Tuesday, May 23, 2017

OWASP Leaders' Workshop Pt 1: 4 Major Changes and Leader Insight and Control

The Leaders' Workshop was held on the Wednesday night before the AppSec Europe conference, with about 30 project and chapter leaders in attendance. It covered some exciting new developments in the OWASP infrastructure as well as leaders' questions about ongoing concerns and upcoming events. If you have been a leader for at least six months, please remember that you receive free access to any Global AppSec conference and that you can attend this pre-conference workshop even if you do not attend the conference itself. At future conferences we plan to host the workshop on GoToMeeting or Webex as well, so that leaders from all over the world can join in.

Four key changes are coming to OWASP infrastructure as a result of the year-long listening activity the staff has been engaged in while assessing how to tackle the organization's technical debt and growing pains. The four areas we are focusing on first are the Website Reboot, the Association Management System (AMS), our mailing lists, and a volunteer program. This meeting focused primarily on the changes coming to our AMS and lists.

Website Reboot and Volunteer Systems

We started with a quick update on the Website Reboot and the Volunteer Program. The Website Reboot hit some scheduling snags while we waited for the board to approve funding for the project, and then had to address the sudden loss of our hosting provider. During this time Phase 1, updating the wiki source to 1.27.x, has been completed; Matt is writing the RFP for Phase 2, wiki style updates; and Phase 3, single sign-on, is being integrated with the move to Amazon Web Services.

The Volunteer Program is on the horizon: you should see surveys going out in the next month and the first results in Q4. The goal of the Volunteer Program is to give members and potential volunteers an easy way to put together a "Volunteer Resume" and apply to volunteer positions written by leaders. The end goal is to allow leaders to a) easily and widely distribute calls for volunteers, b) interview and choose volunteers, and c) track, interact with, and reward volunteers. This program is also closely tied to the AMS and the new abilities and insights it will give our leaders.

As always you can follow our monthly Operations Update posts on the OWASP Blog or in the OWASP Connector for detailed information on these projects as they progress.

Updated Association Management System

The Association Management System (AMS) is the platform that allows OWASP to effectively manage the needs of our community. It is essentially a set of cross-referenced lists of every request, member, volunteer, project, chapter, and sponsor OWASP has interacted with. Until recently, the technology to let our community leaders interact with this system in a sustainable and scalable way did not exist. We are now glad to tell you that we are implementing a new system that will not only help things run more smoothly behind the scenes, but also give leaders significant insight into their project or chapter and create a single source of truth for the community to work with.

We are now able to give visible and invisible badges to our leaders, who in turn will be able to identify project and chapter contributors for badging. Among other things, when fully rolled out, leaders will be able to log into their Force portal and see which OWASP members have allocated their membership to their chapter or project, currently and in the past, as well as who they have listed as official contributors to their project.

Through APIs we will be able to grant special permissions for protected parts of the wiki. For example, leader positions will be tied directly to Salesforce, which becomes the authoritative record: if someone changes a leader listing on the wiki, it will revert to the official status held in Salesforce. Additionally, project leaders will be able to allow particular contributors to update protected project pages. Combined with the upcoming volunteer platform, leaders will have much more organized control, the APIs will gradually eliminate repetitive tasks, and key insights will be much more apparent.

Equally important are the new conveniences that authenticating with the Force portal will bring. On your portal page, leaders will not only have new insight into WHO they are working with and HOW the work is divided, but the labor they are doing and the support they have requested will also be clearly presented.

The new Force portal will create a single location to request, track, and receive funding. Leadership badges mean that when their membership is up for renewal, leaders will be directed to honorary (and, if they choose, paid) membership plans rather than having to locate them from prior knowledge. It also means that we can sharply limit the use of event discount codes, which have led to annoying slowdowns and frustrating disorganization. You will be able to register for events directly from your portal, so you will already be authenticated as a leader and the discounts will be applied to your order automatically.

Mailman Transformed

OWASP's lists system is very problematic: it is bloated, it is unsupported, and currently it is insecure. No matter how we choose to address the lists, at this point it would require a migration.

We began our search for a replacement with a long list of requirements. We needed a system that worked both over email and on a separate platform. The replacement needed to be mobile native and to allow for restricted lists as well as a searchable archive. It also needed to do a better job of fostering community than our current solution, which has left us with crickets on the community list and many abandoned chapter and project lists. Furthermore, it needed to let people easily choose which communications they wish to take part in and ignore those they do not wish to spend time on, without missing vital communications.

In the end, the answer to our search was Discourse. Discourse will allow us to create a platform where users can customize their experience; it is searchable, archivable, and mobile native, and you can choose to interact with it through email or through the app/browser platform. It also has features such as a daily digest that you can choose in place of up-to-the-minute notifications.

The most important difference the change to Discourse will bring is a reorganization of our lists and how we use them. This is partly because our current list structure is incompatible with Discourse, and partly because over the past decade we have learned a great deal about what our community wants and needs. With Discourse we can create a system of communication that is both less siloed and more granular. For instance, the most common complaint about the leaders' list is that too many governance discussions happen on it. By changing the structure we can create a place where leaders who want to communicate without those discussions can thrive, while also supporting the community members who care deeply about governance. We can also make it easy for community members to dip into different sections when a topic is vital to them.

In Discourse we will have 6 main categories with subcategories.  

The Community category is the "main" category for the average OWASP user. Here there will be a main, uncategorized location for general conversations. You can expect recurring events such as puzzles, polls, or directed weekly questions, as well as a place to chat with other community members from around the globe.

There will also be a Governance sub-category for those who are interested in discussing, changing, or writing on specific points of governance for our community.  Separately, there is a Board List for reading and communicating directly with the board of directors in their official capacities.  

The two NEW parts of this category came from requests by leaders and community members respectively. Many leaders have asked for an announce-only list that they can subscribe to so they can get information from OWASP without automatically signing up for the discussions that usually accompany those announcements.

The second was a request from community members for a place where they can ask specific appsec questions of people they already trust. Answers can be voted on, rewarded, and discussed. One strong request from the Leaders' Workshop was to limit this topic to paid and honorary members of OWASP only.

Projects, Chapters, and Committees

The Projects, Chapters, and Committees categories will each have an individual sub-category for each project, chapter, or committee (for example AppSensor, Charlotte, or the Education Committee), as well as their respective FAQs and a location for general, uncategorized conversations about projects or chapters.

Projects will specifically have the ability to badge their contributors and grant them write access in project-specific sub-categories.


The Events category will have sub-categories dedicated to local, regional, and global events. Here you will be able to compare notes, get ideas, and problem-solve with other volunteers who are running events. This is an excellent place for experienced event teams to mentor new ones. It will also serve as a place for event teams to set up topics for planning specific events, or to discuss improving the events platform.


The Leaders' category will remain much as it is now, with the addition of an announce-only section for the leaders' list.

What makes this system easier to use across categories is that each user can choose to follow individual categories, sub-categories, or even topics. No longer will someone be overwhelmed by the leaders' list and therefore unwilling to engage with the wider community. As members sign up, they will be able to join their own chapter or project sub-category as well as the community lists and any other lists in a single step. No more applying to join and hoping the moderator notices. No more joining for one topic and then having to slog through dozens of emails you are, frankly, uninterested in.

Furthermore, thanks to Discourse's trust and social badging systems, members will be identified and the volunteer work done by each member will be clearly visible, so that our top contributors can get the kudos they deserve. Best of all, the Discourse system is responsive to change: threads, topics, sub-categories, and categories can change as our community changes, helping OWASP meet community needs quickly.

Timeline and Logistics  
Discourse is expected to start rolling out in Q4 of 2017 or Q1 of 2018. In the meantime, we will be beta testing features gradually, and you can respond to requests for testers as we roll out and ramp up each test.

Other Questions
Our leaders raised three additional questions:
  • What is happening with the OWASP Code Sprint?
  • What is the status of the move from 2 to 4 meetings per year?
  • What does the Foundation look at when judging whether an event can be charged for or not?

We will be answering these questions in future blog posts.  Look for the Code Sprint post on Thursday May 25th and the other questions next week.  

If you have feedback on the Website Reboot, the Volunteer Program, our new AMS and the Force portal, or the move to Discourse, please feel free to reach out on the lists, in this post's comments section, or on the talk page of the appropriate wiki page. We will be monitoring all three.

Which of these upgrades are you most excited about?  
