Tuesday, July 22, 2014
Passed by a vote of the OWASP Board of Directors on July 16, 2014.
There is a disconnect amongst OWASP Leadership in terms of determining who is empowered to make decisions for our organization. It is our belief that the Board has expressed the desire to empower our leaders, but has, at times, questioned the decisions made. The goal of the plan which follows is to empower all OWASP leaders who have an idea that merits action with the ability to act.
OWASP will once again reinstate a committee structure for participation in key aspects of our organization. This may include Chapters, Projects, Conferences, Governance, and other topics to be determined later. The key difference between the proposed committees and those of OWASP past will be in the empowerment to take action. OWASP Committees may, at any time, conduct a vote to enact change within the stated scope of the committee without prior approval from the Board.
At any point in time, a community member may propose a new committee via the OWASP Leaders List stating their rationale and desired scope for creating a new committee. After a community discussion, with perceived majority support and no major arguments against, the OWASP Board of Directors will establish whether there is a conflict of interest with any existing committees and whether the formation of that committee is in line with OWASP goals. If no conflict is determined to exist, the Board will initiate a public call for OWASP members interested in committee membership, via the OWASP Community mailing list, with a seven day time window. So long as the committee receives at least five OWASP member applicants, the Board will vote on the committee creation. A majority vote of support from the Board is sufficient for establishment of a new committee with all OWASP member applicants being granted committee membership.
The scope of an OWASP committee is established during the initial proposal for the new committee. In the event that a community member believes that a committee has taken actions outside of its scope or would like to adjust the scope of a committee, then they may state their rationale and desired response via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will establish the validity of any scope disagreement or proposed scope amendment. A majority vote of the Board of Directors is required to modify the scope of any OWASP committee.
Any community member is welcome to participate in and provide feedback to an OWASP committee. Committee membership (voting privileges and leadership responsibilities), however, is limited to those who meet the following criteria:
1) Individual must be an OWASP member in good standing.
2) Individual must have the written endorsement of either a current committee member or an OWASP Board member.
3) Individual must demonstrate a history of at least three months' participation in the committee for which they are applying for membership.
Any person who satisfies the above criteria may, by way of the public committee communication medium outlined in section VIII below, request to be granted membership to the committee. The committee will then conduct a vote on the applicant, via the same medium, and if the majority of members agree, they will be granted committee membership as well.
Active committees are responsible for conducting a poll of members, at least every six months, asking each if they would like to continue to serve on the committee. Committee members who respond “No” or who do not respond at all during a seven day time window will be removed from membership.
A member of a committee leadership team may have their membership removed for reasons of inactivity over a period of at least six months or misconduct by a unanimous vote of the remaining members of the committee.
If at any point in time, for any reason, committee membership is less than five people, then the committee leadership must initiate a public call for OWASP members interested in committee membership with a seven day time window. All qualified applicants must be accepted to join the committee as committee members. If there are not at least five committee members at the end of the seven day window, the committee will automatically be removed due to a lack of participating interest with that committee’s functions being reassumed by the OWASP Board of Directors.
Committee members are required to report any infractions of OWASP Foundation policies and procedures to the OWASP Board of Directors.
The OWASP Foundation will provide a designated staff member to support each active committee from an operational perspective. The staff member may participate in the committee as a community member, but will not serve as a voting member of the leadership team due to a potential conflict of interest. Participating staff are required to report any infractions of OWASP Foundation policies and procedures, by the committee, to the OWASP Board of Directors. The committee leadership team will be invited to provide feedback for the assessment of their assigned staff member in the form of an annual evaluation of their committee-related activities, capability and professionalism.
Members of the OWASP Board of Directors are allowed to become committee members, but participate as normal committee members with no special powers either expressed or implied. While Board member participation in committees is encouraged, Board members must refrain from taking an active leadership role for the committee.
All committees are required to hold their discussions in the open in order to enable participation by any member of the community. All official committee discussions (written and verbal) must be archived in a publicly accessible location so that the community may observe committee actions at any point in time. Use of the OWASP Force Portal for Committees is strongly encouraged as it provides logical conversation grouping, an archive of conversations, document attachment capability, participation metrics, and more, but other technologies may be used as long as it is agreed upon by all committee members and all relevant information is linked from the respective Committee wiki page. Committees that wish to solicit assistance from outside participants for committee activities are strongly encouraged to do so using the OWASP Initiatives framework.
Committees are required to notify the OWASP Community, via the OWASP Leaders List, in writing of any official votes and provide a written summary of actions taken on a minimum of a monthly basis. Committee decisions are considered official once a record has been published to the community. The Board is responsible for reviewing committee actions and ensuring that the committee is acting within its pre-defined scope and in accordance with the OWASP Foundation Bylaws as well as all other applicable policies and procedures.
All committees are responsible for being self-organized. This includes determining their own leadership structure, coordinating committee meeting schedules at least monthly, taking and publishing notes of committee meetings, assembling monthly action summaries, culling inactive committee members, and ensuring compliance within the defined scope and various OWASP policies and procedures.
If at any point in time an OWASP Leader believes that a committee is no longer necessary or that the scope of one committee conflicts with the scope of another, they may bring up this concern via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will hold a vote on the committee removal. A ⅔ majority vote of the Board is required for the removal of a committee.
As the goal of this proposal is to empower our leaders to be able to take action on behalf of the organization, no Board vote is necessary for any initiative of the committee provided that the following is true:
1) The action is within the stated scope of the committee.
2) If money is required, the action follows the guidelines set forth in the Community Engagement Funding document.
3) No contracts are being executed by the committee on behalf of the OWASP Foundation.
4) The action is in line with the OWASP Foundation Code of Ethics and is pursuant to OWASP’s mission.
If any of these is not true, then the OWASP Board of Directors should be consulted for approval prior to the committee's execution.
Because the committee is acting on behalf of the OWASP Foundation, but as a separate entity from the OWASP Board, the committee members are expected to conduct their actions with regard to the OWASP Mission, the OWASP Code of Ethics, and the Board's annual strategic goals. The committee and its members will ultimately be held accountable for any actions that are not in line with these key principles or that are outside of the pre-determined scope of the committee. Perceived violations should be brought to the attention of the OWASP Leaders List along with all substantiating evidence. After a community discussion, the Board may veto the actions of the committee by a majority vote of the Board of Directors.
We believe that empowering our volunteers to take action is core to the execution of OWASP's mission. With the above committee structure, we believe that the right pieces will be in place to provide the organization with effective governance as well as checks and balances to ensure unbiased operation. We hope that you will agree that executing on this is in the best interests of the future of the OWASP Foundation.
Tuesday, July 15, 2014
“Something that looks like a protocol but does not accomplish a task is not a protocol—it’s a waste of time.”
― Bruce Schneier, Applied Cryptography
You won't want to miss Bruce Schneier's keynote at the AppSec USA 2014 conference September 16-19 in Denver. But you also can't afford to miss AppSec USA's two full days of training sessions featuring top experts collaborating with you and your peers on the latest application security challenges and industry trends.
Register today for AppSec USA and the training sessions at http://2014.appsecusa.org/
Below are the brief overviews of AppSec USA’s 2014 training sessions. Click the links to learn more about the session and presenters.
Presented by Secure Ideas
The advanced web penetration testing course is designed to be a hands-on course that will expand both internal and external security personnel testing knowledge.
Presented by Blindspot Security LLC
This course is designed to provide attendees with the core concepts required to make informed decisions about what cryptographic primitives and APIs are safest to use in practice. The content will include approximately 50% lecture and 50% labs or other exercises to reinforce the concepts presented.
Presented by Mandiant, a FireEye Company
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach.
Presented by Tobias Gondrom
Managing and improving your global information security organization; Leverage OWASP and common best practices to improve your security programs and organization; Achieving cost-effective application security; Bringing it all together on the management level.
Presented by Albero Solutions
This course aims at providing all web developers deep hands-on knowledge on the OWASP Top 10 web application vulnerabilities list.
Presented by Recurity Labs
After the training the participants will be able to assess, audit and exploit Ruby on Rails applications. This includes knowledge about the inner workings of the framework itself as well as a set of decent payloads for practical demonstration of vulnerabilities.
Presented by Aspect Security
This hands-on course enables students to understand how easily mobile devices and applications can be attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls.
Tuesday, July 8, 2014
OWASP Leaders -
Our Community Manager, GK Southwick, gave her two weeks' notice to OWASP on June 27, 2014. GK's last day will be this upcoming Friday, July 11.
Although GK has only been with us a short time, we appreciate the hard work and dedication she has had in trying to make headway in managing requests for new and existing chapters, starting a revamp of our merchandise request process and ensuring that community members' merchandise requests are answered in a timely fashion, and assisting with volunteer initiatives.
We wish GK the best of luck in her future endeavors, including her great contributions to the AppSec community through her involvement with B-Sides Las Vegas and many other industry events.
OWASP will be re-hiring for the community manager position shortly. Stay tuned for updates on the application process and hiring timeline.
Monday, July 7, 2014
As you know, AppSec USA 2014 is going to be held in Denver, CO September 16-19.
If you have not registered yet, be sure to do so HERE
Do not forget that chapter leaders can attend the conference free of charge by using a discount code when registering. Additionally, there are discount codes for the leaders to join training sessions (ask us for these codes).
We truly appreciate your help with promoting AppSec US 2014, and hope to see you in Denver.
Global Conference Manager
Monday, June 30, 2014
TODAY is the DEADLINE to submit your NOMINEES for the WASPY AWARDS!! https://www.owasp.org/index.php/WASPY_Awards_2014