Draft Strategy Document


Andrew van der Stock

Mar 17, 2026, 8:53:39 PM
to Global-board, Stacey Ebbs
Hi all, 

Stacey has done some terrific work on making the strategy document read well and look good. Please review this document and let Stacey (cc'd) know of any changes/errors you think need to be fixed before we release the final to the community. I've not yet closely reviewed the document; I will provide my own feedback to Stacey when I have a chance to read it more fully. 


thanks,
Andrew

Marisa Fagan

Mar 18, 2026, 11:40:18 AM
to Andrew van der Stock, Global-board, Stacey Ebbs
Hi Stacey!

This is a great resource that is really setting the tone for a great year!

My one suggestion is that “Fundraising” should show up last on the list, not first. I personally read lists in priority order by default and “fundraising” is not the priority that has the most people involved and it just doesn't seem right to me that money would be listed as our top priority. Hopefully that makes sense. So I would list fundraising last but otherwise the order is good.

-Marisa

--
You received this message because you are subscribed to the Google Groups "Global-board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to global-board...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/401290c6-de4b-40a7-a8c7-4b611a927717n%40owasp.org.

Louis Griffith

Mar 18, 2026, 12:36:00 PM
to Marisa Fagan, Andrew van der Stock, Global-board, Stacey Ebbs
Hi Marisa,

I completely understand your perspective on how ordering can imply priority.

That said, I do believe the current order works as intended. While fundraising may not represent the most visible or broadly participated activity, it serves as the foundation that enables all the other pillars. Global collaboration, education, policy efforts, and risk reduction initiatives all depend on having the financial resources in place to operate effectively and sustainably.

In that sense, positioning fundraising first isn’t about signaling it as the “top priority” in terms of importance to the mission, but rather recognizing it as the enabler that makes the rest possible.

Appreciate you raising the point.

Best,

L. B. Ricardo Griffith
Vice Chair, OWASP Global Board
📧 Ricardo....@owasp.org | 🌐 https://owasp.org 


Steve Springett

Mar 18, 2026, 9:27:27 PM
to Marisa Fagan, Louis Griffith, Andrew van der Stock, Global-board, Stacey Ebbs
I agree Ricardo. In fact, the Linux Foundation constantly reminds me of this. Just yesterday, they issued a funding-specific press release that enables the foundation to achieve its mission. Funding is the thing they led with.

Stacey,

The document looks fantastic and reads well. Very nicely done. I’ve reviewed up until the fourth pillar. I likely will not be able to review the last two pillars until Friday.

Feedback:

- The graphic with “A world with no more insecure software” is really pixelated. The background is obviously a rasterized image from Hugo; however, the text, logo, 25 years, etc. should be vectors so they look crisp. On a 5K 40” monitor, the text looks very blurry.

- I would replace “Open Worldwide software security Project” with “OWASP Foundation”. We never really refer to ourselves by our full name.

- “Shoping security requirements…” under Policy and Regulation doesn’t sound right. “Shoping” is the wrong word here. Also, what is the significance of color shading differences between the 5 pillars? I find it a bit distracting.

- “nfrastructure”, “fulfil”, “Thisstructure” are incorrectly spelled.

- Need a full stop after “attracting even more people”

- Is Oxford English the target? I see “ize” and “ization” for words originating with the Greek -izo suffix. This is how U.S. English and Oxford English spell them, but not British English. There is also the use of the words “flavour”, “theatre”, and “modelling”, all of which are Oxford and British English spellings. So the combination of these leads me to believe that Oxford English is the target. Just confirming.

- “Millions of developers write code daily…” this may be perceived negatively in the age of AI. Just since December, the models have improved to the point where secure coding education is less of an issue and more of an AI implementation detail. If we focus on “software engineering” rather than limiting it to writing code, that would lead to secure architecture and design, which is something AI struggles with.

- “rote memorization”? I actually had to look up what “rote” meant. Not sure if your non-native English speakers will know what it means either.

Again, great job on this.

— Steve

ashwini siddhi

Mar 20, 2026, 5:54:49 AM
to Andrew van der Stock, Global-board, Stacey Ebbs
This is great work by Stacey!
Outside of Steve’s comments — which I completely agree with — I had one additional thought on the length of the document. It might be helpful to include a concise summary or annexure that captures the key points, preferably with some graphics or visuals. I’m not sure how many people will go through a 25-page document in detail.

Regards
Ashwini
