This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Board Meeting December 1, 2009 Agenda"

From OWASP
Edit summary (minor edit): Brazil Conference Issues: Added link to AppSec Brazil 2009 report
 
(32 intermediate revisions by 8 users not shown)
Text that was in the previous revision and is removed or reworded by this edit (the latest revision is rendered in full below):

Membership - Election: Wrap of election process, from Dan Cornell

- We didn't have a strong policy on who would be allowed to vote and that led to some confusion during the election and could have led to a lot of troubles. For example, the current Board was added to the election process during the conference whereas the previous decision had been to have them not vote. One person had contributed to OWASP for several years, but did not meet the specific criteria but we set them up with a vote anyway. Two people renewed their expired memberships during the election and were also given a vote. None of these decisions were necessarily wrong, but it would have been good to enumerate our policies publicly beforehand so that less was left to discretion during the election.

- It was hard to collect accurate info about the voters - most specifically their email addresses. We actually had one of the candidates' emails (Eoin's) incorrect as well as a number of bounced emails from well-known OWASP contributors such as Alex Smolen. Tom Brennan's work with Salesforce.com may help in this area as we will have a single repository of people's "true" contact information.

- We had one identified problem with people not receiving ballot emails (John Steven) and possibly others that went unreported. The assumption is that some sort of edge spam filter caught the message at a point where it could not be found later. This is hard to combat as OWASP is a virtual organization and we need to rely on email to communicate. Calling or snail mailing every member is not a practical alternative.

- There was no up-front policy on how we let folks campaign. Was the wiki the only place to post the info or was emailing the Leaders list acceptable as well? We ended up with some traffic on the mailing list toward (and past) the end of voting. No one complained about the use of the leaders list, but I could see a world where that might have rubbed some folks the wrong way.

- There was some dissatisfaction (one person) who did not want to have to vote for two candidates because they only knew one of the candidates and did not want to vote for someone they did not know. That is a fair input although I'm not sure that we should necessarily change our policy next time. After all - many voters might not have met any of the candidates, but could have voted after reviewing their position information on the wiki.

- We needed a better plan for how to certify and disseminate the results. What we did was ad hoc (calls, emails to candidates, emails to lists) and that could have been pre-planned. Prior planning would have let us disseminate the results more quickly.

- We used VoteNet's password generation and mass email service for the first email and that cost an extra $350 (I think). That probably could have been avoided, as I wrote a Perl script (attached) to send the subsequent mass emails.

- VoteNet's application apparently doesn't work well in Google Chrome. Not the worst problem in the world, but something to note.

- I would have preferred to have been able to do some security testing of the voting solution prior to the vote. I'm not sure that is practical from what is really a pretty entry-level voting solution - the VoteNet folks wouldn't let us run a test election which isn't surprising because of the cost of the election product we used. If we were spending $5k for a vote then perhaps, but for a couple hundred dollars this is more of a transactional sale. Everyone appeared to be well behaved this time around, but that doesn't have to be the case. I guess I'm glad we're a "Builder" community rather than a "Breaker" community :)

- The VoteNet folks were very helpful and responsive. My interactions with Caitlyn Radack (cradack@votenet.com) for sales and with Ramon Graham ([email protected]) for support were all very positive. They turned around the password generation and mass email ahead of their typical two business day timeframe.

- We (well, I) made the decision to make the election anonymous and therefore not auditable. I think that was the right call, but might be something to discuss in the future. Also the results were not available until the end of the election and I think that was appropriate so we didn't see any bias introduced where folks selected their votes based on the current leaders in the election.

Other previous-revision lines dropped or reworded by this edit:

- Old Business: the RFQ item previously linked to https://docs.google.com/a/owasp.org/Doc?id=dhtj4s2_1crpq2jcd&hl=en
- Conferences: Summit - Recap; AppSec DC - Recap; Videos Online ETA?
- Projects: SOC 90K pending release of budget?? - Update (http://www.owasp.org/index.php/OWASP_Board_Meetings_June_09)
- Other: New committee - Dinis (Connections committee)

Latest revision as of 22:19, 22 December 2009

AGENDA

http://www.owasp.org/index.php/OWASP_Board_Meetings

Please review the progress of the Global Committees at http://www.owasp.org/index.php/Global_Committee_Pages and prepare your status report on old business and new business.

When: Tue Dec 1, 5pm – 6pm GMT (no daylight saving)

Where: 1-866-534-4754 Code: 7452912855

MEETING LEADER: Jeff Williams

IDEA CATCHER: Kate Hartman

OLD BUSINESS

2009 Review of outstanding items

Outstanding items for 2010

  • RFQ Outsourcing OWASP Website/Mailing Lists etc & Larry Support
    • Question: Is the scope of this RFQ just the OWASP archive proposed by Matt Tesauro or all of the OWASP IT infrastructure?
  • Correction: Banner Ads (see http://www.owasp.org/index.php/OWASP_Board_Meeting_August_09)

NEW BUSINESS

  • Welcome New Board Members - Matt Tesauro and Eoin Keary
  • OotM Budget + request by NL & IBWAS for Kuai
  • OWASP Certification position vote

Finance Report

- YTD

- 2010 Budget

P&L as of Nov 2009

- Proposal - The Foundation should produce an annual report similar to http://upload.wikimedia.org/wikipedia/foundation/2/26/WMF_20072008_Annual_report._high_resolution.pdf.  I suggest that we draft one (many of the materials are available) and target a Q1 release - perhaps along with the T10.


Committee Reports

- Please review Global Committee Reports before meeting

- Board Member 3 Month Rotation of Global Committees Oversight (Draw Straws)


Membership Committee

- Membership Report 755 - Alison Report

- Linked'In OWASP Group Members = 4718


OWASP Election Process

- Proposal to adopt the process followed in the recent board election as OWASP's standard election process, with action items for the membership committee to resolve before the next election:

  • examine the policies around who will be allowed to vote
  • work on email address problems (including mass email service)
  • define policies surrounding campaigning
  • explore "approval voting" instead of the mandatory 2-candidate vote policy
  • define process for releasing the results
  • work with voting system vendor to do security testing?


Brazil Conference Issues

Discuss the resolution of issues raised about AppSec Brazil

Can we be more specific about the recommended actions here so the board can approve?

Done below. --Mtesauro 23:54, 30 November 2009 (UTC)

(1) Determine the group that should resolve the raised issues

  • A group consisting of at least 1 board member and several committee representatives should be created to resolve the issues
    • I suggested that Jeff Williams be considered for the Board representation since he has a legal background.
  • Exclude from the group any person who attended the event to remove any question of bias
    • Board members Dinis Cruz and Matt Tesauro should be excluded from further involvement since both attended the event
    • Any committee member that attended should also be excluded - e.g. Pravir Chandra


(2) Produce a document of the situation and resolution determined by the group chosen above.

  • The group should review the collected data, further discuss with the parties as necessary with the goal of documenting the situation and outcome


(3) Where needed, recommendations to avoid these issues in future should be presented to the board and the appropriate committee(s)


Google doc with background information

Update: The group has produced a report here --Mtesauro 22:19, 22 December 2009 (UTC)


2009 Summit

AppSec DC

- Profit Loss Report

- Is there interest in an Annual OWASP Federal Conference in DC?

- Videos of APPSEC DC Summit online ETA?



Training Conference Idea

- Proposal to offer "OWASP" courses or training conferences in major cities. Not certification, but evangelism through instruction (McGovern). Allows OWASP to become the "body of knowledge" without providing a type of certification. Cover trainer costs with a 25/75 revenue split. Model: Trainer Joe teaches a one day class in Austin. $675 x 10 students = $6750. Joe's expenses = $1000. Net $5750 split: 25% to Joe = $1437.50, 75% to the Foundation = $4312.50. Pricing variable as a possible added benefit to corporate sponsors? Earmark funds for SOC or Public Relations?

- 2010 Agenda

- Proposal for 2011 Summit/Conference - Las Vegas


Chapters Committee

2010 focus:

  • Identify & reactivate inactive chapters
  • Actively support chapters with mentorship- and speaker program
  • Roll out College OWASP Education kit through chapters


- How many active chapters? How many leaders showed up at Summit from them? What is action here?

- Start "OWASP College Chapters" program. Provide a full "kit" of materials to college student chapter leads. Goal is to get a touchpoint in every college with a CS department around the world. Chapter goals are to raise OWASP awareness by students and to influence the curriculum.

Education Committee

- The Certification Update

- Proposed statement about OWASP getting involved in certification.

2010 focus:

  • academic outreach
    • Increase # academic members
    • Introduce OWASP material into curricula
    • Support Appsec research grants for students
    • Organise events at universities
    • Participation in research programs (e.g. advisory boards)
  • OWASP BootCamp
  • Roll out College OWASP Education kit through chapters

Projects Committee

- Proposal to start SOC with 90K grant Update

- OWASP-CRM Project - Overview/Update/Roll-out for OWASP Foundation - click here

- OWASP.COM Google Domain what is action?

- Proposal to start a "Provider Registry" for ASVS - http://code.google.com/p/owasp-project-management/wiki/Providers. Personally, I'm not sure that it's a great idea. Without some attestation as to the skills of the organization, it's essentially worthless. And I don't think that OWASP is in a good position either philosophically or organizationally to be doing reviews of organizations' skills. To me, this is just like certification. We shouldn't do it, but it might be ok for us to define some criteria for organizations that do it. So I can imagine an "Application Security Verifier Criteria" that lists certain criteria for performing verification services (years of experience, number of apps, OWASP member, OWASP contributor, number of confirmed vulnerabilities found, platforms supported, ASVS levels supported, etc...)

- GPC's State of Affairs:
  • Participation at IBWAS09 (OWASP AppSec Iberia 2009)
  • Reviewers Drive: http://globalprojectscommittee.wordpress.com/2009/11/27/new-drive-for-project-reviewers/
  • On its way is the work to finish up the release template associated with the new project details page - after completion all the project details pages should be linked with each and all projects' pages
  • One project - OWASP JBroFuzz - has already been assessed against the new assessment criteria 2.0
  • Five projects under assessment (see the OWASP Projects Dashboard)
  • Two new projects recently set up:
    • OWASP Security Assurance Testing of Virtual Worlds, led by Rick Zhong
    • OWASP Computer Based Training Project (OWASP CBT Project), led by Nishi Kumar

Industry Committee

- Public Relations

- Special Interest Groups (result of summit) click here


OWASP Industry Outreach (OIO) -EK

A few ideas in relation to the industry outreach idea:

Objective: For OWASP to listen to industry, government, national enterprise state bodies and other standards organisations in relation to "what are the real problems facing you?", "How can OWASP help?" and "How do we mature web application security?", and to define a roadmap consisting of both short term and long term goals. Short term goals must support the longer term objectives.

Limit the activities defined to a very short list that is achievable and measurable within one calendar year.

1. Invite-only event + limited OWASP leaders (can't overwhelm the event with OWASP delegates!)

2. Identifying a cross-section from many verticals (Gov, FS, Energy, Transport, Telecoms, Dev, Retail, etc). Might have a break-out session for each of the industry verticals: a closed session where delegates can openly discuss the issues and challenges facing them. Limited to 2 hours. Each group session nominates a delegate to present findings to the whole group (all delegates).

3. NDA/Code of conduct doc to be signed by ALL delegates. Organizations won't send delegates or speak openly unless there is some form of information control.

4. Wider meeting & presentations (from majority industry delegates and some OWASP) to all attendees on what issues they have, in order of priority - we listen to industry.

5. OWASP Board Panel discussion

6. OWASP industry panel meeting discussion

7. Agree and define a road map for OWASP & Industry supporting each other.

8. This may/should increase corporate sponsorship if delegates get something out of it and make OWASP more relevant to industry.

"Currently Security conferences are presented by security people to security people. The Industry outreach programme is an attempt to change this model."


OTHER

  • New committee: OWASP Connections Committee
  • Linked'In Group: 4715 Members of Linked'In Group (http://www.linkedin.com/groups?gid=36874&trk=hb_side_g); 37 Moderators co-sysops for discussion groups
  • Public Relations: OWASP Newsletter (http://www.owasp.org/index.php/Category:OWASP_Newsletter)
  • Public Relations budget 2010 (what committee?)

CLOSING

-Date/Time of Next Meeting