Request for OWASP Global Board and Executive Management Team Support for Funding Bid.


Adrian Winckles

Apr 30, 2023, 6:55:57 AM
to Global-board, Grant Ongers, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Bil Corry, Glenn Ten Cate, Education and Training Committee
Dear OWASP Board and Executive Management Team

Grant Ongers, Chair
Avi Douglen, Vice Chair
Bil Corry, Treasurer
Matt Tesauro, Secretary
Glenn ten Cate, Member-at-Large
Vandana Verma Sehgal, Member-at-Large

Andrew van der Stock, Executive Director
Harold Blankenship, Director of Technology & Projects

I’m following up on behalf of the OWASP Education & Training Committee regarding the UK Government Tender Opportunity for “Assessing the Viability of Creating an International Standard on the Privacy of Apps and App Stores” (attached again) that I circulated last week which we believe will help the long term goal for an Open Application Security Curricula and eventual certifications.

After a committee meeting this morning we would like to make the OWASP Education and Training Committee the key lead partner in this consortium and to be able to utilise for financial purposes the OWASP European Entity as this is still nearer to UK domestic legislation and governance than any formal US based jurisdiction.

How feasible is it to be able to issue a formal letter of support from the OWASP Foundation empowering the committee to be the Lead Party in the Tender and also to be able to utilise OWASP’s European entity to hold the appropriate funds?

As time is of the essence would it please be possible to have a formal response by Wednesday 3rd May 12:00pm EST if we are going to be able to put any meaningful bid together for the proposed work which is due by Tuesday 9th May 12:00pm BST.

We look forward to hearing from you.

Adrian Winckles (Chair)

(on behalf of the OWASP Education & Training Committee)
OWASP Board and Executive Management Team Support for Funding Bid Request.pdf
103603 International standards ITT.docx.pdf

Grant Ongers (OWASP)

May 1, 2023, 8:36:25 AM
to Adrian Winckles, Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Bil Corry, Glenn Ten Cate, Education and Training Committee
Hi Adrian,

Sorry about the delayed reply but with RSA and the time zone difference... well. I think you understand. Any how, on to your proposal:

Do I understand correctly that you want to bid for this tender using the EU entity as the legal vehicle? 
Who will actually do the work required? How will they be remunerated?

@Global-board your thoughts on this would be most welcome.

Best regards,
Grant
--
Grant Ongers
Co-Lead | OWASP Cornucopia Project
Co-Lead | OWASP AppSec Curriculum Project
Chair   | Global Board of Directors
F164 738F 16BF FDBF F0B6 5720 C986 8AF7 5F41 97BE
  https://twitter.com/rewtd

Adrian Winckles

May 1, 2023, 11:14:38 AM
to Grant Ongers (OWASP), Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Bil Corry, Glenn Ten Cate, Education and Training Committee
Hi Grant

That's correct with regard to the EU entity.

I would probably do most of the admin work but be able to use others from the committee and beyond as necessary.

Part of the idea was to utilise my day job with ARU as part of the consortium, which would give the necessary Cyber Essentials coverage for working with UK government as a supplier.

Thanks 

Adrian 

Bil Corry

May 1, 2023, 8:10:15 PM
to Adrian Winckles, Grant Ongers (OWASP), Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
If OWASP EU signs the agreement, we would be on the hook for the deliverables.  This is a four month project, which is not a lot of time, but there is quite a bit of work and it's over the summer vacation months.

So my questions are:
  1. At a macro level, does OWASP need to be involved with this, or can we utilize the standard if someone else creates it?
  2. Do we have enough people to execute on all of the deliverables?
  3. Do we have the expertise involved with this project to ensure the final product is high quality and meets all of the objectives?
  4. Is the Foundation paying people to work on this, or is it all volunteer work?
  5. If it slides off the rails, who will be the backup to carry it over the finish line?

Best,

- Bil

Adrian Winckles

May 2, 2023, 5:17:02 AM
to Bil Corry, Grant Ongers (OWASP), Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
Hi Bil

Thanks for the response

To address your questions 
  1. I would argue strongly on two points that OWASP needs to be involved in these areas from two perspectives.  Firstly if we are aiming to be the leading industry voice for application security we surely need to be at the forefront of leading initiatives like this and have a seat at the table.  Leaving it to others surely just weakens our credibility, effectiveness and put simply, our relevance.  Secondly, to drive through the Foundations and Committees educational and certification ambitions we need a funding vehicle to be able to allow the effort necessary to take the work forward.  This has been the most relevant one that has come to light recently.
  2. Effectively we are creating a consortium with the Education Committee as the lead, I use my work as an academic to drive some of this with access to other colleagues and using some of the expertise from the committee members and other community contributors.  By having the funding we have much more flexibility than just volunteer input.
  3. I believe with expertise I have locally within my team and across the committee/community we have all the necessary skills to deliver this project.
  4. We are effectively going to be paying people to do this work funded by the project grant/tender.
  5. I will have a number of colleagues who can step in to help deliver in the event of project slippage.
If there's anything else you need clarification on before tomorrow, please do let me know.

Thanks

Adrian 

Grant Ongers (OWASP)

May 2, 2023, 6:44:19 AM
to Adrian Winckles, Bil Corry, Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
Hi Adrian,

Could you share with us the tender? That will allow us to see everything that Bil was asking for in the way in which you'll need to provide it to the Department.

In principle I would agree with your statement about OWASP needing to be a part of creating this standard - especially as this is one of the goals the Education Committee has, but we do need to understand how much it will take to make it happen and what we are committing the Foundation to, and how that is going to get fulfilled.

Best regards,
Grant

Adrian Winckles

May 2, 2023, 8:45:56 AM
to Grant Ongers (OWASP), Bil Corry, Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
Hi Grant

I’ll resend again when I can get back to my desk 

For info, it was attached to my first email

Thanks

Adrian 


Sent from my iPhone

Grant Ongers (OWASP)

May 2, 2023, 9:26:01 AM
to Adrian Winckles, Bil Corry, Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
Hi Adrian,

I only see attached to your original email a PDF'ed version of that email signed by you, and the ITT (Invitation To Tender) itself. You would need to send to the Department a Technical Submission, and at least three appendixes: Pricing Schedule, Company Information, and a Tender Submission Statement.

If you could share those documents with us that would go a long way towards answering the outstanding questions. The appendixes are obviously less interesting than the Technical Submission document, but would be useful to understanding how you anticipate successfully completing this project. 

Best regards,
Grant

Grant Ongers (OWASP)

May 3, 2023, 5:30:37 AM
to Adrian Winckles, Bil Corry, Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
Hi Adrian,

I do understand - believe me, I do. There is nothing more frustrating than getting everything to the point of completion and then being turned back by the board. I want to avoid that at all costs too, but the board does need to understand what you are proposing.

To that end: I think that if the committee has clarity on what they are going to propose, a plan that they know is executable, and a back-up plan for things that fail then the board would happily get behind that. Financially speaking if the committee plans on spending less than 80% of whatever the bid value is (I would probably aim at about £30,000 bid, plan to get the work done for less than £20,000, allowing that things do go over budget) then it should get the full support of the board.

Perhaps start with questions 4 and 6 from the Technical Submission (Methodology and Project Management and Delivery) as that covers the what and the plan that the board would like to see.

Don't worry about the rest for now as all the appendixes the Department provides templates for (so easy to deal with once you have the board's approval) and we can help you write the answers for Skills, expertise and capacity (Q3) as well as Understanding of the sector (Q5) and we can actually take those as read as we know, and trust the committee with regards to them. Questions 1 and 2 are straightforward too, you have answers for them already in your email to us.

Best regards,
Grant


On Wed, 3 May 2023 at 09:57, Adrian Winckles <adrian....@icloud.com> wrote:
Hi Grant 

The Committee were really looking for support & clarification before we put together the majority of the documentation for the bid.

Otherwise we potentially could be putting a lot of effort into writing bid material which could be wasted and could be better utilised elsewhere.

Essentially we’re asking for feasibility before proceeding too far 

Thanks

Adrian



Sent from my iPhone

Adrian Winckles

May 4, 2023, 4:39:14 AM
to Grant Ongers (OWASP), Adrian Winckles, Bil Corry, Global-board, Vandana Verma, Avi Douglen, Matt Tesauro, Harold Blankenship, Andrew van der Stock, Glenn Ten Cate, Education and Training Committee
Hi Grant 

Unfortunately what I needed to make this work initially was to put through the partnership details for research approval via the university which is the most awkward step and the other details would have followed by tomorrow but without that evidence of support it wasn't going to progress.

When I first received details of the opportunity I shared it for wider comment but only had responses from a few members of the committee and no Foundation management.

Consequently, with regret we've had to abandon this opportunity if we can't get those simple steps across the line, it was always going to be difficult with such a tight tender deadline.  There are some other opportunities we're working towards which may also progress the committee goals a bit further along.

Thanks

Adrian 