OWASP Foundation

Board Summary

August 2024

Initiatives & Operations

Andrew van der Stock

OWASP Foundation Staff

Executive Director

• Moving back to Australia
• How to best contact me and make time with me
• Policy review of Board election materials is underway
• Code of Conduct and Elections policy are in public review
• Microsoft Intune being rolled out to manage devices
• Enforced device encryption, automatic updates, MFA login for Windows devices, security baseline settings (PIN complexity, password requirement, etc)
• Compliance audit
• Remote wipe

Executive Director

• Audit
• Single entity (OWASP Foundation, Inc.), single year
• Audit field work has commenced
• Need to sort out EU entity (discussion later in this meeting)
• IT general controls:Need to enroll staff in Insperity training in securely handling data, phishing attacks, privacy, etc.
• New presentation templates
• Leaders as Members update

New templates are here

Now 100% compliant with the brand guidelines

OWASP Blue Theme

Your name here

OWASP Light Theme

Your name here

© 2024 Author Name. Licensed under CC-BY-SA 4.0

OWASP Dark Theme

Your name here

© 2024 Author Name. Licensed under CC-BY-SA 4.0

Leaders as members

Leaders As Members

1071 total leaders

​

293 Members

778 Non-Members

​

A few anomalies so far

• No single source of truth
• Pseudonym
• Not an email address
• Missing emails (i.e. name only)
• Email in leaders.md doesn’t match their Stripe customer record
• No Stripe owasp.org metadata
• Stripe is non-owasp.org email
• No leader tag for most leaders in Copper
• Duplicate Copper records fools our membership check tools

Timeline

GSuite Suspended

leaders.md will be updated to be their secondary email

Oct 30

GitHub admin role revoked�Leader discounts suspended

GitHub role changed to member

​

Nov 30

August

Campaign to become members

Weekly mail outs to non-member leaders, Slack and social media announcements

September 30

Not able to manage chapters in AMS�Expenses suspended for non-members

Leaders must be in the AMS to manage their chapter. Only member Leaders will only be able to claim expenses.

Dec 30

Leadership is terminated

Removed as a user from GitHub�Removed from leaders.md�GSuite will be deleted March 30, 2025

Leader benefits

Operations

• The Board Election process has started. The call for candidates is open until 8-31-24.

​

​

Corporate Relations

​

Kelly Santalucia

Corporate Supporter New Member Benefits

Testimonials from Corporate Supporters

Checkmarx:

“Checkmarx places high value on our sponsorship with OWASP, which we see as a partnership. The goals of OWASP and Checkmarx are aligned, aiming to bring the practice of application security to a higher standard everywhere in the world. One significant factor in the choice to become a Gold Sponsor was the ability it gave us to provide a benefit to OWASP members, which in our case was to give all members access to our Codebashing secure training platform at no additional cost. Presenting at OWASP gatherings and having our VP of Security Research co-lead the API Security Project are all part of a sponsorship that benefits everyone.”

​

Ubiq:

“The OWASP individual member benefit program has led to increased adoption and sign-ups of our free, community version, enabling us to work more closely with security-minded developers and engineers across the globe and educate them on how identity-driven, data-level security controls can more effectively safeguard sensitive data and help them avoid cryptographic failures.”

​

Appdome:

“Appdome chose the gold level for two reasons

1. We believe in the OWASP mission and want to fund the mission as much as we can afford
2. The ability to provide a member benefit that is only available at this level and above”

Root:

Root qualifies as a start-up (est 36-months or less) and could have joined with the $2k package, however, they joined as a Platinum ($25k). She found the member benefit very interesting and hopefully soon, will be submitting a member benefit proposal for approval.

​

Corporate Supporter Pipeline

Conference Sponsor Pipeline

2024 Global AppSec San Francisco Exhibitor/Sponsorship Pipeline

Finance

​

The Charity CFO

Membership

Andrew van der Stock

Individual Members

Membership up 97 for August, for a total of 8286 members, an all time high.�

One Year 4239 +60

Two Year 1074 -7

Lifetime 1266 17

Complimentary 1707 27�

All forms of complimentary membership will be reaffirmed once we are on a new AMS.

In September, let’s discuss sunsetting force majeure complimentary membership.

Chapters

Dawn Aitken

New Chapters

• 2024-07-24, OWASP Mauritius
• 2024-07-30, OWASP Edmond
• 2024-07-30, OWASP Sivagangai

​

​

Meetup Membership Data

143,416 Total members

​

• 220 Groups - (276 active chapters)
• 48 meetings in the last 30 days
• 1,519 new members joined in the last 30 days

​

​

​

​

​

Projects and Grants

Starr Brown

Projects

Project status always available at Project Website Status | OWASP Foundation

• Ongoing Leader Feedback
• Open call for feedback related to contributor license agreements, project funding, and in-kind funding. The attempt to notify via the #leaders channel in Slack garnered two responses - in total.
• Redistributing via email and Slack
• Please share amongst other Project leaders if you communicate via private channels on our behalf
• Link: https://owasp.wufoo.com/forms/z1nwhgkb12p34cu/
• Will promote again at Global AppSec San Francisco and Project Summit
• Ongoing Project Budgets & Financial Transparency
• Financial clarity is lacking for projects in terms of budget vs. spend
• Transparency is lacking because of the current process does not allow for easy means of showing budget vs. inflow / outflow
• Transparency between the foundation and its project leaders needs to be better to ensure we can clearly account for cash flow and resolve requests for payment in a timely manner
• Andrew has requested additional ledger coding with Charity CFO that will assist in the effort of making project accounting clear and easy to understand

Projects

• AMS
• Data cleanup and workflow confirmation is our current stage; this is the majority of the project’s implementation
• Go live likely early October due to dates related to elections / member status and because an extension was given for the Cloudflare member portal use
• Blend-ed
• Go Live planned for Q4 2024
• RFC: Donated materials for OWASP Top 10 beginner friendly free certification course need review by community members
• Planning: Train the Trainer courses as means to support current OWASP community trainers and leaders with a way to not detract financially from existing trainers and to add to the inflow of revenue supporting projects, developers and leaders as well as to increase operational revenue by creating training packages for other organizations who wish to utilize the OWASP portfolio of projects as part of their offering
• Planning: Leader, Member & Chapter training

Projects @ Events

Planning

• Project Summit
• We need travel assistance with the goal of bringing lab and incubator project developers as well as those more junior in their career to the event
• Working with Fastly, major airlines & other grant providers to apply for travel funding
• Seeking Summit Sponsors, prospectus forthcoming by early September

Events

Lauren Thomas

Global AppSec Lisbon Summary

Overall Conference Tickets (Receptions, conference, training) Conference Tickets

Budgeted: 840 Budgeted: 600

Sold: 1045 Sold: 782

% sold to budget: 124% % sold to budget: 130%

% increase from 2023: 198% % increase from 2023: 177%

Training

Budgeted: 130

Sold: 182

% sold to budget: 140%

% increase from 2023: 152%

​

​

​

Analysis: Global AppSec Lisbon far exceeded expectations in regards to YOY growth and anticipated budgeted numbers. Sponsorship and conference growth could be due to finally exiting the times of COVID as well as the location. Training growth attributed to added training courses. The only area where ticket sales did not meet the expected attendance is the WIA Reception which budgeted 35 tickets and sold 16 as well as the Newcomers reception which budgeted for 75 tickets and sold slightly under at 65 tickets.

Global AppSec San Francisco Summary

Overall Conference Tickets (Receptions, conference, training) Conference Tickets

Budgeted: 1155 Budgeted: 900

Sold: 566 Sold: 441

% sold to budget: 49% % sold to budget: 49%

Note: At this time (4 weeks before the event) for SF 2022,

we had 263 Tickets sold. At this time for DC 2023, we had

507 tickets sold

​

Training

Budgeted: 115

Sold: 54

% sold to budget: 47%

​

​

​

BOD Call to Action: Please reach out to your contacts and promote on social media. If you have a company looking for bulk ticket purchases, even better. Please direct them to the events team.

Global AppSec Developer Day SF Update

Due to low registration numbers, Developer Day on September 25th has been cancelled. We will be reviewing our efforts to determine what steps should be taken in order to build the conference in the future.

​

Tentative plans for a virtual Developer Day in early 2025.

​

BOD Call to Action: Please assist the foundation with outreach to Developers. Once a date has been secured for virtual Developer Day 2025, we would appreciate any assistance in reaching out to potential developers.

​

​

​

2024 and Beyond Global AppSec Events at a Glance

​

2024 AppSec Days at a Glance

​

2024 AppSec Days at a Glance… Continued

​

BOD Call to Action: in Q4 of 2024 we have a handful of new Regional Events. If you would kindly assist in spreading the word on AppSec Days Panama, Singapore, Spain, and India.

2024 Global AppSec SF Status On Track

September 23-27

2024 AppSec Days Panama Status On Track

September 11-12

2024 AppSec Days Singapore Status On Track

October 1-2,2024

2024 AppSec Days Spain Status On Track

October 26,2024

2024 LASCON Status On Track

October 22-25

2024 AppSec Days India Status On Track

November 14-15

Completed events

2024 SnowFROC Status Completed

March 7

2024 BASC Status Completed

April 6

2024 AppSec Days PNW Status Completed

June 15-16

2024 Global AppSec Lisbon Status: Completed

June 24-28

Community Development

Christian Capellan

Force Majeure Accounts

• No address or other identifying information was requested from force majeure complimentary accounts (Israel, Ukraine). Over 1000 accounts with no info, most appear to be fraudulent.
• Auditing 50 top users by Google Drive usage are being audited (address requested).
• 30 day deadline given before account deletion.
• Only two responses so far, both giving well-known non-residential addresses (a nightclub and a warehouse).
• One account was storing significant adult content, possible CSAM.
• Short-term: will be requiring address for new force majeure accounts (soon).
• Long-term: no force majeure accounts will be automatically ported to new AMS. Individuals will be contacted and asked to resubmit, providing address in new workflow.

Google Drive

• Google Workspace usage at 50% (down from 100% in May).
• Continuing to audit and clean up shared drives.
• OWASP accepted invite to apply to directly report suspected and/or confirmed CSAM to Centers for Missing and Exploited Children. Waiting on reporting infrastructure to be provided to us.

DEV Content

YouTube Content

Analytics: LinkedIn

Analytics: X (Twitter)