Thursday 17 September 2009

OWASP Internals: Leaders participation at OWASP conferences

Email I sent earlier today to the owasp-leaders list with some comments about the idea of 'giving free conference tickets' to active OWASP leaders

----------------------------------------------------------------------------------------------------------------

Hey Rex, AppSec DC team and owasp leaders

First I would just like to second (i.e. agree with) Jeff's earlier email (sent to Rex & the AppSec DC team directly) saying that:
"...From my perspective, the planning of AppSec DC 2009 has been conducted with an extraordinary amount of professionalism and diligence. The Board is 100% behind your efforts. Please let us know how we can help promote the conference and make it an even bigger success. Thank you for all your great work on this..." (Jeff Williams)

That said :) and on the topic of giving free attendance to active owasp-leaders, I would like to add a couple more points (which I'm doing here on the owasp-leaders list since (I think) this is an OWASP community-wide issue):

  1. From my (personal) point of view OWASP is about building a great community of talented people which is focused on solving the ('small') problem of application security
  2. Although we have a great community with tons of great people across the world, I don't think we (OWASP as an organization) do ENOUGH to thank our most active contributors (who are, let's not forget, the ones who make OWASP OWASP)
  3. I am also very aware that although we are all quite individually talented/knowledgeable (each with his or her own unique areas of expertise), there is ONLY SO MUCH we can do as INDIVIDUALS, and it is only when two-or-more OWASPers talk to each other and COLLABORATE that real MAGIC occurs
  4. Taking the view that in order to increase OWASP productivity, quality and 'products' we need "OWASP to work better with OWASP" and "OWASP to work better with the WORLD" (something we are not as good at as we should be), I view it (as a Board member) as my responsibility to help make these CONNECTIONS and help take OWASP to the next level
  5. So when I asked the question on "... 'owasp chapter leaders have to recruit two other attendees to get a free ticket?'..." my objective was not to undermine or put in question the GREAT WORK REX AND THE APPSEC DC TEAM ARE DOING, but :) , to 'gently' raise the issue and see if we can help the 'owasp chapter/project' leaders to attend this conference.
  6. Before I describe why I don't agree with having the requirement for owasp-leaders to 'find two ticket buyers', I just want to make clear that this decision falls under the responsibility of the AppSec DC conference since they are the ones that are managing the budget for this conference :) . And remember that NOTHING in OWASP is set in stone, so if something makes sense, IS DOABLE and respects OWASP's values, then it is better to change it sooner rather than later
  7. One more point on owasp leaders. As a sign of recognition of their great work and contributions, at the last OWASP board meeting we (finally!!!!!!) decided to make ALL active & past OWASP project & chapter leaders OWASP members. There is currently a work thread at 3 Committees (Membership, Chapters and Projects) to try to figure out the criteria to do this, but basically the idea is to give all selected individuals (or companies) the option to: a) receive a free 1 year membership or b) pay for it. The irony is that I (Dinis) am not an OWASP member :) , and the main reason is that I had no requirement to become one. Now with the forthcoming elections and this offer, I will HAVE to become a member, and I will gladly pay the 50 USD membership fee, since even after accounting for the time I put into OWASP, I still receive enough value from OWASP to justify the 'business expense' of 50 USD :) :)
  8. Finally, on the issue of owasp-leaders having to 'find two ticket buyers to get a free ticket for the AppSec DC' (and even other OWASP conferences):
a) OWASP leaders are NOT paid for their contributions, so any successful OWASP leader has stories of sweat, blood, tears, long hours, etc...
b) some OWASP leaders are able to 'work' on OWASP while on their employers' time (something that we still fail to recognize in most cases), but I think it is fair to say that MOST of the work done is executed outside the work environment and in exchange for family/leisure/relaxing/sport time or (for independent contractors) in exchange for working on paid engagements (i.e. there is a significant PERSONAL or (short term) FINANCIAL cost in being an active OWASP leader)
c) we can't underestimate the work and value created by these owasp leaders (both chapters and projects) since they are the reason for our success and for the fact that we have tons of exciting projects, conferences and chapter meetings
d) OWASP is not a wealthy organization with Millions of Dollars in funds (like Mozilla or Wikipedia), and there WAS a significant DROP in INCOME from Corporate memberships in 2009 due to the (correct) decision to simplify the corporate membership to 5k USD and allocate 40% of it to the local chapter. That said, OWASP DOES have (some available) funds, and it is our (the Board's and all of yours) responsibility to make sure we use those funds wisely
e) so, on the question of 'giving free conference tickets to OWASP leaders', the question that I would like to see an answer to is 'How much does that cost OWASP?'
f) maybe the solution is to push this cost to the OWASP Board (or even the local chapter, if they have funds to support their chapter leader to participate in OWASP AppSec conferences (tickets, travel and accommodation))
g) back to the topic of the OWASP leader participating on OWASP AppSec conferences:
- this is something we should actively encourage and promote (it even has 'marketing value': "come to the OWASP AppSec XYZ conference where you will be able to meet 15 OWASP Project and Chapter leaders!!")
- they (the leaders) should participate in the keynote OWASP presentation (representing his/her chapter or project)
- if it is a project leader, he/she should be given a 5m/10m/15m/30m/45m slot to present his/her work
- if it is a chapter leader, he/she should be given a 5m/10m/15m/30m/45m slot to present what happens at his/her chapter, and give a 'quick' preview of the presentations that happened there in the last 6/12 months
- we have to remember that in a lot of cases (take Matt Tesauro's case) in order to participate in these conferences they have to use their 'Holiday/Vacation' days (which can be quite a large personal sacrifice)
- as OWASP grows and is more and more successful, we have to make sure that we keep managing the expectations and views of the 'VERY IMPORTANT' OWASP contributors that happen NOT to be involved in a particular conference. I really worry when I hear comments like 'I work so HARD for OWASP and I have to PAY!! to attend a conference that exists (in part) because of my contributions!'

Rex & Others, sorry for only sending these ideas and comments now (in an ideal world I should have been more involved with this conference organization), but as with everybody, I find it very challenging to find the time to participate and contribute as much as I should.

Again, the AppSec DC team is doing a GREAT Job (in a tough climate) and they deserve our maximum support!!!

Dinis Cruz