Friday 4 December 2015

Request for OWASP board to approve 100K for a project Summit in 2016

(sent to the OWASP leaders list in early Dec 2015, following the original request made in June 2015)

Bumping this thread, since I believe not much has happened since.

I would like to request again for "OWASP board to approve 100K for a project Summit in 2016. And then ask for a team or OWASP leaders to lead that effort".
I know that Paul prefers that "Step 1 is for the community to create the proposal, timeline & value proposition that can be presented to the Board for approval."

But having led the organisation of two Summits before (with an amazing team), my view is that we need first that 100k commitment.

OWASP can afford this 100k, and if we really care about our projects, a dedicated "OWASP Projects summit" is not just important, it could be vital for the future of OWASP.

Think about the amazingness of having the main OWASP project leaders and their users in one place for one week (of course, this would also include other OWASP Leaders, like the ones that run our chapters and conferences).

Especially since we now have projects that are big enough to create their own working tracks (and even villas/villages :): ZAP, Top 10, Testing Guide, ASVS, Dependency Checker, Cheatsheets, OWTF, OSAMM, AppSensor, ModSecurity Ruleset, etc...

VERY IMPORTANT: This OWASP Project Summit would also be the place where we could reclassify the OWASP Project status, since it will be the perfect opportunity to properly review/map our projects. Realistically, it will take the kind of energy and resources only made possible in a DEDICATED OWASP summit, to really make a dent in our current OWASP Projects situation.

In fact, even if the main thing we would get from that Summit would be a massive cleanup of realignment of our OWASP Projects, THAT would be a massive success story, and worth every penny of it :)

That said, I think we can do much more than that at such a summit, since that would be the biggest concentration of AppSec knowledge in 2016 (focused on working on AppSec, vs participating in a conference). But it's good to start the Summit planning with a focused target.

(see links below to multiple blog posts I have written about OWASP summits, and how important they are for OWASP)


On 30 June 2015 at 22:28, Dinis Cruz wrote:
Hi Johanna, I stand by my original request (which you quoted):

"Request for OWASP board to approve 100K for a project Summit in 2016. And then ask for a team or OWASP leaders to lead that effort"

I think that is the correct sequence of events to create another Summit like the two we had in Portugal in 2008 and 2011.

For the ones that were not there you can read more details about those two Summits at and . For the 2011 event Sarah Baso created this detailed report which contains a lot of what we achieved and the thinking behind how it was organised and structured.  

I have also written extensively about my ideas about OWASP Summits, which you can find at "On the current OWASP Project Summit efforts (in Feb 2015)". That post contains links to other posts, but here are the main 'Summit related ones':