Web Application Security Consortium: Charter
To develop, adopt, and advocate standards for web application security.
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
As an active community, Web Application Security Consortium (WASC) facilitates the exchange of ideas and organizes industry Projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.
What We Do
- Create an open forum for the creation, discussion, and dissemination of knowledge pertaining to web application security.
- Educate the market regarding web application security related matters.
- Create a vendor neutral champion/voice of the web application security industry.
What We Don't Do
- WASC does not advocate vendor specific technologies, services, or solutions.
- WASC does not speak on any one person or company's behalf, but rather on the industry's behalf as an agnostic champion of web application security related matters.
Board of Directors
The Board of Directors is a five-person group of Officers responsible for the management and oversight of the consortium's business affairs in accordance with the Charter. The Board provides oversight for Projects to ensure timely completion and alignment with consortium goals. The Board of Directors is also responsible for management of corporate assets, allocating resources, and facilitating the organization’s broad objectives.
The five people on the Board of Directors are elected by the Officers every six months during the first full week of May and December. During the two weeks prior to the next Board of Directors vote, any non-emeritus status Officer of WASC who participated in the previous Board of Directors vote may submit himself or herself as a candidate for consideration of a Board of Directors seat.
When the list of candidates are announced, each Officer may vote for five of the listed candidates. Immediately following the close of the vote, the five candidates with the most votes are considered the new Board of Directors.
To minimize any conflict of interest, no more than one Officer employed by the same organization may be a candidate for or occupy the Board of Directors at the same time. If multiple Officers from the same organization submit there candidacy for the Board of Directors, the senior Officer, meaning the one with the earlier date of being elected an Officer, shall be given priority.
* If the number of Officers on the Board of Directors totals 3 or less, a new vote should be held immediately to fill the vacant positions for the current six month term.
The Board is responsible for carrying out the following activities:
- Review the status of Projects that are in-progress.
- Review new Project proposals.
- Govern the vote for Project proposal acceptance.
- Govern the vote for Project deliverable acceptance.
- Govern the vote for nominated Officers (Subject to Voting Limitations).
- Govern the semi-annual Board of Directors election process.
- Review Officer and Member requirement obligations.
- Process Officer nominated amendments to the Charter. Charter amendments require an affirmative vote of two-thirds of the eligible votes (Subject to Voting Limitations).
Board of Director meetings require a quorum of at least three members present. All decisons and resolutions must be approved by a majority of the votes cast. The Board of Directors may enact the following resolutions:
- Establish or dismiss commitees responsible for overseeing specific WASC activities and initiatives.
- Establish or dismiss personnel positions in WASC responsible for carrying out specific job duties.
- Appoint volunteers to serve as committee leaders in an established WASC committee.
- Appoint volunteers to serve in established personnel position.
The Board of Directors meets bi-monthly (in the form of virtual meeting) unless otherwise specified. The Board will discuss any old business, carry out current responsiblities, and discuss WASC's progress.
Officers are individuals whose participation in the consortium and contributions to the security community have been recognized by WASC. Officers are recognized experts who serve as industry thought leaders. Officers are responsible for the election of the Board of Directors as well as nominating additional Officers. Acting as an individual or on behalf of an organization, Officers collectively guide the direction of the consortium through voting and contribution. They coordinate their efforts through mailing list, conference calls, and annual meetings.
The Officer selection process is governed by the Board of Directors and is approved by a majority vote of the current Officers. All candidates must be nominated by an existing Officer and must have been a Member for a minimum of four months. Officers submit candidates for consideration in writing prior to the periodic Board of Directors meeting. Officer candidates must outline their qualification as part of the review and voting process. An Officer vote will be held to accept or deny the candidate as an Officer of WASC. Candidates may only submit themselves for consideration once every four months.
Upon acceptance, new Officers must show consortium participation by the next Board of Directors meeting. Failure to meet the requirements may be grounds for Officer conversion to emeritus status.
* There is a twenty person limit on the total number of non-emeritus Officers.
Subject to the appropriate charter process, an Officer may:
- Participate in the semi-annual voting process to elect the Board of Directors.
- Submit himself or herself as a candidate for consideration of a Board of Directors seat during the next election cycle. Provided they have participated in the previous Board of Directors or Charter amendment vote.
- Vote on new Officer candidates.
- Invite individuals for membership and nominate members for Officer positions.
- Submit new Project proposals for consideration by the Board of Directors.
- Vote on Project proposals and final Project deliverables.
- Propose and vote on amendments to the Charter during the semi-annual board election cycle.
- Participation in WASC Projects - Officer must participate in at least one Project at any given time. (periods of WASC Project inactivity excluded)
- Direct or indirect involvement in the Web Application Security industry.
- Support the adoption of WASC Projects in vendor products and industry standards.
When an Officer is converted to Emeritus status the Officer’s right to vote, responsibities, and ability to be counted for quorum is suspended until reinstated by action of the Officers. Emeritus status can be applied to an Officer voluntarily or by action of the other Officers. Officers in Emeritus status may still participate in WASC, attend meetings, and receive consortium correspondence.
An Officer may be converted to Emeritus status in the following ways:
- Voluntary conversion of Officer to Emeritus status through written notification by the Officer to the Board of Directors.
- Involuntary conversion of Officer to Emeritus status through a vote of two-thirds of the eligible Officers.
An Officer may be reinstated from Emeritus status by:
- Written request to the Board of Directors and an affirmative vote of two-thirds of the eligible Officers.
Committees are small groups of three to seven Members commissioned to oversee and carry out specific WASC business issues. Each Committee is responsible for developing their own agenda and operating procedures. Under the oversight of ths Committee Leader, Committees are granted decision-making authority for the content and direction of their group.
Committees are established by the Board of Directors and directed by a Board of Directors appointed Committee Leader.
Committee Leaders are Members, appointed by the Board of Directors, to lead a particular committee. Committee Leaders coordinate the direction of a Committee by developing its focus, assigning duties, and overseeing group progress. Committee Leaders have the responsibility for selecting Committee Members to assist the group activities.
Committee Leaders must report Committee activity and progress prior to each Board of Directors meeting.Committee Member
Committee Members are Members selected by Committee Leaders to assist with Committee activities.
Members are individuals or organizations whom registered with WASC to become involved in Projects and show their community support. Members are vital to the success of WASC since it is they who essentially define the market and who’s support demonstrates progress throughout the industry.
WASC has two types of members - Individual Members and Organizational Members. Individual Members are those not affiliated with any organization but rather participate on their own behalf. Organizational Members are organizations (corporate, government, academic, etc...) who support WASC activities.
Members who are employed by companies that have direct involvement in web application security are urged to become Organizational Members.
Any individual or organization is able to register with WASC free of charge.
- Register on the WASC website with their real name, organization, and valid contact information.
- WASC will verify submitted information.
- Notification will be sent upon acceptance.
- A member listing on the WASC website including the name of the member, title, organization, logo, and member-since date.
- Ability to display a WASC Member logo on a personal or organization website.
- Ability to participate in WASC Projects.
Projects are official consortium initiatives managed by Project Leaders with the participation of Members. Projects are created to supply the documentation required for the rest of the consortium and also fill a need within the industry at large.
Any Officer may submit Project proposals prior to the periodic meeting of the Board of Directors. Project proposals must include a Project plan describing the proposed Project Leader, scope of work, required activities, final deliverables, time frame, etc... The Project Leader will be in charge of identifying contributors who will assist with the Project and coordinating Project activities.
The acceptance of a Project proposals is subject to the following process:
- Project Proposal Submission
Board of Directors Project Nomination Review
- An Officer, prior to the next Board of Directors meeting, submits a formal project proposal.
New Project Vote
- Board of Directors reviews the Project plan for qualified Project Leader, scope of work, required activities, final deliverables, time frame, etc...
- Board of Directors reviews the plan for direction, completeness, and thoroughness.
- Board of Directors announces the Project proposal to the Officers or asks the submitting Officer for additional clarification.
New Project Announcement
- A vote of the Officers is held to accept or deny the Project proposal. Acceptance requires a majority vote.
- Upon acceptance of the Project proposal an announcement is made to all Officers.
- A public announcement is made.
Completion of Work
- Project Leader creates the Project team.
- Project team works to complete Project plan.
- The Project Leader submits periodic progress updates to the Board of Directors.
Project Deliverable Announcement
- Upon completion, Project Leader submits deliverable to Board of Directors for review.
- Board of Directors accepts deliverable or requests continued work/clarification by Project Leader.
- An Officer majority vote is held to accept or deny the Project deliverables.
- Upon acceptance of the Project deliverable announcement made to all Officers.
- Public announcement.
Project Leaders are Officers, approved by the Board of Directors, who serve as the technical lead for a consortium Project. Working directly with community contributors Project Leaders are responsible for creating development schedules, assigning duties, and carrying out day-to-day Project activities. Each individual Project has the technical decision-making authority for the content and direction of their group.
The voting process is managed by the Board of Directors. Ballots are cast openly.
- The Board of Directors receives a proposal or scheduled voting initiative.
- The Board of Directors is allowed 1-2 weeks to review proposals and additional time if further consideration is required.
- Officers are given one week prior notification of an impending vote.
- A standard format email voting ballot is sent to the Officers’ mailing list.
- Officers have one week to openly cast their votes to the mailing list.
- The Board of Directors tallies the casted ballots and submits the final outcome to the Officers’ mailing list.
In order to limit the influence of any particular group in the consortium certain limitations are placed on Officers during certain voting processes:
- Officers may nominate co-workers from the same employer, but Officers from the same employer may not particpate in the voting process.
- Only one Officer from the same organization may participate in the Charter ammendment voting process. The senior Officer, meaning the one with the earlier date of being elected an Officer, shall be given the right to vote.
Founded January, 2004.
Grossman, CTO, WhiteHat Security, Inc.
– CGI Security