Friday, 6 April 2012

Some proposed Visions for next OWASP Summit

Since Summits must be part of OWASP's DNA, and in case some of you are thinking of putting energy into creating the next OWASP Summit, I really think that the 'Summit Proposal' concept I detailed here is a good model.

So, starting from the point that first we need a strong theme/vision, here are a couple of ideas:
  • OWASP Summit on OWASP Projects - This would actually be at least one or more 'mini-Summit(s)' followed by a bigger one. The mini-summit(s) would be focused on very specific OWASP project activities (project review, project normalization/mapping, project XYZ work, project consolidation, GIT migration, etc...), with the bigger Summit being the one where the results (of those mini-summits) would be presented, and where the main stakeholders (i.e. the OWASP Projects users) would come together to learn, share and collaborate
  • OWASP Summit on Web Frameworks - This would be the location where the key players of Web Frameworks (like Spring, Struts, Apache Shiro, RoR, ASP.NET, J2EE Stack, Grails etc...) would come together with OWASP's community, AND developers AND their 'clients'. The key objective would be to figure out how to help make those frameworks/platforms 'secure by default', or at least to allow developers to easily code them in a secure way. In fact we could even be a bit radical and do an OWASP Summit on Apache Shiro (http://shiro.apache.org/) since those guys are clearly doing something right and have the momentum in working with key frameworks
  • OWASP Summit on Static Analysis - This is one that I'm especially interested in, and it would be focused on figuring out a way to really make Static Analysis work in a web security world. There is so much potential with SAST technology which is currently not fulfilled because the multiple parties (from tool developers, to security consultants, to users, to clients, to regulatory bodies, etc...) are not collaborating and working together to figure out a number of Open Standards which we can all use to communicate (for example, why can't we feed static analysis data to a web proxy/scanner like ZAP?)
  • OWASP Summit on Web Privacy - Privacy is becoming more and more of a big issue in the Web World, and with: a) Browsers adding features like the Do Not Track header (http://donottrack.us/), b) new laws being passed, c) recent big privacy breaches, d) government regulatory bodies wanting to do something about it, and ... {many more recent developments} ... Privacy is definitely a topic which will draw a good crowd (and although one day it might be big enough to have its own dedicated 'Browser Summit', I think in the short term the Browser track (following the work done at the last Summit) should be part of this Summit).
Of course there are many other hot topics or OWASP Projects we could create a Summit around (ESAPI, OpenSAMM, Guide Trilogy, Cloud, DAST, Secure Coding, Code Review, PenTesting, etc...); what is needed to make it happen is a core team with passion and energy for it.

On the financial side of things, one thing that OWASP could do is to say: "Here is 50k seed money, the rest you need to find from other sources (including internally, like OWASP Chapters)". And maybe even that 50k is not needed (if there is enough energy and supporters willing to buy '20k Summit tickets').