Chapter Handbook: FAQ
- 1 How to Start a Chapter
- 2 Getting Started
- 3 Basic Meeting Rules
- 3.1 How many meetings per year do we need to host?
- 3.2 So after our 4 meetings can we charge to raise money for funds?
- 3.3 Why do I need to post information on my wiki?
- 3.4 What do you mean by "Free and Open?"
- 3.5 What is Vendor Neutrality?
- 3.6 My chapter would like to sign this contract/accept this donation, how do I do it?
- 4 Social Media for Chapters
- 5 Funding
- 5.1 What is this Seed Money I learned of?
- 5.2 I heard that I could get grants?
- 5.3 How do memberships work for Chapters?
- 5.4 I saw some Chapters use sponsorships, what is this?
- 5.5 Who writes the sponsorship document?
- 5.6 What can I offer in return for sponsorships?
- 5.7 Wait, I thought I could not send my own contracts?
- 5.8 Who do I send Sponsorship contracts to?
- 6 The Reimbursement Process
- 7 Basics of the Wiki
How to Start a Chapter
Finding an OWASP Chapter
Before applying to start an OWASP Chapter, please check the OWASP Chapter page.
How do you choose where to start another Chapter?
OWASP Chapters are started by volunteers passionate about helping to develop a security-inclusive culture within their geographic area. When a potential Leader asks to start a new chapter, we first evaluate the location to make sure that it is not too close to an existing Chapter.
The evaluation takes the size of the local tech scene and travel time to existing Chapters into account. What counts as a reasonable travel time varies with each local area, but as a basic guide, anything under 2 hours of travel time between areas will result in us looking closer and contacting the existing local Chapter Leaders to ensure that we will not strangle existing Chapters by spreading their membership too thin.
Okay, there are no Chapters near me, how do I get started?
The next step is that you will be invited to an orientation to help you plan your Chapter's beginning.
I was told my proposed Chapter was too close to an existing Chapter?
If your proposed Chapter is too close to an existing chapter, we will not be able to create it. However, you will be introduced to all of the nearest Chapter Leaders so that you can work to volunteer in the most applicable chapter.
I want a nation/regional/state/province wide Chapter
OWASP had a history of giving the first chapter in a nation the name of that country. However, as we are growing rapidly, we have discontinued this and now name Chapters after the local city.
OWASP also maintains a policy of allowing Chapters to start small and grow or combine to cover larger areas. This means that Chapters cannot start by covering larger areas unless they show stable growth for their existing Chapter and show a plan to cover the different areas in their expanded geographic territory.
Choosing your Chapter's Audience
Most chapters choose to aim their content at a combination of security professionals and developers. Some choose to aim specifically at one or the other. Some chapters reach out to new AppSec Departments and managers to offer training to their teams. Many chapters work with their local universities to train students in AppSec, with the aim of either bringing students directly into AppSec or ensuring that the next generation includes security throughout the entire SDLC and encouraging a DevSecOps mentality.
It is important to note that when starting a chapter it is best to tailor your content to the audience that exists and grow that audience in the direction that is both best for the Chapter and most interesting to you.
Your Chapter's wiki page
Your Chapter's wiki is the record of all chapter activities. If you host a meeting or event that is not on the Chapter wiki page, it never happened. If your Chapter grows large enough to need self-governance, you must develop those rules in concert with your membership and post them on the Chapter wiki page. If this information is not on the Chapter wiki page, it cannot be taken into account should a complaint be made.
What types of meetings should my Chapter have?
Common meeting types include:
- Having 1-3 speakers with slide decks, Q&A, and light networking afterwards. This is the most common type of meeting and often considered the best for frequent use.
Supplementary meeting types include:
- Often used to supplement other meetings during months when another type of meeting is not happening, during a celebration, or in conjunction with other meetings
- Capture the flag and other competitive events
- Mentoring programs or sessions
- Hackathon (you can look at helping local not-for-profits or OWASP projects)
- Study groups
- Panels
No matter what type of meetings you host, they must be free unless special arrangements are made ahead of time with the foundation staff. Many chapters find it helpful to encourage new people by inviting them to report interesting news bites or seek help from a committee to perfect presentations.
My Chapter wants to host an event. How do we get started?
The purpose of chapters is to create a local community that can support and evangelize Application Security. We suggest that the best way to do this is to focus on growing a thriving community rather than focusing on hosting a large event in the first year.
That said, you can find all of the information you need about hosting an event on the How to Host a Conference page.
I want to grow my Chapter larger, do you have ideas that can help me?
Basic Meeting Rules
How many meetings per year do we need to host?
To be considered active, all chapters must host at least 4 meetings per year. All of the meeting types listed above, plus many more, are considered meetings in this count. Additionally, one regional or local event per year will also count as a meeting. In the case of National Chapters, local meetings also count towards the 4.
The reason we chose 4 meetings per year as the minimum number of meetings is that it takes this number of meetings to help create regular attendees who are attached to the Chapter's success. Having fewer meetings is both a sign of a failing chapter and often a cause of a failing chapter. Because of this, chapters who host fewer meetings will be counselled to help them find the best way of addressing their needs.
So after our 4 meetings can we charge to raise money for funds?
NO. Chapters can only charge for very specific reasons that are based on the content of the event. You can charge for training events, conferences, and particularly expensive speakers. If you have any questions you can send them to the staff using the Contact Us form.
Why do I need to post information on my wiki?
OWASP is an open organization. All information about your chapter must be put on the wiki. Furthermore, it is important to remember that for many people, the OWASP wiki is the first way they will encounter your Chapter. Most of the requests for chapters are actually for chapters that currently exist, but have no updates on the wiki.
Furthermore, more people would be interested and willing to devote time and energy to your Chapter if they can see a history of successful meetings, events, and governance.
What do you mean by "Free and Open?"
Being free and open means that meetings and resources must be free, and open to all who wish to come. Being open means that information about meetings and other events or resources must be accessible. Maximum accessibility means having all of the information on the wiki early enough that people can plan to access the meetings.
What is Vendor Neutrality?
OWASP is vendor neutral. That means nothing we do can appear to support a particular vendor, and nothing vendors do can claim that we support them.
- You can ask people to speak about what they do, but they cannot:
  - Present a sales pitch
  - Discuss paid products in a way that is only valuable to their customers
  - Brand their talk
  - Request our mailing lists
- They can speak about:
  - Technical challenges and how they solved them
  - Security processes and how they developed them
  - Open source tools and how they used them
  - Learning, Educational, best practices, industry trends, etc.
- If a speaker would like to offer a business card drawing or other method to get emails, it must be clear that participation is optional
- The speaker can have their company’s logo on the first slide, but every other slide must be either unbranded or OWASP branded.
My chapter would like to sign this contract/accept this donation, how do I do it?
Chapters are not their own organizations and therefore are not allowed to accept money on their own. Funds must be submitted first to the foundation and will then be set aside for your chapter.
Similarly, chapters are not legal entities and cannot sign contracts. All contracts must be signed by the foundation.