Saturday, 3 December 2016

Please help to set the date for the next OWASP DevSecCon Summit. Great description of OWASP Summits

Hi, we are in the final stages of choosing the date for the next OWASP Summit and it would be great if you chipped in with your preference.

Please use the Doodle poll at http://doodle.com/poll/e8d4p955rc8guuru and join the other 44 participants.

The OWASP Summit is starting to shape up quite nicely, with a number of good workshop ideas already in the works. Please check them out at https://github.com/OWASP/owasp-devseccon-summit/tree/master/Workshops and help to make them better:
  • what topic is missing?
  • who should be at those workshops?
  • what should the participants focus on?
  • what should the objectives/outcomes be?
If you have not been to an OWASP Summit before (i.e. the 2008 and 2011 editions), please see below a great description of what they are (from an email sent by Abraham Kang on 6 Apr 2012).

Thanks for your help

Dinis, Seba & Francois

----------------------------------------

Although I agree with Jim in spirit, I have to admit that I was able to get things accomplished at the 2011 Summit that would have taken longer had I not attended the Summit.

I was kind of stuck on the DOM based XSS cheat sheet because there were just so many existing ways and new ways of exploiting DOM based XSS. I was lost in trying to understand the exploiting instead of focusing on the mitigating.

The Summit gave me an opportunity to work with some of the top guys in Web security (Jim Manico, Stefano Di Paola, Robert Hansen, Gareth Heyes, Chris Schmidt, Mario Heiderich, Eduardo Nava, Achim Hoffmann, John Steven, Arian Evans, Mike Samuel, Jeremy Long, Dinis Cruz, and others; please forgive me if I forgot to mention you) to get their ideas and refine mine.
I also was able to bring up issues that were affecting adoption by large enterprises of OWASP materials with Jeff Williams and others.

Finally, I was also able to meet the people interested in OWASP Web Development Guide (which I have been trying to reboot but having started a new job have failed to make much progress on) to discuss issues related to the guide and try to address them.

All of this would have been impossible to do without the summit.

I was also hoping to suggest that this year we try to bring to the summit other security members of the community that haven't traditionally participated in OWASP (iSec Partners, Gotham Digital Science, etc.), as I have great respect for those guys and think they could contribute greatly to the success of OWASP.

The conference is viewed as being private, but I thought it was open to anyone interested in contributing to OWASP. I think people would be willing to pay to attend a conference where they could speak to other leaders in informal meetings on topics of interest and provide the additional benefit of OWASP deliverables.

We are a very dispersed group; it helps to get people together to work things out, discuss, and see the other people as human beings. I have to admit that the conference was also a lot of fun. I got to laugh with people I would never have had the chance to before this. Jokes don't seem to go over as well when they are made over email. I got to hear stories of (Larry's or Chris's -- the last names have been omitted to protect the guilty) midget experiences/encounters. I got to know of other people's skeletons in their closets.

This allowed all of us to bond in a way that couldn't happen without a conference like this.

Another benefit of these types of interactions is that everyone that attended the last summit was involved with an OWASP project (which may be a good requirement). I met Andras (my German brother) of WS-Attacks.org, and although I haven't done a good job of it yet, I was hoping to reboot the OWASP Web Development Guide (I will send another email on that thread to explain my struggles) and see if I could use the content from WS-Attacks.org in the new guide (seeing as I did the translation revision for Andras) for the Web Services chapter. If I hadn't attended the Summit I wouldn't have met him and made this connection.

Yes, there were a couple of things that could have been handled better related to the usurping of funds from individual Chapters' accounts, and we probably could have spent less money on the incidentals, but there is great value in the Summit.

OWASP Rocks!

Warmest Regards,
Abe

Sorry for being so long-winded.