask the community
where the gaps are so we can find ways to fill them with the resources we

> Finally I plan to do like two-three meetups till the end of the year. Will
> you shut down the chapter for not having four? Does it make sense? Is it a
> good long term strategy and proper utilisation of your/Dawn's/foundation
> limited resources?

Of course not.  Perhaps you get an email asking things like how your
chapter is going and that we noticed you fell a little short of the 4
meetings this year, how does next year look?

Like I said above, it's a balance between meeting the needs of chapter
leaders and the security community where your chapter is.  I'm sure a dead
chapter with no meetings and a non-responsive chapter leader(s) in
Metropolis doesn't serve the security community of Metropolis nor the
mission of the OWASP Foundation. I can't imagine anyone in the OWASP
community arguing against that.

> PS. It's one of the requirements regarding the community manager to
> communicate clearly - in case of Ramiro it didn't work seemingly.

Timur:  I hear that and, I don't speak anything but English.  I've learned
a handful of words in other languages but can't speak or read any other -
except for computer languages ;-)

In my 10 years at OWASP, I've made my share of mistakes - both in trying to
get a message across and trying to understand what is being said to me.
That's just how things are since we all don't speak one language (and
there'd still be issues of communication not working).  That's why I
stressed the need for patience and always starting from the assumption that
the other person has no bad intent.  Those two things can really help keep
misunderstandings to a minimum.

Ramiro and I had an additional thread off the list and we're good. [Ramiro,
correct me if I'm wrong]  It took some dialog and patience on both sides
but things are resolved.

And, to be honest, staff is super busy and it's hard (and feels very
expensive in terms of time) to provide long, thought out answers.  That's
just the nature of communication today - fast, quick and lacking details.
I can promise you that if you don't understand me or I don't provide
details, I will be happy to give more or try a different way to explain
things if you ask.

Finally, sorry for missing my Monday COB deadline - this week is already
getting 'interesting' between AppSec US deadlines, the Board election
deadlines, a bunch of events needing invoices paid, contracts signed,
refunds processed...  Time got away from me yesterday and I'm sorry.


-- Matt Tesauro

> Cheers,
> Timur
> On Fri, 14 Sep 2018 at 00:09, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>> Ramiro,
>> To be frank, your post is completely inappropriate and violates at least
>> this item in OWASP's code of ethics
>> <https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>
>> :
>>    - Not intentionally injure or impugn the professional reputation of
>>    practice of colleagues, clients, or employers;
>> I will not tolerate posts of this nature to anyone in the OWASP community
>> - *and staff is part of the community*.  I expect to see your future
>> posts to the leaders list be civil and constructive.
>> To answer your unfortunately worded post:  It would appear you didn't
>> understand her reply.  Let me rephrase it so that you may better understand
>> what Dawn is currently working on with my full knowledge and approval:
>> We are going through the inventory of chapters and cleaning
>> up/de-activating chapters which do not meet the minimal requirements per
>> the chapter handbook - principally having fewer than 4 meetings per year.
>> While she is doing this work, we are not accepting new chapters in the
>> regions that haven't been audited.  So far, she's completed the US and EU -
>> the geographical regions with the most chapters.
>> Her email simply stated that she's currently working on aka _auditing_
>> the Latin America region and not opening any chapters until the audit of
>> that region is complete.
>> Obviously she knows that Ecuador is in Latin America since the fact that
>> she's auditing that region is an issue with handling your request.
>> If you'd like me to further explain the reasons for conducting the
>> audit/review of existing chapters, I'd be happy to discuss it further
>> assuming you can be civil and abide by the OWASP Code of Ethics.
>> Cheers!
>> --
>> -- Matt Tesauro
>> *OWASP Foundation*
>> Director of Community and Operations
>> matt.tesauro at owasp.org
>> Consider giving back, and supporting the open source community by
>> becoming a member <https://www.owasp.org/index.php/Membership> or making
>> a donation <https://www.owasp.org/index.php/Donate> today!
>> Join us at AppSec USA 2018 <https://2018.appsecusa.org/> 8-12 October in
>> San Jose, CA!
>> On Thu, Sep 13, 2018 at 3:33 PM <ramiro.pulgar at owasp.org> wrote:
>>> Hi all,
>>> Dawn doesn’t know where countries are.
>>> I asked her since January that I want to restart Ecuador chapter, and
>>> she sent me an email that she is working first on Latinamerica and then she
>>> will solve my request…. Ecuador is in Latinamerica!!!!!!!!!!
>>> “Dear Ramiro:
>>> Thank you for reaching out, we are currently working on the Latin
>>> America region and once that is completed we will reach out to the
>>> community.
>>> Thank you.
>>> Dawn Aitken
>>> Community Manager
>>> (973) 658-6186”
>>> I think that Dawn doesn't have interest to attend our requests.
>>> Please, I recommend that a Community Manager have to be a OWASP leader
>>> or a Community lover that shares our interests.
>>> Saludos Cordiales,
>>> Ramiro Pulgar
>>> OWASP Ecuador Chapter Leader
>>> Linkedin: http://www.linkedin.com/in/ramiropulgar
>>> Whatsapp: +593 99 275 1705
>>> PublicKeyID: 0x0BAA7B2D http://pool.sks-keyservers.net |
>>> http://keyserver.pgp.com
>>> Fingerprint: 4096R/0BAA7B2D 4C7E 5264 F07A CFFA 3987 18CF DBD6 C750 0BAA
>>> 7B2D
>>> URL Site: http://www.owasp.org/index.php?title=Ecuador
>>> Mailing List: http://lists.owasp.org/listinfo/owasp-ecuador
>>> Twitter: @owaspec <https://twitter.com/owaspec>
>>> Disclaimer: The information contained in this e-mail is confidential and
>>> intended only for the use of the person or company to which it is
>>> addressed. This information is considered provisional and referential; it
>>> can not be totally or partially distributed nor copied by any media without
>>> the authorization from the sender. The sender does not assume
>>> responsibility about this information, opinions or criteria contented in
>>> this e-mail.
>>> *From:* owasp-leaders-bounces+ramiro.pulgar=owasp.org at lists.owasp.org
>>> <owasp-leaders-bounces+ramiro.pulgar=owasp.org at lists.owasp.org> *On
>>> Behalf Of *Timur 'x' Khrotko [owasp]
>>> *Sent:* Thursday, September 13, 2018 1:25 PM
>>> *To:* Ofer Maor <ofer.maor at owasp.org>
>>> *Cc:* Tom Brennan <Tom.Brennan at owasp.org>; OWASP Board List <
>>> owasp-board at lists.owasp.org>; owasp-chapters at lists.owasp.org;
>>> owasp-leaders <owasp-leaders at lists.owasp.org>
>>> *Subject:* Re: [Owasp-leaders] [balint:7407] Re: [OWASP-chapters]
>>> Proposal for OWASP Global Chapters Committee
>>> Ofer, while there may be an issue that there are some cases of people
>>> parasitizing on the owasp goodwill. But how high is this issue on the list
>>> of the current owasp issues? I hear voices that owasp/foundation is/are in
>>> crises, and there are high priority/critical issues to deal with.
>>> On the other hand what does foundation do in addressing the problem you
>>> mentioned? My experience is that Dawn did shut down the Hungary chapter
>>> around Christmas wo any prior notice. The notice came from wiki that our
>>> page was deactivated. Formally they didn't see recent meetups on the wiki
>>> page. Practically they didn't click on the meetup.com link there to see
>>> the meetup activity. And it was only Tiffany who apologized for that.
>>> Now I had a formal letter from Dawn that our chapter will be shut down
>>> as we didn't do any meetups this year (true). Maybe she could ask first how
>>> may the foundation help us in doing meetups?!
>>> So my observation is that besides many great things )) the foundation
>>> also makes nonsense repressive moves, sends nonsense long replies, and they
>>> send some of our requests to dev/null.
>>> Respect,
>>> Timur
>>> On Thu, 13 Sep 2018 at 15:32, Ofer Maor <ofer.maor at owasp.org> wrote:
>>> Hey Tony,
>>> There have been some issues where chapters were created, a lot of work
>>> was done, funds were drawn, but no actual progress was made. I don't think
>>> I can tell what were the reasons behind each such incident. I am pretty
>>> sure in some cases it is just poor execution, but at the same time it feels
>>> as if there are cases where people are more after the "title" on their
>>> LinkedIn page than about driving the community. In any case - even if it's
>>> all good intent but with no actual followup, this creates a burden on the
>>> Foundation staff, without helping the cause. Therefore there is room for a
>>> "meritocracy" type of structure - where you first do something, and only
>>> then get others to carry some of the weight. When I became the chapter
>>> leader of #Israel a decade ago or so, I didn't even rely on the Foundation
>>> for funds - we did originally everything by getting each sponsor to pay for
>>> something, only later we've went to the foundation to manage funds and
>>> sponsorships. Those were different times, and the Foundation today can
>>> provide more support than back then, but I'd still like to see the
>>> community driving this thing forward first, and rely on the foundation for
>>> support, than the other way around.
>>> Anyway - just my .02...
>>> Ofer.
>>> On Thu, Sep 13, 2018 at 1:55 PM, Tony Turner <tony.turner at owasp.org>
>>> wrote:
>>> Ofer, is that really a problem that needs to be solved? Bogus chapters I
>>> mean. I hadn’t heard that was an issue. I’m not sure I’m crazy about that
>>> much governance around forming chapters. We need to make it easy, not
>>> create restrictions around the process.
>>> Tony Turner | OWASP Orlando Chapter Lead
>>> On Sep 12, 2018, at 2:30 PM, Ofer Maor <ofer.maor at owasp.org> wrote:
>>> Hey All,
>>> Jumping in a little late into this discussion (but having read through
>>> most of it....) - a few of my thoughts:
>>> Yes, OWASP was easier to manage in the "good old days" when we were
>>> smaller, more idealistic, and less commercial. But that type of
>>> reminiscence will not get us anywhere today. OWASP Has grown, considerably,
>>> and as any other organization, as it grows, and more money gets involved,
>>> there are more and more pressures on it, and this means we need the right
>>> structure to support that, finding the way to keep the community spirit and
>>> vendor neutrality, while managing pressures - both financially and
>>> "politically". I am all in favor for Josh's call for Committee. I know the
>>> previous committees have "derailed" into insufficient progress, but I think
>>> they had their good times too, and I think there's room to bring them back
>>> to life.
>>> Moreover, pulling from some of the discussion we had on the slack
>>> channel, I think as the organization grows, and as the "value" of being a
>>> "Chapter Leader" is growing (people want that on their resume now....), we
>>> need to find a better way to vet new chapters. One of my suggestions (which
>>> of course needs more hashing out from its initial thought) is to create a
>>> tiered, merit based approach, where people will have some framework to
>>> create a "chapter candidate" - which requires them to put in effort and
>>> deliver results (i.e. create meetings with enough attendance etc), but
>>> without giving them too much credit upfront, and without invoking the
>>> "heavy" operational side. These chapter-candidates will not have a budget,
>>> they can not have members allocate it to them, nor will they get any
>>> financial support. They will only get some basic rights to use the name and
>>> logo of OWASP for the meetup. Once they have passed through certain barrier
>>> requirements (to be defined by the chapters committee and approved by the
>>> board if needed), they will be able to become a chapter.
>>> This will provide individuals, from one hand, an easier way to start-up
>>> a local OWASP activity without going through the entire process, but will
>>> also limit the load on the foundation staff, and also make it harder for
>>> people to abuse the system for their personal gain (free conference
>>> admission, bogus titles, etc.).
>>> Bottom line - I'm all for it.
>>> Ofer.
>>> On Sun, Sep 2, 2018 at 12:28 AM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>> Dear OWASP Leaders,
>>> As per the OWASP Committees 2.0 Operational Model
>>> <https://www.owasp.org/index.php/Governance/OWASP_Committees>, approved
>>> by a vote of the OWASP Board of Directors on July 16, 2014, I would like to
>>> formally propose the creation of a new "OWASP Global Chapters Committee".
>>> My rationale for the creation of this new committee is that our
>>> community has made a number of observations about inadequacies in the ways
>>> our Chapters interact with the OWASP Foundation, its Staff, and the
>>> Board.  This committee would serve as a new form of governance within the
>>> OWASP Foundation, cutting red tape and empowering our chapter leaders to
>>> better serve the mission of OWASP while still adhering to the OWASP Core
>>> Values of openness, innovation, being a global community, and integrity.
>>> We will focus on strengthening the OWASP Chapters through education,
>>> networking, and driving value to our members.
>>> Topics that are within scope for the OWASP Global Chapters Committee
>>> include, but are not limited to:
>>>    - *Leadership Requirements: *The committee will be responsible for
>>>    defining requirements for new chapter leaders and create a community
>>>    vetting process.
>>>    - *Activity Requirements: *The committee will be responsible for
>>>    defining the minimum activity requirements for chapters and will
>>>    periodically review chapters for meeting those minimum requirements.
>>>    - *Mentorship: *Programs will be created to pair new chapter leaders
>>>    together with more experienced ones.  Budgets will be established in order
>>>    to facilitate mentees attendance of mentor chapter meetings.
>>>    - *Projects Partnership Tours: *To emphasize the importance of
>>>    projects, a budget will be established for projects to hold regional tours
>>>    of chapters where they will speak and show off their projects.
>>>    - *Budgets: *The committee will be a resource for OWASP policies and
>>>    procedures when it comes to the budget process and ensuring that it is
>>>    being followed.  The committee will help identify opportunities for chapter
>>>    leaders to spend their money.
>>>    - *Policy: *The committee will review and revise the Chapter Leader
>>>    Handbook on a periodic basis.  They will assess gaps in existing policies
>>>    and help to create new policies or redefine existing policies to address
>>>    gaps.
>>>    - *Guidance: *The committee will serve to help guide other leaders
>>>    with any questions that they have.  They will assist with finding
>>>    speakers.  They will help to recommend topics for presentations.
>>>    - *Feedback: *The committee will survey chapter leadership on
>>>    pertinent topics and be a listening outlet for chapter needs.
>>>    - *Conflict Resolution: *The committee will serve as a tribunal for
>>>    conflicts among and between chapters.
>>>    - *Local and Regional Events: *The committee will help to guide
>>>    chapter leaders on how to start and run local and regional events.  A
>>>    "startup" budget will be formed from existing event revenues in order to
>>>    seed investment in more events, helping additional chapters to be able to
>>>    raise enough money to cover their expenses and innovate.
>>>    - *Board Guidance: *The committee will work with the Board on any
>>>    initiatives they have as they relate to chapter policies, governance,
>>>    budgets, or otherwise.
>>> This scoping was developed by myself and Tiffany Long in an effort to
>>> cover many of the issues our chapters face on a routine basis.  It is not a
>>> comprehensive list and I'd certainly welcome suggestions from others in our
>>> community.  Moreso, it is my hope that others will be interested in
>>> participating in and contributing to this committee.
>>> Per the Committee Creation section of the Committees 2.0 Operational
>>> Model, this is now up for a community discussion with a Board vote to
>>> follow.  I hereby formally request that this be added as a topic for vote
>>> at the September 19th OWASP Board meeting.  Thank you.
>>> Sincerely,
>>> Josh Sokol
>>> OWASP Board Member 2014-2017
>>> OWASP Austin Chapter Leader
>>> OWASP LASCON Conference Co-Founder
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> _______________________________________________
>>> Owasp-chapters mailing list
>>> Owasp-chapters at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-chapters
>>> This message may contain confidential information - you should handle it
>>> accordingly.
>>> --
>>> secmachine․net #wepowersecdev
> --
> secmachine․net #wepowersecdev