Talk:June 6, 2011


Talk Page Guidelines

  • Sign your name after a comment by using four tildes (~~~~). MediaWiki automatically replaces this with the right thing
  • Add a new discussion point with the level 2 heading (==Example==) or the '+' sign
  • Add inline replies using increasing number of colons (:)
  • See MediaWiki Talk Page Conventions

From Kate:

  1. Be constructive. An idea is a seed and needs to be nurtured. If you do not agree with the idea, come up with an alternative, don’t just shoot it down.
  2. Be flexible. We can’t all get our way all the time.
  3. Follow through and be honest. If you say you are going to do something, please do it. If you don't have time to do something, say that too.
  4. Encourage members to follow the discussions and to document their ideas. Let’s keep this open.
  5. Be creative! Come up with new ways of thinking and opportunities to make things happen!
  6. Hold everything against the Core Values and Core Principles.

Mark Bristow 11:50, 24 May 2011 (EDT)

My only major recommendation is to better define the Global AppSec/Regional/Local break. I'd recommend that any event larger than 100 expected attendees (things that are clearly chapter meetings, such as NY chapter meetings, excluded) would be under the Conferences Committee purview. Events expecting fewer than 100 attendees would all be classified as local events (unless they are deemed "conferences" for a specific reason), managed by the Chapters Committee and put into OCMS for GCC awareness when working the larger schedule items.

My rationale: the Conferences Committee has the experience and knowledge regarding larger events, i.e. conferences, and the Chapters Committee does not have this focus. Larger events (over 100 expected attendees) would benefit from the knowledge and guidance of the Conferences Committee, which has the experience with larger events.

Additionally, one of the Conferences Committee's major goals (and a primary reason for OCMS's existence) is to avoid conflicting scheduling of events. Larger events, including those with a regional draw, need to be carefully managed, as we are currently experiencing attendee, speaker, and sponsor fatigue with our schedule that's mostly in the second half of the year. Local events IMO are more for GConfC awareness and tracking of the "official" event schedule; they rarely cost much (although almost all request some sort of funding/schwag and foundation support) and I can't think of a single local event that's turned a profit (many don't charge a fee). Personally I feel that the GChapC would be a fine venue to coordinate these activities so long as the GConfC still gets awareness of them (for scheduling purposes).

Jsokol 12:11, 24 May 2011 (EDT)

I respectfully disagree with Mark. IMHO, the number of expected attendees is a horrible way to define whether or not the GCC gets involved in a conference. The GCC's involvement should be based on some set of offerings/assistance from the GCC and whether or not the conference planners feel that they require that level of assistance. Most of the local/regional conferences mentioned are experienced conference planners who do not require the knowledge and/or guidance of the GCC. Ultimately, this should be a choice by the conference planners and not something forced upon them because they're going to have 100 people or more.

If the issue is one of managing event schedules to make sure they do not conflict, then the solution is as simple as just making sure that events are entered into OCMS. Regardless, if the scope of the local/regional events are truly local or regional, then there should be little conflict or overlap with the other Global AppSec events.

As the Co-chair of one of these local/regional events, I wholeheartedly agree with the proposal to move these events under control of the Chapters Committee. These local/regional events are run almost completely by local resources. They solicit their own sponsors, speakers, and volunteers. As long as the values of these conferences run in parallel with OWASP's Core Values, then there is no reason why we shouldn't be enacting policies to enable more of these homegrown conferences to sprout up. These types of incentives are better suited for the Chapters Committee than the GCC which has historically shown the desire to limit the number of conferences, limit chapter profits, and try to take control out of the hands of the conference planners.

Mark Bristow 16:13, 27 May 2011 (EDT)

Update in response to Josh's comment about "These local/regional events are run almost completely by local resources". That is actually not true. I will agree that most of the labor is done by the local team (GCC is working on ways to help provide additional "effort" support), but all of the financial risk is taken on by the foundation. It is OWASP Foundation funds that pay for venues, deposits, and food, and the foundation that takes on the risk of any loss (which has happened in the past). Conference income accounts for 77% of OWASP's annual income. In 2010 conferences brought in a total profit of $240,399.71 (up 151% from 2009, even counting the $34,991.87 of which was allocated directly to local chapter budgets) while OWASP's overall net was $4,972.63. Conferences and their profits are what make OWASP possible; without these funds we could not put on events like the OWASP Summit (total cost to the foundation was $224,799.05; only $44,095.65 came from chapters in the form of donations, individual travel sponsorships, or forfeiture). While I agree it's important to empower chapters and local leaders to make smart decisions, and as a result the GCC has provided, for the first time, profit sharing for local chapters for events in 2010, the financial benefits of OWASP events are far too crucial to the ongoing support of the OWASP mission to be removed from the oversight and experience of the people who have held successful events in the past and have proven that they can effectively manage these activities.

Additionally, as a Co-Chair of one of the larger regional events, I wholeheartedly agree with keeping the events under the GConfC. From a foundation perspective I'd argue that AppSec DC uses even fewer labor resources than LASCON does (at this point, AppSec DC is completely self-sufficient other than the need of capital from the foundation to get us started). However, the AppSec DC team puts on our event for the benefit of application security awareness by engaging key stakeholders (the US Government). We do not do it to bolster our local budget; we did it for the betterment of OWASP and will continue to do so as long as we are allowed. The Chapters Committee should continue to have oversight of chapter meetings, the chapter handbook, local sponsorships, etc., but for the larger events, they need the experience of someone who has planned large-scale events. Perhaps number of attendees isn't the best metric to use; the GConfC has been using more subjective delineators for over a year now with success. However, I felt that it might be a way to compromise and clearly define who had oversight of what.