Chapter Handbook: FAQ
- 1 How to Start a Chapter
- 2 Getting Started
- 3 Basic Meeting Rules
- 3.1 How many meetings per year do we need to host?
- 3.2 So after our 4 meetings can we charge to raise money for funds?
- 3.3 Why do I need to post information on my wiki?
- 3.4 What do you mean by "Free and Open?"
- 3.5 What is Vendor Neutrality?
- 3.6 My chapter would like to sign this contract/accept this donation, how do I do it?
- 4 Social Media for Chapters
- 5 Funding
- 5.1 What is this Seed Money I learned of?
- 5.2 I heard that I could get grants?
- 5.3 How do memberships work for Chapters?
- 5.4 I saw some Chapters use sponsorships, what is this?
- 5.5 Who writes the sponsorship document?
- 5.6 What can I offer in return for sponsorships?
- 5.7 Wait, I thought I could not send my own contracts?
- 5.8 Who do I send Sponsorship contracts to?
- 6 The Reimbursement Process
- 7 Basics of the Wiki
How to Start a Chapter
Finding an OWASP Chapter
Before applying for an OWASP Chapter, please check the OWASP Chapter page.
How do you choose where to start another Chapter?
OWASP Chapters are started by volunteers passionate about helping to develop a security-inclusive culture within their geographic area. When a potential Leader asks to start a new chapter, we first evaluate the location to make sure that it is not too close to an existing Chapter.
The evaluation takes the size of the local tech scene and travel time to existing Chapters into account. While what is considered a reasonable travel time changes with each local area, a handy basic understanding is that anything under 2 hours travel time between areas will result in us looking closer and contacting the existing local Chapter Leaders to ensure that we will not strangle existing Chapters by spreading their membership too thin.
Okay, there are no Chapters near me, how do I get started?
The next step is that you will be invited to an orientation to help you plan your Chapter's beginning.
I was told my proposed Chapter was too close to an existing Chapter?
If your proposed Chapter is too close to an existing chapter, we will not be able to create it. However, you will be introduced to all of the nearest Chapter Leaders so that you can work to volunteer in the most applicable chapter.
I want a nation/regional/state/province wide Chapter
OWASP had a history of giving the first chapter in a nation the name of that country; however, as we are growing rapidly, we have discontinued this and now name Chapters after the local city.
OWASP also maintains a policy of allowing Chapters to start small and grow or combine to cover larger areas. This means that Chapters cannot start by covering larger areas unless they show stable growth for their existing Chapter and show a plan to cover the different areas in their expanded geographic territory.
Choosing your Chapter's Audience
Most chapters choose to aim their content at a combination of security professionals and developers. Some choose to aim specifically at one or the other. Some chapters reach out to new AppSec Departments and managers to offer training to their teams. Many chapters work with their local universities to train students in AppSec, with the aim of either bringing students directly into AppSec or ensuring that the next generation includes security throughout the entire SDLC and encouraging a DevSecOps mentality.
It is important to note that when starting a chapter it is best to tailor your content to the audience that exists and grow that audience in the direction that is both best for the Chapter and most interesting to you.
Your Chapter's wiki page
Your Chapter's wiki is the record of all chapter activities. If you host a meeting or event that is not on the Chapter wiki, it never happened. If your Chapter grows large enough to need self-governance, you must develop those rules in concert with your membership and post them on the Chapter wiki page. If this information is not on the Chapter wiki page, it cannot be taken into account should a complaint be made.
What types of meetings should my Chapter have?
Common meeting types include:
- Having 1-3 speakers with slide decks, Q&A, and light networking afterwards. This is the most common type of meeting and often considered the best for frequent use.
Supplementary meeting types include:
- Often used to supplement other meetings during months when another type of meeting is not happening, during a celebration, or in conjunction with other meetings
- Capture the flag and other competitive events
- Mentoring programs or sessions
- Hackathon (you can look at helping local not-for-profits or OWASP projects)
- Study groups
No matter what type of meetings you host they must be free unless special arrangements are made ahead of time with the foundation staff. Many chapters find it helpful to encourage new people by inviting them to report interesting news bites or seek help from a committee to perfect presentations.
My Chapter wants to host an event. How do we get started?
The purpose of chapters is to create a local community that can support and evangelize Application Security. We suggest that the best way to do this is to focus on growing a thriving community rather than focusing on hosting a large event in the first year.
That said, you can find all of the information you need about hosting an event on the How to Host a Conference page.
I want to grow my Chapter larger, do you have ideas that can help me?
Basic Meeting Rules
How many meetings per year do we need to host?
To be considered active, all chapters must host at least 4 meetings per year. All of the meeting types listed above, plus many more, are considered meetings in this count. Additionally, one regional or local event per year will also count as a meeting. In the case of National Chapters, local meetings also count towards the 4.
The reason we chose 4 meetings per year as the minimum number of meetings is that it takes this number of meetings to help create regular attendees who are attached to the Chapter's success. Having fewer meetings is both a sign of a failing chapter and often a cause of a failing chapter. Because of this, chapters that host fewer meetings will be counselled to help them find the best way of addressing their needs.
So after our 4 meetings can we charge to raise money for funds?
NO. Chapters can only charge for very specific reasons that are based on the content of the event. You can charge for training events, conferences, and particularly expensive speakers. If you have any questions you can send them to the staff using the Contact Us form.
Why do I need to post information on my wiki?
OWASP is an open organization. All information about your chapter must be put on the wiki. Furthermore, it is important to remember that for many people, the OWASP wiki is the first way they will encounter your Chapter. Most of the requests for chapters are actually for chapters that currently exist, but have no updates on the wiki.
Furthermore, more people would be interested and willing to devote time and energy to your Chapter if they can see a history of successful meetings, events, and governance.
What do you mean by "Free and Open?"
Being free and open means that meetings and resources must be free, and open to all who wish to come. Being open means that information about meetings and other events or resources must be accessible. Maximum accessibility means having all of the information on the wiki early enough that people can plan to access the meetings.
What is Vendor Neutrality?
OWASP is vendor neutral. That means nothing we do can appear to support a particular vendor, and nothing vendors do can claim that we support them.
- You can ask people to speak about what they do, but they cannot:
  - Present a sales pitch
  - Discuss paid products in a way that is only valuable to their customers
  - Brand their talk
  - Request our mailing lists
- They can speak about:
  - Technical challenges and how they solved them
  - Security processes and how they developed them
  - Open source tools and how they used them
  - Learning, educational topics, best practices, industry trends, etc.
- If a speaker would like to offer a business card drawing or other method to get emails, it must be clear that participation is optional.
- The speaker can have their company’s logo on the first slide, but every other slide must be either unbranded or OWASP branded.
My chapter would like to sign this contract/accept this donation, how do I do it?
Chapters are not their own organizations and therefore are not allowed to accept money on their own. Funds must be submitted first to the foundation and will then be set aside for your chapter.
Similarly, chapters are not legal entities and cannot sign contracts. All contracts must be signed by the foundation.
Social Media for Chapters
All new Chapters who wish to have a MeetUp account must do so through the OWASP MeetUp Pro account. Chapters with existing MeetUp accounts are also encouraged to join the MeetUp Pro account. All Chapters in MeetUp Pro will have their fees covered by the Foundation rather than their own Chapter funds.
Great, but how do I get on the OWASP MeetUp Pro account?
If you already have a meetup account
Invite the OWASP Foundation to join your group. You will need to follow these steps to move the meetup over to the main OWASP Account. Do not worry: while you will be replacing yourself as the main organizer, according to our representative you will still have access to the account as an organizer, and as per OWASP rules the account will still be managed by you as a chapter asset.
If you have paid for a new subscription immediately before changing over, follow these instructions for a refund:
1. Log into your Meetup account
2. Go to your subscription page here: https://www.meetup.com/account/subscription/
3. Click on 'Cancel subscription'
If you do not have a meetup account
Please use the Contact Us form to send the Community Manager a short statement describing who should come to your events and the city in which most of your events will take place. Examples of the statement include:
- The Open Web Application Security Project (OWASP) is a not-for-profit, worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
- OWASP is a thriving global community that drives visibility and evolution in the safety and security of the world’s software. We hold meetings for like-minded security and development professionals to discuss security from a range of perspectives. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open-source software projects, OWASP produces many types of materials in a collaborative and open way.
- This is the meetup headquarters for the Bay Area chapter of the Open Web Application Security Project (OWASP). This group is dedicated to bringing together the massive amount of Bay Area web application security talent and interest in the form of presentations, talks, conferences, and any other kind of get-together we want to come up with. We're looking to facilitate all types of meetings between members, from formal conferences to little meetups at a Bay Area coffee shop. The key advantage of meetup.com is that we can benefit from the shared calendar, which is available via iCal, Google Calendar, etc. We encourage you to get involved in every way possible. Recommend events, put together a local meetup at a coffee shop, restaurant, or bar, or put together a talk to present at one of these venues. We look forward to hearing from you and seeing you at a local event!
I want to host an event, how do I set up registration?
All registration systems that accept funds must be set up on the OWASP Foundation's account. Just remember that your chapter is not a legal entity in its own right, but rather it is more like a department.
Social Media Contract
What is this Seed Money I learned of?
When a chapter has at least two leaders, the OWASP Foundation will give it $500 seed money. This money will be replaced at the beginning of every year. For example, if in January you have $499 in your account, OWASP will add $1 to bring you up to $500. If you have $1 in your account, we will add $499 to bring you up to $500.
I heard that I could get grants?
You can ask the foundation for up to $500 (USD) up to 4 times per year.
How do memberships work for Chapters?
I saw some Chapters use sponsorships, what is this?
- Sponsorships started out as an option for businesses that could not afford a corporate membership. Since then, however, some sponsors share much more than that.
- To get a sponsorship, you first write a sponsorship document (you can use the Contact Us form to ask Tiffany to help on this) and then submit it to Kelly through the Contact Us form. You can also post it on your wiki page and send it to local companies.
- You can also ask for an in-kind sponsorship. For example, the Ottawa chapter has an in-kind sponsorship with a company which provides them with a room to meet in, the AV equipment to host meetings, snacks, and soft drinks. The certainty of having a stable location to meet is important to them (in contrast to chapters that move about from venue to venue).
Who writes the sponsorship document?
What can I offer in return for sponsorships?
You can offer a number of things: a logo on the wiki page, thanking them in a certain number of meetings, allowing a (small) table in a certain number of meetings, etc.
Wait, I thought I could not send my own contracts?
You cannot. However, when you are happy with your final draft of the contract, you can send it to the Membership and Business Liaison. They will then send you the official contract to post on your wiki and send to prospective sponsors.
Who do I send Sponsorship contracts to?
You can send the Sponsorship contracts to any prospective sponsor. You can also ask the Membership and Business Liaison to send them to her contact list.
The Reimbursement Process
How do I spend money?
- All funds must go through a reimbursement process. Here is the process if you have no funds in your account and would like a grant:
  - Request funds with details of what you wish and how much it costs.
  - Pay out of pocket.
  - Submit for reimbursement.
Process for chapters with money in their accounts:
- Anything spent to facilitate a meeting, such as the following, is considered whitelisted and may go through only the reimbursement system as long as the cost is under $500 USD:
  - Speaker fees
  - Travel fees
- Anything that costs $500 USD or more must go through the request system.
You can find more information at the OWASP Funding page.
What can I spend money on?
You can spend money on anything it takes to run your chapter. Ideas include:
- Speaker fees
- Travel fees
- Equipment for the Chapter
How long does it take to be paid?
How does my money come in?
You will be given the opportunity to choose whether to use a wire transfer or PayPal.
Basics of the Wiki
How can I get a wiki account?
You can apply for a login and password for the OWASP Wiki by filling out the application here. Due to a temporary problem with spam, please use the Contact Us form to let us know once you are done so that we may expedite your request.
What should I post on the wiki?
You should post all chapter events as far in advance as possible. You should also list all chapter social media, calls for volunteers, and chapter specific governance.
Why should I post on the wiki?
Posting on the wiki gives anyone interested in your Chapter a central location to learn about your chapter. This activity is central to making sure that your Chapter is following the OWASP Principles of being free and open.
How do I edit the wiki?
You can find a Tutorial here.