February 2025 Agenda/Minutes
Meeting Details
Agenda
CALL TO ORDER
Board Members Present:
- Ricardo Griffith (chair)
- Steve Springett (vice-chair)
- Sam Stepanyan (secretary)
- Ashwini Siddhi
- Harold Blankenship (treasurer)
- Avi Douglen
- Diego Silva Martins
Guests
- Andrew van der Stock
- Kelly Santalucia
- Dawn Aitken
- Lauren Thomas
- Hayden Corry
- Starr Brown
- Christian Capellan
- Heather Kennedy
- Chris Barbeau
- Leea Hudson-Wilson
- Maxim Baele
- Aram Hovsepyan
- Rob van der Veer
- Aruneesh Salhotra
CONFLICT OF INTEREST AND ANTI-TRUST STATEMENT
As the Board consists of individuals from many competing organizations, OWASP and its Board shall abide by all applicable anti-trust and competition laws. To avoid any perceived or actual conflict of interest, or anti-trust concerns under US federal, state, or regulations, only the published agenda shall be discussed or voted upon, or amended as below. If there are any conflicts of interest, Board members are expected to disclose the conflict of interest and must recuse themselves from discussion and voting.
CHANGES TO THE AGENDA
Changes to the agenda - unless otherwise prohibited by anti-trust or competition laws - including adding, altering, or tabling of motions are permitted by following Robert's Rules of Order (RONR 12th Ed) 41:63, which requires an affirmative two-thirds vote.
- A request from Rob van der Veer to join at 2:00 PM prompted a discussion to reorder the agenda.
- Proposed moving Rob’s topic (new business) after the management update and reordering the agenda items to prioritize guests (Charity CFO) and finance report before other items; agreed by consensus without a formal vote.
APPROVAL OF MINUTES
Board Members
- Ricardo Griffith: YES
- Sam Stepanyan: YES
- Harold Blankenship: YES
- Ashwini Siddhi: YES
- Steve Springett: YES
- Avi Douglen: YES
- Diego Silva Martins: YES
PRE-READING MATERIAL
Executive Reports
Finance Report by Chris Barbeau - The Charity CFO
- Budget finalization with Andrew still in progress; audit draft prepared, awaiting finalization.
- January 2025 financials: Cash decreased by $85,000, AR increased by $118,000, net assets increased by $43,000, liabilities decreased by $134,000, total net assets up by $169,000.
- Income: $341,000 (up from $132,000 in December 2024), driven by $270,000 in sponsorship revenue.
- Expenses: $171,000 (up from $153,000 in December 2024), including travel bookings for the Barcelona Global AppSec Conference.
- Net income: $170,000.
- Discussion on cash sweeps accounts (suggested by Sam from a prior meeting); Andrew noted a Citizens money market account at 4.25% interest, FDIC insured up to $250,000, with access issues to be resolved.
NEW BUSINESS
Discussion on CRA Open Source Stewards
Background: OWASP has various CRA initiatives. Let’s discuss how we can support open source projects that might be impacted by the CRA.
- Maxim Baele introduced the Cyber Resilience Act (CRA), effective 2028 in Europe, mandating security requirements for products entering the European market.
- OWASP’s potential role as an open-source steward was discussed, supporting projects to comply with the CRA.
- Maxim Baele shared the draft OWASP CRA Stewardship document.
- Concerns raised by Steve about scale and volunteer availability; proposed a working group to develop processes.
Meet the proposed new EU Entity Candidates
Background: The new European entity will likely be formed in March with Andrew’s visit to Brussels. This is a chance to meet the proposed Directors and ask questions.
- Candidates Maxim Baele and Aram Hovsepyan introduced themselves as potential OWASP EU Board members.
Discussion on the new OWASP European Foundation Entity
Background: The new European entity will likely be formed in March with a visit to Brussels. This is a chance to discuss the new entity and ask questions.
- Andrew reported delays in drafting bylaws due to communication issues with VAT desk lawyers (OWASP.com e-mail issues).
- Target formation date shifted to April; structure intended as a wholly owned subsidiary, pending legal advice on tax and EU grant implications.
Executive Reports
Andrew van der Stock - Executive Director
- Membership renewals: Issues with double charges in Stripe and Glue Up resolved; plan to make Glue Up the “source of truth” renewal source, requiring manual updates for ~1,000 members.
- Membership provisioning issues reduced by 60% since January with manual sweeps; automation in progress.
- Staff summit held virtually; successful, with prioritization needed for initiatives (e.g., chatbot, knowledge base). It is proposed to have the in-person meeting at AppSec Cali once it is restarted.
- Andrew is attending nonprofit cyber meeting in London and will visit Brussels to wind down the old EU entity.
- Website redesign progressing; seeking vendor proposals. Feedback on the requirements appreciated.
- CRM consolidation to Monday.com CRM and Glue Up for better metrics and reduced fees.
- Amsterdam board strategy meeting in April 2025: hotel booked; dietary needs (e.g., kosher, vegetarian) to be coordinated.
Operations Update - Dawn Aitken
- Dawn reported cleanup of 90+ day AR; old items without deliverables to be removed.
- Chapter tickets reduced to 12, half awaiting replies.
Events Update - Lauren Thomas
- Ticket sales at 20% of budget for Global AppSec Europe event.
- Industry trends slide added for board review.
- Costs for venues and food/beverage up 25% over four years; ticket price rises implemented to ensure profitability.
Discussion with Rob van der Veer on OWASP Standardization
Background: Rob van der Veer has been working on standardization for OWASP. This is a chance to discuss the progress and ask questions.
- Rob highlighted OWASP’s role in AI security standards (e.g., ISO 27090, AI Act) via LLM Top 10 and AI Exchange.
- Proposed a blog post and press release to position OWASP as driving practical AI regulation.
- Coalition for Secure AI (CoSAI): Proposed OWASP join as a non-funding partner in a technical steering committee with Microsoft, OpenAI, Google, etc.
- SANS proposed a partnership with OWASP for the AI Summit (April 1), leveraging the OWASP AI Exchange framework.
Motion to approve the 2025 Budget
Background: The 2025 Budget has been finalized with a -$72k deficit, which takes into account the 200K USD of investment in a new website and certification, and increased outreach spending. The Budget needs to be approved to allow BAU operations to work per the Spending policy.
- Draft 2025 Budget Summary
- Income: $4.414 million, down $74,000 from 2024 due to smaller DC exhibitor space.
- Expenses: $4.498 million, up $881,000, including website redesign, increased bills for food & beverage, and video recording.
- Deficit: -$72k, offset by cash reserves (2.5% of total).
- Strategies: Increase revenue, reduce food/beverage costs (e.g., sponsor lunches/drinks), explore community video recording.
Motion: “Resolved, that the 2025 Budget is approved, effective immediately.”
Sponsor: Harold Blankenship Second: Ricardo Griffith
- Steve Springett: YES
- Harold Blankenship: YES
- Sam Stepanyan: YES
- Avi Douglen: YES
- Diego Silva Martins: YES
- Ashwini Siddhi: YES
- Ricardo Griffith: YES
Results: Passes 7-0
COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS
- No closed-door session needed this month; internal update will be provided separately.
Action Items:
- Finalize budget and audit report. (Assigned: Andrew, Chris)
- Address cash sweeps account linking issues. (Assigned: Andrew, Chris)
- Add CRA-affected projects and helper tools to the Amsterdam strategy meeting agenda. (Assigned: Ricardo)
- Set up a Google Group for the informal CRA working group and attend the first meeting; collaborate with Maxim Baele. (Assigned: Andrew, Steve)
- Finalize OWASP EU timeline in Monday.com and share with the Board and candidates for support (e.g., finding a Belgian lawyer). (Assigned: Andrew)
- Follow up with VAT desk lawyers regarding the draft OWASP EU bylaws. (Assigned: Andrew)
- Meet the remaining OWASP EU Board candidates. (Assigned: Andrew)
- Communicate the membership renewal changes (regarding Stripe recurring payments) to the community and affected members. (Assigned: Andrew)
- Provide a list of website designers via Monday.com. (Assigned: Sam)
- Add staff summit prioritization to the Amsterdam agenda. (Assigned: Ricardo)
- Coordinate a blog/press release on AI regulation outreach. (Assigned: Starr, Rob)
- Conduct due diligence on Coalition for Secure AI; provide mentorship accordingly. (Assigned: Andrew, Steve, Rob)
- Coordinate co-marketing for the SANS AI Summit; provide mentorship on partnership setup. (Assigned: Starr, Dawn, Steve, Rob)
- Add event cost/price rise discussion to Amsterdam agenda. (Assigned: Ricardo)
ADJOURNMENT
Adjournment motion
The next general Board meeting is on March 25, 2025, at 12 pm US Eastern Time.
“It is moved, and seconded to adjourn. Those in favor, say ‘aye’.”
Sponsor: Ricardo Griffith (Chair) Second: Avi Douglen