OWASP Board Meeting December 1, 2009 Agenda
Please review the progress of the Global Committee http://www.owasp.org/index.php/Global_Committee_Pages and prepare your report to status on old business and new business.
When Tue Dec 1 5pm – 6pm GMT (no daylight saving) Where 1-866-534-4754 Code: 7452912855
MEETING LEADER: Jeff Williams
IDEA CATCHER: Kate Hartman
Outstanding items for 2010
- Correction Banner Ads
- Welcome New Board Members - Matt Tesauro and Eoin Keary
- 2010 Budget
- Proposal - The Foundation should produce an annual report similar to http://upload.wikimedia.org/wikipedia/foundation/2/26/WMF_20072008_Annual_report._high_resolution.pdf. I suggest that we draft one (many of the materials are available) and target a Q1 release - perhaps along with the T10.
- Please review Global Committee Reports before meeting
- Board Member 3 Month Rotation of Global Committees Oversight (Draw Straws)
- Membership Report 755 - Alison Report
- Linked'In OWASP Group Members = 4718
OWASP Election Process
- Proposal to adopt the process followed in the recent board election as OWASP's standard election process, with action items for the membership committee to resolve before the next election:
- examine the policies around who will be allowed to vote
- work on email address problems (including mass email service)
- define policies surrounding campaigning
- explore "approval voting" instead of mandatory 2 candidate vote plicy
- define process for releasing the results
- work with voting system vendor to do security testing?
Brazil Conference Issues
Discuss the resolution of issues raised about AppSec Brazil
Can we be more specific about the recommended actions here so the board can approve?
- The issue was initially raised publicly on a couple of mail lists as well as the GPC call on Nov. 23rd
- Matt Tesauro has done the initial data collection about this issue
- Will provide the data collected both in raw and summary form.
- Board members Dinis Cruiz and Matt Tesauro should be excluded from further involvement since both attended the event
- Any committee member that attended should also be excluded - e.g. Pravir Chandra
- A group consisting of at least 1 board member and several committee representatives should be created to resolve these issues
- The group should review the collected data, further discuss with the parties as necessary and document the situation and outcomes
- Additionally, where needed recommendations to avoid these issues in future should be presented to the board and the appropriate committee
- I suggested that Jeff Williams be considered for the Board representation since he has a legal background.
- My initial email to the parties in question will be forwarded to the OWASP Board list for reference.
- Profit Loss Report - Is there interest in Annual OWASP Federal Conference in DC? - Videos of APPSEC DC Summit online ETA ?
Training Conference Idea
- Proposal to offer "OWASP" courses or training conferences in major cities. Not certification, but evangalism through instruction (McGovern). Allows OWASP to become the "body of knowledge" without providing a type of certification. Cover trainer costs with a 25/75 revenue split. Model Trainer Joe teaches a one day class in Austin. $675 X 10 Students = $6750. Joe's expences = $1000. Net split = %25 to Joe - $1437.50 %75 to foundation - $4312.50. Pricing variable as possible added benefit to corporate sponsors? Earmark funds for SOC or Public Relations?
- Proposal for 2011 Summit/Conference - Las Vegas
- How many active chapters? How many leaders showed up at Summit from them? What is action here?
- Start "OWASP College Chapters" program. Provide a full "kit" of materials to college student chapter leads. Goal is to get a touchpoint in every college with a CS department around the world. Chapter goals are to raise OWASP awareness by students and to influence the curriculum.
- The Certification Update
- Proposed statement about OWASP getting involved in certification.
- Proposal to start SOC with 90K grant Update
- OWASP-CRM Project - Overview/Update/Roll-out for OWASP Foundation.
- OWASP.COM Google Domain what is action?
- Proposal to start a "Provider Registry" for ASVS - http://code.google.com/p/owasp-project-management/wiki/Providers. Personally, I'm not sure that it's a great idea. Without some attestation as to the skills of the organization, it's essentially worthless. And I don't think that OWASP is in a good position either philosophically or organizationally to be doing reviews of organization's skills. To me, this is just like certification. We shouldn't do it, but it might be ok for us to define some criteria for organizations that do it. So I can imagine an "Application Security Verifier Criteria" that lists certain criteria for performing verification services (years of experience, number of apps, OWASP member, OWASP contributor, number of confirmed vulnerabilities found, platforms supported, ASVS levels supported, etc...)
- Public Relations
- Special Interest Groups (result of summit) click here
OWASP Industry Outreach (OIO) -EK
A few ideas in relation to the industry outreach idea:
Objective: For OWASP to listen to industry, government, national enterprise state bodies and other standards organisations in relation to "what are the real problems facing you?" & "How can OWASP help?", "How do we mature web application security" To define a roadmap consisting of both short term and long term goals. Short term goals must support the longer term objectives.
Limit the activities defined to a very short list that is achieveable and measureable within one calendar year.
1.Invite-only event + limited OWASP leaders (cant overwhelm event with OWASP delegates!)
2.Identifying a cross-section from many verticals. (Gov, FS, Energy, Transport, Telecoms, Dev, Retail, etc) Might have a break-out session for each of the industry verticals.: Closed session where delegates can discuss openly issues facing them and challenges. Limited to 2 hours. Each group session nominates a delegate to present findings to the whole group (all delegates)
3.NDA/Code of conduct doc to be signed by ALL delegates. Organizations wont send delegates or speak openly unless there is some from of information control.
4.Wider meeting & presentations (from majority industry delegates and some OWASP) to all attendees on what issues they have, in order of priority. - we listen to industry
5.OWASP Board Panel discussion
6.OWASP industry panel meeting discussion
7. Agree and define a road map for OWASP & Industry supporting each other.
8 This may/should increase corporate sponsorship if delegates get something out of it and make OWASP more relevant to industry.
"Currently Security conferences are presented by security people security people. The Industry outreach programme is an attempt to change this model."
-New committee - Dinis (Connections committee)
- Linked'In Group 4715 Members of Linked'In Group 37 Moderators co-sysops for discussion groups
- Public Relations OWASP Newsletter
- Public Relations budget 2010 (what committee)
-Date/Time of Next Meeting