Monday, April 16, 2018

AppSec-Eu 2018 - communication to the community

Dear OWASP community,

The OWASP Foundation board of directors has come to the understanding that previous information that was shared about the move of OWASP AppSec-Eu from Tel Aviv to London has not been received as being open and transparent enough.

As  mentioned in previous communications, we do recognize the communication has not been optimal and we are working hard to improve this. Nevertheless, the community has clearly articulated your desire to have more background information and the reasoning behind the move of the venue.

As we believe truly in the "O" of OWASP, I will hereby share more information about the justification for the move of AppSec-Eu away from Tel Aviv.

As with any foundation, OWASP needs to maintain sound financial health to empower our members and to achieve our mission goals. We do have many expenses and our financials are publicly available.

The OWASP Foundation's financial health does heavily lean on the two major annual conferences: AppSec-Eu and AppSec-US. In 2017, both conferences failed on meet financial goals, the first ending up negative and the latter making much less than expected. This was not due to any person or group, but was just a fact of what happened. The teams that put on these conferences did a fantastic job.

With this background, our new Executive Director did look into the proceedings of the upcoming global conference, AppSec-Eu, in Tel Aviv. Her analysis revealed several risk factors with this location that were cause for concern that the conference could have difficulties generating the required profit. This, on top of the the problems the Foundation experienced in 2017, discussed above, would put OWASP at too much financial risk.

Some factors that lead to the decision to move were:
  • The Israel chapter was planning to continue with its annual and very successful free AppSec-Il conference, potentially competing with AppSec EU.
  • The budget planning was estimating that 80% of the attendees to come from outside of Israel, in contrast to previous conferences, which  roughly 50% of the attendees where from the local community. We would lose the grass roots attendees.
  • Some global OWASP sponsors indicated an unwillingness to sponsor a conference in Israel, citing a poor ROI of sponsoring in that area.
  • There have been many discussions with the Israel chapter about the above issues. Their responses indicated that they did not have the statistics that would counter any of the above risks, as they have never organized a paid conference in Israel.
  • Some of the above is based on assumptions, as always when you are trying to predict the future.
  • Some points might have been negotiable, but seen the time-frame we just did not have the time
With the above considerations, and the financial problems with OWASP now, our ED felt that the only responsible course of action to guarantee the financial health of OWASP was to move the conference.

We hope that everyone understands the reasoning behind this difficult decision. We extend, once again, our sincere thanks to the Israel community for their efforts to date, but also our apologies, and hope of a future event in Israel. We also again apologize for not explaining all of this earlier. It would most certainly have avoided some of the frustration and disappointment that some community members have experienced.

On behalf of the OWASP Board of directors,
  Martin Knobloch
OWASP Chairman of the BOD

Board Statement about the AppSec-EU 2018 and related events

[From the OWASP Connector, Wednesday Feburary 14th 2018]

Dear OWASP community,
As there have been quite a number of changes over the last number of months, the Global OWASP Foundation has faced a number of challenges. As you may be aware, three of our staff members have left the foundation, leaving a big gap in our day to day operations. This is not an excuse, but a reason why some processes both slowing down or even came to a complete halt. We are very happy to have found an Executive Director (ED) in Karen Staley. Since joining, Karen has been working hard to turn these challenges into opportunities and to allow OWASP to increase our organizational maturity and professionalism. I think it’s safe to say that the four newly elected board members and new ED, have had the most memorable start in their new position.

We are all extremely passionate about OWASP and with this passion comes frustrations. Your frustration in relation to the lack of information/ communication is understandable. As most of you were celebrating the Christmas and New Year holidays, the board were blindsided by these events. To this end the newly elected and sitting board members, together with our ED, were busy with the matters at hand. Given the time of year and the nature of the matter at hand, it’s easy to forget to communicate. We understand that the lack of communication on our part can make you assume nothing is happening.
Even though there was no communication with the OWASP community at large, we want to ensure you that we were in constant communications with those involved and are working towards an acceptable path forward.

As per previous mailing list communications, the AppSec-EU 2018 conference will take place in the UK. Operational challenges are currently being resolved and information about the conference venue, location will be available as soon possible.

Volunteers who have been working hard on organizing the AppSec-EU 2018 conference in Tel Aviv and the OWASP Israel chapter especially, felt frustrated with the decision to move the conference and way it had been communicated. Those that have previously organized a global OWASP AppSec conference in the past know how much more complex it is to organize compared to a local event, even if the numbers of attendees are more of less the same. The decision to move the AppSec-EU 2018 conference to the UK has been made. We would like to acknowledge the effort of the organizing team, while realizing the required level of support from the foundation was not achieved.

As OWASP board and staff, we see the huge burden it puts on the local chapter and leading volunteers. The OWASP board and staff recognizes the necessity of providing more professional support to the local chapter and volunteers to justify the expectations of our community and sponsors. With her extensive experience in organizing international conferences, our ED is working hard to do so.

As you are aware, the board members are volunteers too and we do our best to act in the best interest of the OWASP community. OWASP is bigger than individuals or the board, OWASP is a community which is driven by it volunteers and we welcome your input in how we can improve OWASP to further our mission. Please be invited to the OWASP Board meetings, the first meeting of the current board is January 24th.

Many times, those who shout the loudest are perceived in representing the community’s opinion. In the succession of the announcement the AppSec-EU to be moved from Tel Aviv to the UK, and the public statement that has been made articulating the frustrations about this decision, people from inside and outside the OWASP community felt the need to vent their opinions. As we are an open organization, I appreciate how forthcoming our community was.

Nevertheless, in OWASP we have a clear policy of ethics, stating the expected professionalism in communication and respect towards each other. We as a community of professionals are required to set an example to the next generation and should therefore lead by example in respecting these ethics when communicating both privately and in the public domain.

We will endeavor to improve our communications going forward and hope that this has not deterred any of the great OWASP community that have spent a countless number of hours volunteering to improve software security as a whole.

On behalf of the OWASP Board of directors,
   Martin Knobloch
OWASP Chairman of the BOD

Thursday, April 5, 2018

The OWASP AppSec conferences are planned for July and October 2018.  These conferences are the premier meeting places for the OWASP community and those working in information security.  

As OWASP members and countless volunteers already know; OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. The OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP advocates approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all these areas.

The core of OWASP's success is the community that works tirelessly ensuring that anyone working in information security has access to the best resources and knowledge in application security.  The best place to learn more, expand understanding and to meet up with the global community and contribute to its goal for improving application security is the AppSec Conferences.   

The conference training and seminars are managed and developed by the community for the community.  Join us in London, from 2-6 July or come to San Jose, CA from 8-12 October to train, learn and have a great conference experience with your colleagues.   

Tuesday, March 27, 2018

Call for submittal of papers for OWASP AppSec USA San Jose CA Event

Submit papers for OWASP AppSec USA San Jose CA Deadline April 13,2018

AppSec EU Conference Program Coming Soon!

AppSec EU 2-6 July London, England will take place at the very modern and well located QEII Centre.  The committee is reviewing the conference presentations and training submissions preparing for what we believe will be a very positive learning, networking and engaging conference.
Plan to join the community in London.  Registration is now open!  We look forward to seeing you in London!

Thursday, February 8, 2018

Board decision on the NYC RFP

OWASP Community,

Yesterday your elected board decided not to have OWASP support an RFP to build a cybersecurity center of excellence in NYC.  The local NYC OWASP community did an awesome job working to meet the RFP requirements and assembling a team and a detailed proposal.

The team presented the submission generally during the past OWASP BOD call February 7th and in all details during the executive meeting afterwards.
We decided (unanimously) not to support the proposal at an organizational level for a couple of very basic reasons:
  1. The activities would be geographically focused in NYC. As a global entity, we should prioritize activities with a global interest.
  2. The activities potentially involve a commercial interest which we feel can introduce a conflict of interest to our mission.
  3. The foundation has substantial commitments and existing priorities with AppSec conferences, Projects and Chapters, which are already stressing our existing resources. 
  4. We believe both the RFP process and further work around this initiative would be a significant amount of work for the Foundation staff, which could introduce risk to the core mission of OWASP.
With decisions that involve large amounts of effort, money and direction we expect people to have strong opinions and ideas.  We feel an acute responsibility as your elected board to work to make the best decisions we can for the global OWASP community - to direct our activities and funds toward our mission, which is an open global application security community.  We deeply appreciate everyone’s contributions.

Thank you.

On behalf of the OWASP BOD,
    Martin Knobloch
OWASP Chairman of the BOD