Draft Strategy Document


Andrew van der Stock

Mar 17, 2026, 8:53:39 PM
to Global-board, Stacey Ebbs
Hi all, 

Stacey has done some terrific work on making the strategy document read well and look good. Please review this document and let Stacey (cc'd) know of any changes/errors you think need to be fixed before we release the final to the community. I've not yet closely reviewed the document; I will provide my own feedback to Stacey when I have a chance to read it more fully. 


thanks,
Andrew

Marisa Fagan

Mar 18, 2026, 11:40:18 AM
to Andrew van der Stock, Global-board, Stacey Ebbs
Hi Stacey!

This is a great resource that is really setting the tone for a great year!

My one suggestion is that “Fundraising” should show up last on the list, not first. I personally read lists in priority order by default and “fundraising” is not the priority that has the most people involved and it just doesn't seem right to me that money would be listed as our top priority. Hopefully that makes sense. So I would list fundraising last but otherwise the order is good.

-Marisa

--
You received this message because you are subscribed to the Google Groups "Global-board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to global-board...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/401290c6-de4b-40a7-a8c7-4b611a927717n%40owasp.org.

Louis Griffith

Mar 18, 2026, 12:36:00 PM
to Marisa Fagan, Andrew van der Stock, Global-board, Stacey Ebbs
Hi Marisa,

I completely understand your perspective on how ordering can imply priority.

That said, I do believe the current order works as intended. While fundraising may not represent the most visible or broadly participated activity, it serves as the foundation that enables all the other pillars. Global collaboration, education, policy efforts, and risk reduction initiatives all depend on having the financial resources in place to operate effectively and sustainably.

In that sense, positioning fundraising first isn’t about signaling it as the “top priority” in terms of importance to the mission, but rather recognizing it as the enabler that makes the rest possible.

Appreciate you raising the point.

Best,

L. B. Ricardo Griffith
Vice Chair, OWASP Global Board
📧 Ricardo....@owasp.org | 🌐 https://owasp.org 


Steve Springett

Mar 18, 2026, 9:27:27 PM
to Marisa Fagan, Louis Griffith, Andrew van der Stock, Global-board, Stacey Ebbs
I agree Ricardo. In fact, the Linux Foundation constantly reminds me of this. Just yesterday, they issued a funding-specific press release that enables the foundation to achieve its mission. Funding is the thing they led with.

Stacey,

The document looks fantastic and reads well. Very nicely done. I’ve reviewed up until the fourth pillar. I likely will not be able to review the last two pillars until Friday.

Feedback:

- The graphic with “A world with no more insecure software” is really pixelated. The background is obviously a rasterized image from Hugo, however, the text, logo, 25 years, etc should be vectors so they look crisp. On a 5K 40” monitor, the text looks very blurry.

- I would replace “Open Worldwide software security Project” with “OWASP Foundation”. We never really refer to ourselves by our full name.


- “Shoping security requirements…” under Policy and Regulation doesn’t sound right. “Shoping” is the wrong word here. Also, what is the significance of color shading differences between the 5 pillars? I find it a bit distracting.

- “nfrastructure”, “fulfil”, “Thisstructure” are incorrectly spelled.

- Need a full stop after "attracting even more people"

- Is Oxford English the target? I see “ize” and “ization” for words originating with the Greek -izo suffix. This is how U.S. English and Oxford English spell them, but not British English. There is also the use of the words “flavour”, “theatre”, and “modelling”, all of which are Oxford and British English spellings. So the combination of these leads me to believe that Oxford English is the target. Just confirming. 

- “Millions of developers write code daily…” this may be perceived negatively in the age of AI. Just since December, the models have improved to the point where secure coding education is less of an issue and more of an AI implementation detail. If we focus on “software engineering” rather than limiting it to writing code, that would lead to secure architecture and design, which is something AI struggles with.

- “rote memorization”? I actually had to look up what “rote” meant. Not sure if your non-native English speakers will know what it means either.

Again, great job on this.

— Steve

ashwini siddhi

Mar 20, 2026, 5:54:49 AM
to Andrew van der Stock, Global-board, Stacey Ebbs
This is great work by Stacey!
Outside of Steve’s comments — which I completely agree with — I had one additional thought on the length of the document. It might be helpful to include a concise summary or annexure that captures the key points preferably with some graphics or visuals. I’m not sure how many people will go through a 25-page document in detail.  

Regards
Ashwini


ashwini siddhi

Apr 22, 2026, 7:55:08 AM
to Stacey Ebbs, Global-board, Andrew van der Stock
I love the highlights version very much.
Thank you, Stacey. 

Regards
Ashwini

On Tue, Apr 21, 2026 at 7:02 PM Stacey Ebbs <stace...@owasp.com> wrote:
Hi All, 

Thank you for your feedback. Andrew has also provided detailed changes, which have now been incorporated alongside everyone’s comments.

Please find V2 of the document here for your review.

Ashwini, to your point, I agree that this is a long-form document. We will create a highlights page on the website with an overview of the key pillars for those who do not wish to read the full version. I hope this helps, and I’m also happy to develop a one-page summary if further feedback indicates it would be useful.


Thank you all,
Stacey

Andrew van der Stock

Apr 26, 2026, 12:23:50 AM
to ashwini siddhi, Stacey Ebbs, Global-board
Pending any additional feedback, I'd like to have this published after the Public Board meeting on Tuesday. Please review before then. 

thanks,
Andrew

ashwini siddhi

Apr 27, 2026, 12:31:33 PM
to Andrew van der Stock, Stacey Ebbs, Global-board
Thought we were including the Industry Framework piece too before it goes out?

Regards
Ashwini

ashwini siddhi

Apr 30, 2026, 12:35:00 PM
to Stacey Ebbs, Andrew van der Stock, Global-board
Hi Stacey,

Yes, please go ahead. Thank you.

Regards
Ashwini 

On Thu, 30 Apr 2026 at 9:58 PM, Stacey Ebbs <stace...@owasp.com> wrote:
Hey Ashwini, 

I hope you are well. 

I just wanted to confirm if you are happy for me to go ahead and publish the strategy document. 

The last correspondence I had from Andrew and the board was on April 16th, stating the following: 

If there are no strong objections, let's proceed with the term "Industry Advisory Council" so we can unblock the Foundation staff to release and use this material.

The document has been updated to reflect this term, and Missie has also used this term in her collateral for corporate supporters. 

Let me know if this needs further discussion. I'd be happy to set up a call. 

Thanks so much 
Stacey  