January 2021 Videoconference

MEETING DETAILS

AGENDA

CALL TO ORDER - Attendance

Board Members

  • Owen Pendlebury
  • Sherif Mansour
  • Vandana Verma Sehgal
  • Martin Knobloch
  • Grant Ongers
  • Bil Corry
  • Joubin Jabbari

Guests

  • Andrew van der Stock
  • Harold Blankenship
  • Kelly Santalucia
  • Alonna Stock
  • Dawn Aitken
  • Lisa Jones
  • Tom Pappas

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

REPORTS

Staff reports, including the Executive Director's and Finance reports, can be found after the agenda.

Organizational KPIs

KPI             January        Delta
Members         3482           4.54% (up 22% since March 2020!)
Visitors        505,703        -21.8% (Holiday break)
OSD SLA met     37.5%          -62.5% worse (includes ticket cleanup)
NSFR SLA met    73.9%          -0.14% improvement (includes ticket cleanup)
YTD net income  $16.2k         Better by $376.5K, ForecastZ was -$316k (December 2020 preliminary close)

KPI Summary

Financial Summary

Revenue: On an accrual basis, total revenue YTD was $2,218.8K compared to the Budget of $1,848.2K. The results are BETTER by $370.6K, with Conference income being $448.5K ahead of the 2020 budget/Zforecast and Membership income being $3.3K ahead of Budget, offsetting the other revenue lines that were under Budget (Membership and Donations).

Expenses: Total spending YTD 2020 is LESS than Budget by $5.9K. Conference expenses are over Budget by $190K (AppSec Cali 20, 20 Snofroc, 20 NZ Day and 20 Seasides), as are Professional fees (trademark and legal expense, audit fees), which are over Budget by $164.7K for legal/trademark costs; these are offset by underspending in Chapter expenses (down $157.7K), Travel costs ($110.2K) and Project spending ($131.1K). We do need to watch this for 2021, as we do not have the resources to repeat the 2020 legal spending.

Net Income/Loss: YTD 2020 Net income, on a combined Accrual basis, is $16.2K, which is BETTER than the YTD 2020 budget/Zforecast of negative ($360.2K) by $376.5K.

Chapter Funds US balance is $849.9K, up $20K from Nov 2020. EU Chapter balance is $65.6K, up $1.5K from Nov 2020. US Project balance is $177.9K, down $4.8K from Nov 2020. EU Project balance remains at -$9K.

NB: I’ve provided the November 2020 financial package here for your review as well, as we’ve had a couple of Board meetings with no provisional or finalized financial packages for you to review. ajv

OLD BUSINESS

NEW BUSINESS

2021 Board Officers Election

Chair

Vice Chair

Secretary

Treasurer

Motion to confirm re-charter of Education Committee

Background During the preparation of the minutes, it became clear that, despite the item being clearly about approving the Education Committee charter and the extended discussion with the Education Committee members present, the vote wasn't for any particular motion. The vote was unanimous. This Motion resolves the confusion and will allow the minutes to be updated to reflect the results of that previous vote.

Motion “Resolved, the 2021 Board confirms the unanimous vote by the 2020 Board to approve the Education Committee charter. The following Motion shall be entered into the minutes of the December 2020 meeting: ‘Resolved, the Education Committee charter is approved, effective December 15, 2020.’”

  • Sponsor: Grant
  • Second: Sherif

Motion to approve the updated Chapter Committee Charter

Background The Committees policy recently changed; it requires existing Committees to present an updated charter and to have between three and five officers, each of whom may sit on only one committee and may not be from the Board or the Foundation. The charter from the Chapters Committee is derived from the previously approved scope. Chapter Committee representatives are present for the discussion and for any questions relating to the charter or scope.

Motion “Resolved, the revised Chapter Committee charter is approved, effective January 26, 2021.”

  • Sponsor: TBA
  • Second: TBA

Bylaw changes relating to Code of Conduct to comply with Delaware Law

Background Schwabe reviewed our Codes of Conduct and bylaws in relation to the confidential investigation last year. As a result, they made a number of recommendations to improve compliance with Delaware General Corporation Law (“DGCL”), which governs our bylaws. They found that our bylaws in relation to director removal were not compliant with the law. Thus the Board could not use these provisions.

The following motions should be voted on as a whole.

Main motion

“Resolved, the Board by 2/3rd affirmative vote adopts Schwabe’s recommended updates to the Foundation’s bylaws and Director’s Code of Conduct relating to Director Removal and Harassment.”

Subsidiary motion: Amend Director Removal bylaws to comply with Delaware General Corporation Law

Background The provisions for Director Removal weren’t compliant with DGCL. These amendments bring our bylaws into line with the DGCL, establishing that the Board votes to recommend Director removal, which is then put to a member vote to remove the Director.

“Resolved, the Board directs the Foundation to update OWASP’s bylaws as per the following text within 30 days to become compliant with the Delaware General Corporation Law.”

Section 2.04

“Directors may be removed from office by the members, with or without cause, as permitted by and in accordance with the laws of the State of Delaware. The Board will recommend to the Members that a Director be removed from office when there is a finding that a Director has committed an action that results in a finding of “Cause.” A determination of “Cause” by the Board of Directors requires an affirmative vote of the full number of voting Directors then in office, except for the Director being considered for removal. For the purpose of these Bylaws, the term “Cause” shall mean

(w) repeated violations of the Board Code of Conduct Policy or (x) a final conviction of a felony involving moral turpitude or (y) willful misconduct that is materially and demonstrably injurious to OWASP or (z) a no-confidence vote by the Board of Directors under Section 3.04 of the Bylaws.

For purposes of the definition of “Cause,” no act, or failure to act, by a Director shall be considered “willful” unless committed in bad faith and without a reasonable belief that the act or failure to act was in the best interest of OWASP. As voting by OWASP Members is optional, a simple majority of votes received by members in good standing shall govern if the Director is removed.”

Section 3.03 Regular meetings

The Board of Directors shall have regular meetings as needed. A link to the board meeting agendas and the historical minutes is here: https://owasp.org/www-board/. Meetings shall be at such dates, times, and places as the Board shall determine in December of the preceding year and as amended by the Board. In no event will there be less than one meeting per quarter. These meetings will be open to public attendance. However, certain portions of the meeting may be closed to board members and their delegates when required for legal reasons, or to shield liability, or to handle personnel issues, or similar.

Attendance in person or virtually by board members is required at no less than 75% of the total meetings each year and shall be highly encouraged to meet in person at least once annually at a date to be announced and agreed upon. To be considered as “attended,” the board member must attend at least 90% of the meeting, starting at the published scheduled time until the published end time or the meeting is adjourned (whichever is earlier). Attendance is tabulated by the Executive Director or delegate within seven days after every scheduled meeting for the purpose of determining if the 75% attendance requirement has been met, and the tabulation is based upon the entire calendar year. Canceled meetings are considered attended for the purposes of the tabulation.

Failure by a board member to meet the 75% attendance requirement after any tabulation will cause a mandatory vote of confidence by the remaining board members, whose votes will be publicly recorded. The vote of confidence is to take place within 21 days, but no sooner than seven days, of notification by the Executive Director or delegate that a board member has not met the attendance threshold. During the first seven days, the board member in question will have an opportunity to make their case to their fellow board members. The vote of confidence will take place on the OWASP Board of Directors email list unless the Board votes to review the matter at their next meeting, so long as the next meeting occurs within the 21-day window. An overall vote of “no confidence” is recorded if more than half of the board members vote for it, which causes the board member in question to be instantly removed from their seat on the Board. If a vote of confidence does not pass, the Board will hold a vote of removal and recommend to the members that the Director be removed, per Section 2.04.

Subsidiary motion: Amend the Director’s Code of Conduct to address harassment and repeated violations

Background The Director’s Code of Conduct did not have anti-harassment provisions, and the consequences it set for repeated violations were not compliant with Delaware law. This addition and amendment to the Director’s Code of Conduct resolve both issues.

“Resolved, that the Foundation is directed to amend the Board of Directors Code of Conduct to include or change the following clauses:

Anti-Harassment

Board members must not engage in any intimidating, harassment, discriminatory, abusive, derogatory, or demeaning speech or actions (“harassment” includes, but is not limited to: communication or conduct that a reasonable person in the individual’s circumstances would consider unwelcome, intimidating, hostile, threatening, violent, abusive or offensive, such communication may be related to gender, gender identity and expression, sexual orientation, disability, national origin, race, age, religion; it also includes stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention).”

and replace the following text

Sanctions

Board Members’ Behavior and Conduct - Board Members who intentionally and repeatedly do not follow proper conduct may be reprimanded or formally censured by the Board. For repeated violations of the Board Code of Conduct, the Board can take the step of recommending the removal of a Director under Bylaw Section 2.04.”

  • Sponsor: Sherif
  • Second: Grant

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Chapter Policy deferred to February 2021

The Chapter Policy had a significant amount of feedback, which is in the process of being incorporated. As this is the first rewrite of the Chapter policy in some time, I would prefer that the Board had time to fully review the Chapter policy before approving it.

Bylaws Review Sub-Committee

I am seeking at least one and no more than three Board members to lead the effort to review and reconcile the lawyer’s review of our bylaws. There is a significant number of changes that need to be merged, which will result in a vote on completely redrafted bylaws, including the recent changes outlined above, within the next 60 days (to be approved at March’s Board meeting).

Mission Statement Sub-Committee

As discussed in the January strategy meetings, OWASP needs to overhaul its mission statement to focus our energies on the challenges of the next 20 years, not the last 20. The mission statement should be straightforward and impactful. If we are doing it correctly, it will lead to much-needed improvements in application security. I am seeking 1-3 Board members to join the sub-Committee to work with myself and the Community in drafting a new mission statement within the next 90 days (to be approved at April’s Board meeting).

Automation Roadmap Presentation

Harold Blankenship will lead the Board through a discussion of what has been achieved to date, with a list of planned automation and self-service activities. As there is much to do, discussion and feedback at the end, informed by the planning poker game, will be highly desirable to assist in selecting what to work on next.

ADJOURNMENT

Reschedule last day of Special Board meeting

Let’s discuss the best time to reschedule the last day of the January special Board meeting.

Adjournment motion

The next general Board meeting is on February 23, 2021, at noon US Eastern Time.

  • https://owasp.org/www-board/meetings/202102.html

“It is moved and seconded to adjourn. Those in favor say ‘aye.’”

  • Sponsor: Sherif Mansour
  • Second: TBA

Staff Reports

Executive Director Report

January has been a busy month so far, including holding two half-day virtual meetings to discuss Board strategy. A number of items will result in activities in the coming months, including creating a new mission statement and a complete review of our bylaws. I have included these above to identify Board members who are willing to assist or lead these efforts.

I welcome Kelly Santalucia to her new position as Director of Events and Corporate Support. Kelly has been with the Foundation for over a decade and has a wealth of experience working with our Community to deliver tremendously successful events. I hope that we can return to community-run global, regional, and local events soon. Our most profitable, largest, and most mission accomplished events all had a high level of community activism, volunteers, and support. We need to get back to those days whilst incorporating the best of what we’ve learned about virtual events in the last 12 months.

Our team has been using the typically “quiet” January month to get member benefits moving forward. For example, OWASP merchandise, online books, and other activities will go live shortly, moving our operating plan forward quite nicely.

I encourage the Board to finalize the planning poker game to prioritize the rest of this year’s operating plan. There’s so much to do, and I would like to involve the Community in delivering these improvements to our mission by focusing our collective efforts on strategically important deliverables and outcomes rather than just perceived urgent activities of limited value.

Finance

This is the PRELIMINARY write up for Dec 2020. We will be keeping the books open until the end of Feb 2021 to make sure that we have captured all of the 2020 revenue and expenses.

Attached, please find the preliminary OWASP Combined (converted to USD for all reports) financial package for Dec 2020, which represents financial performance for the 12 months of Fiscal Year 2020. I have included the 2020 approved budget for the first four months and the approved Zforecast for May-Dec 2020. All amounts are combined with the EU and converted to USD in these reports.

The Online/SF event in October has now been finalized, with the four sponsors that requested it moving their sponsorship to 2021 (thank you, Kelly, for providing this information). Our doing better than the Bud/Zforecast for 2020 is due primarily to the success of the online event in Oct 2020; congratulations. Also, congratulations are in order as we significantly overachieved the Bud/Zforecast, as you will see in the Board summary. The Bud/Zforecast called for a $300K deficit, and we showed a $16K positive Net income. We now need to turn our attention to 2021, which is going to be a challenge.

Income Statement: the Revenue, Expenses, Net Income and Chapter/Project balance figures for December 2020 are given in the Financial Summary under Organizational KPIs above.

POINTS of NOTE:

Continuing the narrative theme of previous months: as of 12.31.20, our cash position was $1,213.3K, DOWN $55.5K from Nov 2020. Our average monthly spend for operations is roughly $100K including all payroll, which is still roughly 12 months of reserve, which is very good in the current environment. If we remove the AP and the PPP loan, that is $168.2K (down about $12K from Nov 2020), which is just over 1.5 months of reserve, taking us to an estimated 10.5 months, again a good number.

Now the concern is the $1,085K (up $17K from Nov 2020) of Chapter/Project balances, which when combined with the AP balance of $55.5K is $1,140.5K vs. the Cash balance of $1,213.3K, leaving us with a positive reserve of $72.8K, or just under one month of operating reserve. Deferred revenue, as we have recognized most of AppSec US along with AppSec EU and LASCON, is now $120.9K, or a little over one more month of financial reserve. We need to make sure that we fulfill the sponsors’ value proposition so we do not lose this revenue.

So through 12 months of the year, we are tracking way ahead of Budget due to the $461.3K of net income recognized in Oct 2020 for AppSec US, which turned into an online event. One other note: AppSec CA has traditionally been a lucrative event; we are not currently planning one. However, in order to bridge the gap, I think we seriously need to think about some type of “online” event for Jan 2021. It is going to be an online event, but we still need to throw off some positive cash flow, or we will keep eroding our current cash balance.

I have the next board call on Tuesday, January 26, 2021, and I will be attending along with Marissa Oakley, who has begun to work on the OWASP financials with me.

Chapters and Membership

Eight new Chapters opened, two of which are new Student chapters:

  • OWASP Indian Institute of Technology Patna
  • OWASP Sri Lanka Institute of Information Technology

Not included in the eight new chapters are two Chapter reactivations:

  • OWASP Luxembourg
  • OWASP Waterloo

Events & Corporate Support

January SOS-Rerun Courses:

Attendance was low overall, and 4 of 5 paid courses were canceled. The 6th course is being offered by Bjoern Kimminich and co-trainers as part of the Diversity Scholarship offering from the WIA and Outreach Committees; 83 attendees were approved via the application.

General Event Updates:

  • The rollout of all event microsites is ongoing.
  • Launching the Call To Battle application for the Community next week.
  • Opening March Lightning Conference registration on January 22, 2021, with featured speaker STOK.
  • I am making the transition from the event tool registration to Eventbrite for free events to better manage attendee tracking, communication, and event platform integration.
  • Additional support is requested from the Board for social sharing in event promotion.

Global AppSec Dublin 2022 and Global AppSec SF 2022

Contracts have been amended and signed for 2022

LASCON

The local team will be sending over the venue contract for review and Andrew’s signature. The event budget is currently under review and should be completed by the end of next week.

Global AppSec Australia

The event budget is currently under review, with hopes to have it wrapped up by the end of next week.

2021 Event Budget

The 2021 event budget was submitted for all virtual events/activities except for Global AppSec Australia and virtual Global AppSec US. These will be available within the next week or so, after finalizing event budgets with the team. The numbers previously submitted were inaccurate. The current 2021 budget is very conservative and realistic.

Operations

  1. Sent all Board Members Annual Conflict of Interest Questionnaire for their signature.
  2. Board Source Training - only received certificate of completion from Bil Corry.
  3. Non-profit strategic impact Engine of Impact: Essentials of Strategic Leadership in the Non-profit Sector by William F. Meehan III and Kim Starkey Jonker

Verify that Sherif, Grant, and Owen ordered the book.

Projects & Technology

The Project & Technology presentation above will give more detailed updates around automation.

As per the Project Status Page, there were ten new projects within the last 60 days.

Four projects were promoted to Lab status, and one project was denied promotion.