Global Membership Committee Meeting Notes March 20, 2012

Membership Committee Monthly Call Date: March 20, 2012

Time: 12 noon EST

Location: 1. Please join my meeting, Tuesday, March 20, 2012 at 12:00 PM Eastern Daylight Time. https://www3.gotomeeting.com/join/519737486

2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.

Australia: +61 (0) 2 8014 4934 Austria: +43 (0) 7 2088 1399 Belgium: +32 (0) 38 08 1855 Canada: +1 (416) 900-1164 Denmark: +45 (0) 69 91 88 61 Finland: +358 (0) 942 41 5777 France: +33 (0) 182 880 455 Germany: +49 (0) 898 7806 6460 Ireland: +353 (0) 14 845 975 Italy: +39 0 699 36 98 80 Netherlands: +31 (0) 708 912 514 New Zealand: +64 (0) 9 909 7882 Norway: +47 21 03 58 95 Spain: +34 931 81 6668 Sweden: +46 (0) 852 503 498 Switzerland: +41 (0) 435 0167 07 United Kingdom: +44 (0) 203 535 0622 United States: +1 (786) 358-5411

Access Code: 519-737-486 Audio PIN: Shown after joining the meeting

Meeting ID: 519-737-486

Attendees:

Kelly Santalucia

Kate Hartmann

Helen Gao

Dan Cornell

Ofer Maor

Gandhi Narasimha

Notes:

1. Will Bechtel from Qualys Award Proposal

• What is the Issue / Goal:

1.Recognize unsung heros of Web Application Security 2.OWASP Awards (Web Application Security Person of the Year) 3. Award - statue like oscars but with the WASP, write up on OWASP website and referenced on Qualys website as well 4. Selection Criteria: work or involvement in web application security, local involvement. Not a nationally recognized personality. 5. Chapters elect local winners during summer months. We provide rules (selection criteria, etc) for chapters to conduct vote. After all chapters have selected winners (by a cut-off date) OWASP board reviews criteria and chapter winners and pick 5 chapter winners as national finalists. Finalists invited to OWASP Annual Conference in Austin. Membership attending conference vote for National winner. All finalists get iPad. Winner gets something extra, big feature on website and large OWASP award.

• Dan is concerned how much support we would get from the local chapters. It was a challenge last year at AppSecUSA 2011 in MN when Kate tried to do the sort of the same thing last year.
• Kate says that there was not much participation last year. She went to the committee chairs for nominees. Kate questions "why are doing this with Qualys" She expressed she is not comfortable doing a member of the year award with a corporate supporter. If it was just OWASP involved, she is all for it, but not if a corporate supporter is driving it.
• Kelly - Qualys just thinks it is a good idea to do.
• Kate - agrees and is into giving out awards, just opposed to it being given out by a corporate supporter. If it is foundation driven she is behind it 100%.
• Helen - If it is a good idea it does not matter where it is driven from exterior or interior. She thinks their part is to provide the sponsorship.
• Kelly - This is all the information I have and as soon as I have more information I will be sure to pass it along to the GMC. We can wait on this until more information is available from Will.
• GMC - agrees to wait for more specifics on the proposal

2. Linkedin Currently OWASP has a Linkedin group that was created years ago and its free and open. Recently Michael Coates proposed a member only subgroup.

• Dan - believes it looks like a badge that goes on a current member of OWASP's profile in Linkedin. There is no secret discussion in regards to this group. All content must be available to everyone in and outside the group.
• Helen - What value does it add?
• Dan - just a badge on your linkedin page
• Helen - does it create any technical issues
• Kelly - is fine with keeping track of this and will work with Michael on the process. Expiring members might be an issue but I can work with Michael on it.
• Ofer - as long as it does not come instead of what we have now. If it does come instead of what we have now it would not be good. We could use any publicity we can get.
• Kelly - Believes Michael referred it to the same thing as a membership card only digital
• Helen - We should spread OWASP and give as many perks as we can. It is very tricky and is a little concerned with the honorary membership.
• Gandhai- what if someone is not a member but wants to be included in subgroup as a supporter not a paid member?
• Helen - defines a supporter to: voting rights, membership...anyone who has supported OWASP as a chapter leader, project leader. Members defined to voting rights and money.
• Kelly - keep it the same as a membership card. We are not hiding anything from anyone, just a replacement for the card.
• Gandhi- we need to make the message clear this is not exclusive

3. Bundle Membership We have decided in the last meeting to test the water by adding "for groups of 3 or more contact Kelly" to the new individual membership page. Helen will send to all committee and leaders for feedback. Review in 3 months. If feedback is positive then add to individual membership page as well as corporate membership page. The goal is to encourage corporate sponsored individual memberships.

• Dan - the only concern he has is that we have had interest in the past from big corporations who have wanted to buy 10000 memberships. It gives that corporation a crazy disproportion in voting powers.
• Ofer - they can do that today
• Helen - we are here to stop abuse of this benefit
• Ofer - will figure out a solution should this issue arise
• Kelly - can we put a cap on membership? Say only allow them to purchase a bulk membership up to 50 individual membership.
• Dan - there was a request before when a corporation wanted to purchase 10000 memberships for their developers. Membership gets tied specifically with voting and if we make it easy for them to buy large blocks of votes it will impact the election. He likes the idea of having other people getting involved in OWASP, but they would also be entitled to voting rights. Dan has yet to think of a way to prevent them from impacting the election.
• Kelly - can we make group memberships not have voting rights?
• Dan - voting is the only thing that is tangible that we can restrict non-members from voting. I don't think this is something we can handle.
• Helen - say I buy 10000 memberships, we verify each membership email is associated with a valid person. Would that help prevent abuse?
• Ofer - not really because they could instruct their people how to vote. I think the most concerning than an actually organization viciously trying to buy OWASP. Say I am KPMG and I buy all my global security consultants worldwide a membership say 500 people. Now there is a election and a KPMG person is running for the board. Then we have a shift in power just because we have one candidate who is running and they have their people vote for him.
• Dan - is less concerned of someone maliciously doing this and more concerned we look at our electorate and there is 1500 people who were previously members that were spread across the industry and then all the sudden there are 1000 new ones, so we have 40% of the electorate comes from one organization. That is just a very scewed voting profile. Maybe people could order large mass of books to spread awareness, rather than allowing them to purchase membership in bulk. He is concerned that if we make it easy for people to buy memberships in bulk that membership is tied to voting and if we try to separate the two it put us in a not so good situation. We should not make it easy to mass buy membership.
• Ofer - what if we people were able to vote only if they have been very active in OWASP over the past year. The problem with this is how to keep track of it.
• Helen - Summery of Bundle Membership: seems like a good idea to increase membership, but the biggest concern is how to prevent it from scewing the election. Put on hold and continue discussion in email

4. Value of Membership Project

• Kelly - composed a couple survey questions to be answered by the board and committee leaders. Take the questions and answers and draft a script to be sent to the board for approval. Once approved, have a video made to post on the membership page. This is for both corporate and individual membership. If we have to, we can make two videos, but want to collect all the information at one time.

Is everyone fine with me sending this to the board and committee leaders? Yes from all

• Ofer had to drop off

5. The new Partner supporter Helen will follow up with contacts for each Partner supporter and candidate.

• Helen - needs to present it to the board and receive final approval

6. New Membership homepage

• Helen - will send a proposal to the board for approval to go live
• Gandhai - agrees
• Dan - Did we change the names of some supporters?
• Helen - the only name changes should be barter to partner
• Dan - Barter and Trade doc will need to be updated. Dan will update this document

7. Membership Slides

• Kelly - created some membership slides to be approved by the board to then be sent to all chapter leaders asking them to present them at the beginning of their chapter meetings. In hopes to help promote membership. The graph on the slide will be updated every 3 months.
• Helen - agrees
• Dan - Did we update our mission?
• Kelly - The mission statement was taken right off the OWASP home page
• Dan - agrees

8. Promotional Material

• Kelly - membership flyer that has been created for some chapters who have been asking for some membership material.
• Helen - this is the first membership flyer she has ever seen
• Kelly - needs a graphic arts' touch, but it serves the purpose for now.
• Helen - suggests we should send it to all chapter leaders
• Dan - fine
• Gandhai - fine

9. New membership revocation web page Will present in the next board meeting. Ran out of time in the last board meeting.

• Helen - Thanks to Dan for creating this
• Dan - mainly Tom Brennan, but Dan cleaned it up a bit
• Helen - the next board meeting Helen will present it. It is a very timely piece of material and should go live sooner than later.
• Kelly - agree
• Dan - agree
• Gandhi - agree