3 OWASP Summits
This section has the following chapters:
- Great description of why OWASP Summits are special
- I want to vote for a Summit Team+Vision, NOT for a venue
- OWASP Flight Booking using Amex and Projects’ Mini-Summit at OWASP AppSec USA 2013
- Some proposed Visions for next OWASP Summit
- Summits must be part of OWASP’s DNA
- When is the next OWASP Summit?
3.1 Great description of why OWASP Summits are special
Abe (on the owasp-leaders list) just posted the text below in response to my Summits must be part of OWASP’s DNA reply, and it provides one of the best descriptions of what makes OWASP Summits special and worthwhile (please read it).
If you’ve never been to one of our Summits, this is why they are so important and necessary (imagine what we could achieve with regular Summits).
On 6 Apr 2012, at 18:14, Abraham Kang <abraham.kang@owasp.org> wrote:
Although I agree with Jim in spirit.
I have to admit that I was able to get things accomplished at the 2011 Summit that would have taken longer had I not attended the Summit.
I was kind of stuck on the DOM based XSS cheat sheet because there were just so many existing ways and new ways of exploiting DOM based XSS. I was lost in trying to understand the exploiting instead of focusing on the mitigating.
The Summit gave me an opportunity to work with some of the top guys in Web security (Jim Manico, Stefano Di Paola, Robert Hansen, Gareth Heyes, Chris Schmidt, Mario Heiderich, Eduardo Nava, Achim Hoffmann, John Stevens, Arian Evans, Mike Samuel, Jeremy Long, Dinis Cruz, and others; please forgive me if I forgot to mention you) to get their ideas and refine mine.
I also was able to bring up issues that were affecting adoption by large enterprises of OWASP materials with Jeff Williams and others.
Finally, I was also able to meet the people interested in OWASP Web Development Guide (which I have been trying to reboot but having started a new job have failed to make much progress on) to discuss issues related to the guide and try to address them.
All of this would have been impossible to do without the summit.
I was also hoping to suggest that this year we try to bring to the summit other security members of the community that haven’t traditionally participated in OWASP (iSec Partners, Gotham Digital Science, etc.), as I have great respect for those guys and think they could contribute greatly to the success of OWASP.
The conference is viewed as being private but I thought it was open to anyone interested in contributing to OWASP. I think people would be willing to pay to attend a conference where they could speak to other leaders in informal meetings on topics of interest and provide the additional benefit of OWASP deliverables.
We are a very dispersed group; it helps to get people together to work things out, discuss and see the other people as human beings. I have to admit that the conference was also a lot of fun. I got to laugh with people I would have never had the chance to before this. Jokes don’t seem to go over as well when they are made over email. I got to hear stories of (Larry’s or Chris’s – the last names have been omitted to protect the guilty) midget experiences/encounters. I got to know of other people’s skeletons in their closets.
This allowed all of us to bond in a way that couldn’t happen without a conference like this.
Another benefit of these types of interactions is that everyone that attended last summit was involved with an OWASP project (which may be a good requirement). I met Andras (my German brother) of WS-Attacks.org and although I haven’t done a good job of it yet, I was hoping to reboot the OWASP Web Development Guide (I will send another email on that thread to explain my struggles) and see if I could use the content from WS-Attacks.org in the new guide (seeing as I did the translation revision for Andras) for the Web Services chapter. If I didn’t attend the Summit I wouldn’t have met him and made this connection.
Yes, there were a couple of things that could have been handled better related to the usurping of funds from individual Chapters’ accounts, and we probably could have spent less money on the incidentals, but there is great value in the Summit.
OWASP Rocks!
Warmest Regards,
Abe
Sorry for being so long winded.
3.2 I want to vote for a Summit Team+Vision, NOT for a venue
I wrote the text below on 11/Mar/12 and originally sent it to the OWASP Summit 2013 mailing list (you can see some comments on it there). With the recent announcement of the cancellation of the OWASP Summit 2013, I wanted to write a number of blog posts about OWASP Summits (so here is the first one).
Subject: I want to vote for a Summit Team+Vision, NOT for a venue
Following the Summit call on Friday I finally realized what was worrying me with the current Summit 2013 planning process: **we are being asked to vote/select a venue before we have chosen:**
- a) who is going to lead the summit team,
- **b) what is its vision, and**
- c) what team/energy they can generate.
When I asked at the end of the call “so who is going to be the leadership team of the Summit, since that should be different depending on which venue is selected?” _I got the answer “..this time is going to be different.. this whole group (on the Summit mailing list) is that leadership team, and it doesn’t matter where the venue is; once it is chosen, we are all in charge…“_
Now I am the first to want open solutions, but you don’t organize a Summit by committee (in fact you don’t even do it for conferences, chapters or projects).
There needs to be a core leadership team (1 to 4) that is all in sync with their vision for the Summit. Of course we want as many OWASP leaders to be involved as possible, BUT there needs to be a core team with the vision and authority to make decisions, mainly because some of the decisions cannot realistically be made by a bigger group (not to say that the bigger group shouldn’t be involved, but there are moments when decisions need to be made, and not everybody will have the same opinion/vision on the best course of action).
Just to be clear this is what I would like to be asked to vote on.
A ‘Summit Proposal’ with:
- **Summit Leadership Team** (1 to 4) who are responsible for defining and executing a proposed vision for the Summit (see below)
- **Local Summit Team** (5++) who COMMIT to going to the Summit
- **Remote Summit Team** (5++) who cannot go to the Summit but will help remotely (before, during, after) and might even try to organize a local (to them) event (Seba’s idea of other simultaneous mini summits)
- Advisory Team and Working Sessions Champions (5++) responsible for providing advice to the Summit Team and for helping with the development, promotion and (ideally) execution of the Summit’s Working Sessions
- External (to OWASP) participants (as many as possible) who agree with the proposed vision and commit to going, promoting or helping
- At the last Summit we (finally) had good success at bringing in a good number of external (to OWASP) participants (Mozilla, Microsoft, Google, etc…). A large number of them already had good ideas on _‘what the next Summit should be about’_, and we need to leverage these ideas and get them involved as soon as possible
- Paid Summit Team: professional contractors that will help to run the event (at the last Summit we had 6 external contractors + travel agency)
A vision for the Summit:
- What are the topics/themes?
- What is it all about?
- What type of venue would they like to get?
- Where should the Summit be?
A solution for improving the ‘Summit Deliverables’:
- This is what will survive the Summit, and we need to do a much better job at creating and promoting a number of solid+useful deliverables
- This needs its own strategy, and should be a key reason why we go with a specific Summit team (for example, should there be a post-Summit group that stays at the venue to wrap up the deliverables?)
Budget and Dates:
- How much money would they like to have from OWASP?
- When would they like to do the Summit?
- Other sources of income
In this model, an OWASP leader could be part of multiple teams (since the objective is to get the best out of the available resources). For example, given the past involvement and contributions of (just to name a few) Lorna, Jason, Justin, John W, Jeff W, Colin W, Jim M, etc…, it would be crazy not to have them involved in these teams (even if only as ‘advisers’).
I’m very happy that after two Summits there is so much energy behind having another Summit, but we need to do this right.
Now, at the moment we have two realistic proposals for the Summit (Royal Holloway and Boat) which come from two different points of view (and visions) of what the Summit should be. The other proposals are either not realistic or too far away (we can’t have a Summit that takes 20h+ to get to from Europe, the US or Asia).
For the record, I am not going to vote on the two venue proposals since both have what I consider to be ‘show stoppers’. We have talked about the positives of each venue, so there is no need to repeat them.
‘Show stoppers for Royal Holloway’
- **There is no team behind this proposal** (see above)
- **There is no active participation from the London/UK chapters** (after Dennis dropped his support)
‘Show stoppers for Boat Option’
- **There is no team behind this proposal** (see above)
- The venue is a 3000+ guest hotel on water. This will make it very difficult to re-create the Summit Experience on a boat of that size, and will mean that we will not ‘own the venue’: even in the unlikely case that we have 300ish participants, we will still be only about 10% of the venue capacity. This might, for example, limit our:
- **ability to bring in our own Food and Drinks** - This is very important since we know that we will need a good amount of beer (and wine) to be made available to the attendees
- **Hard Limit on start and stop of the Summit** (i.e. mandatory boarding day) - at the last two Summits we had people arriving and departing all the time (some due to other commitments and some due to missed/delayed flights)
- No ability to have ‘drop in’ participants - this is something we had a bit of at the last summit (some Portuguese Government officials were there for a couple of hours), and something that we should try to have a lot more of at the next summit (think of special keynote speakers, industry/government participants or special guests).
- **No ability to go and ‘buy something that is needed ASAP’** - I lost count of how many ‘shopping trips’ happened during the last Summits. It doesn’t matter how much you plan (and we tried hard), there is always something that is needed ASAP (from office supplies, to A3 paper, to network equipment, to medical supplies, to food, to drinks, etc…)
‘Not show stoppers but areas of concern for Boat Option’
- ‘Holiday perception’ - in addition to the fact that the argument _‘…it’s a good holiday venue which will allow the participants’ partners to also attend…’_ is not correct (no partners will want to attend the venue, and neither will the attendees want them to go), in the case of the boat its ‘holiday’ perception actually backfires. I.e. there is a good tradition of going to hotels/venues for Summits and working hard; there is less tradition of doing that on boats.
- Another issue with that many people on the boat is the ‘holiday atmosphere’ that will exist (with 90% of the other passengers on holiday).
- Both will make it hard to justify the trip to employers
- No experience at OWASP in doing an event on a boat - regardless of how much research we can do beforehand, as far as I know there have been no previous events organized by OWASP on a boat. This means that the number of unknowns is even bigger.
Moving forward, I think we have two options:
Option A) go with the Boat option
- Mark has done extensive research on this option, and as long as he takes the leadership role on the next Summit (i.e. he is one of the ‘Summit Leadership Team’) then we should trust him to make it a success
- Mark has extensive experience and a track record of delivering OWASP conferences, so since he feels so strongly about the boat option, he should be given the chance
Option B) wait for a ‘Summit Team+Vision’ proposal (as defined above)
- Put a pause in the current ‘Summit Venue’ allocation process
- Make a public request for ‘Summit Team+Vision’ proposals
- Wait for those proposals to appear (wait 1, 2, 3 or 6 months for them if needed)
- Vote on the best one
Sorry for not raising these issues before, but only in the last couple of days was I able to rationalize my worries about the current Summit 2013 process, which come down to this simple concept:
I want to vote on a Summit Team+Vision, not on a Venue
3.3 OWASP Flight Booking using Amex and Projects’ Mini-Summit at OWASP AppSec USA 2013
I just booked my flight using the new OWASP ‘Amex travel’ partnership and it was a great experience.
The price is quite decent (for a transatlantic flight), and since OWASP is covering this flight I’m now very motivated to really deliver and help out during the conference :)
And what makes me really happy is how this happened!
Basically Samantha Groves deserves 100% of the credit for me attending this conference (I didn’t go to last year’s OWASP AppSec USA), namely for finding a space for the O2 Platform at the Projects’ Mini-Summit that is going to happen during the conference (I’m calling it a mini-summit since the format is quite different from the previous Summits) and for sorting out the budget to cover my flight expenses.
This means that Samantha is (finally) being much more proactive in her role as ‘OWASP Project Manager’ and is starting to push the OWASP Project leaders to be involved and to participate (which is what I’ve been asking her to do for a while, and she is finally doing it :) )
**So thanks Samantha, and please keep up the pressure for getting OWASP project leaders together,** and to expose the OWASP community to the great stuff that is happening at these OWASP Projects:
- OWASP AppSensor
- OWASP Code Review Guide
- OWASP Development Guide
- OWASP Training and OWASP Academies (from OWASP Education Project)
- OWASP Enterprise Security API
- OWASP O2 Project
- OWASP Open SAMM
- OWASP Security Principles Project
- OWASP Testing Guide
- OWASP Zed Attack Proxy (ZAP)
3.4 Some proposed Visions for next OWASP Summit
Since Summits must be part of OWASP’s DNA, and in case some of you are thinking of putting energy into creating the next OWASP Summit, I really think that the ‘Summit Proposal’ concept I detailed here is a good model.
So starting from the point that first we need a strong theme/vision, here are a couple of ideas:
- **OWASP Summit on OWASP Projects** - This would actually be one or more ‘mini-Summit(s)’ followed by a bigger one. The mini-summit(s) would be focused on very specific OWASP project activities (project review, project normalization/mapping, project XYZ work, project consolidation, Git migration, etc…), with the bigger Summit being the one where the results (of those mini-summits) would be presented, and where the main stakeholders (i.e. the OWASP Projects’ users) would come together to learn, share and collaborate
- **OWASP Summit on Web Frameworks** - This would be the location where the key players of Web Frameworks (like Spring, Struts, Apache Shiro, RoR, ASP.NET, J2EE Stack, Grails etc…) would come together with OWASP’s community, AND developers AND their ‘clients’. The key objective would be to figure out how to help make those frameworks/platforms ‘secure by default’, or at least to allow developers to easily code with them in a secure way. In fact we could even be a bit radical and do an **OWASP Summit on Apache Shiro** (http://shiro.apache.org/) since those guys are clearly doing something right and have the momentum in working with key frameworks
- **OWASP Summit on Static Analysis** - This is one that I’m especially interested in, and it would be focused on figuring out a way to really make Static Analysis work in a web security world. There is so much potential in SAST technology which is currently not fulfilled because the multiple parties (from tool developers, to security consultants, to users, to clients, to regulatory bodies, etc…) are not collaborating and working together to figure out a number of Open Standards which we can all use to communicate (for example, why can’t we feed static analysis data to a web proxy/scanner like ZAP?)
- **OWASP Summit on Web Privacy** - Privacy is becoming more and more of a big issue in the Web World, and with: a) browsers adding features like the Do Not Track header (http://donottrack.us/), b) new laws being passed, c) recent big privacy breaches, d) government regulatory bodies wanting to do something about it, and … {many more recent developments} … Privacy is definitely a topic which will draw a good crowd (and although one day it might be big enough to have its own dedicated ‘Browser Summit’, I think in the short term the Browser track (following the work done at the last Summit) should be part of this Summit).
Of course there are many other hot topics or OWASP Projects we could create a Summit around (ESAPI, OpenSAMM, Guide Trilogy, Cloud, DAST, Secure Coding, Code Review, PenTesting, etc…); what is needed to make it happen is a core team with passion and energy for it.
On the financial side of things, one thing that OWASP could do is to say: _“Here is 50k seed money, the rest you need to find from other sources (including internally, like OWASP Chapters)”_. And maybe even that 50k is not needed (if there is enough energy and supporters willing to buy ‘20k Summit tickets’).
3.5 Summits must be part of OWASP’s DNA
The last OWASP Summit 2011 represents the best of what OWASP can do, and nothing we did that year came even close to generating so much work, energy, serendipity and connections (not projects, chapters or conferences).
What you had there was a week of massive collaboration, relationship creation, work, brainstorming and planning (just look at this amazing picture from Ofer, Carlos and Vlatko; can you feel the energy!!! :) ).
That Summit was not a private/closed party; just take a look at the participants again (read it slowly, paying attention to the name of the attendee, their company and reason for attending: [https://www.owasp.org/index.php/Summit2011_Attendee](https://www.owasp.org/index.php/Summit2011_Attendee) (even better, read their bios here).
Also take a look at the planned tracks to see the wide range of topics that were on the agenda. For what actually ended up as a session, see the Fixed Schedule and the Dynamic Schedule.
Just about everybody that went to the Summit really worked hard, and we showed that OWASP is the only organisation in the world that is able to put in the same place (working together) individuals from different companies, races, religions and politics.
THAT is spectacularly unique.
One of my favourite comments about the Summit was: ‘Hey! This is just like the UN, but actually working!’
For example, the crowd that John was able to assemble in the browser track had never met before! (and some of them had even written a book together). Also, they are not your typical OWASP crowd (i.e. we were reaching out).
Yes (at the next summits) we need to be more focused on the deliverables, handle the post-summit activities better and bring in (even more) developers/architects/business-reps/‘non typical OWASP Contributors’. That said, if you haven’t already, please go and read the Summit Outcomes and Final Report now (if you are looking for an area of OWASP to be involved in, there are lots of opportunities still left in those outcomes).
BUT!!!! let’s not confuse the problems with the failed Summit 2013 attempt with the need for OWASP to have more Summits.
I was publicly very critical of the Summit 2013 (namely when I stated that ‘I want to vote for a Summit Team+Vision, NOT for a venue’), but that doesn’t mean that we should abandon the Summit activities.
Summits should be key to OWASP’s DNA since that is where we should regularly meet to work hard, collaborate, present recent developments and create action plans.
In that last post I presented a really interesting concept of what a ‘Summit Proposal’ should look like.
That is how (in my view) successful Summits are set up and executed (that is what I tried to do at the last two Summits), so please let’s make another summit happen :)
3.6 When is the next OWASP Summit!!!!!
Looking at the OWASP Summit pictures reminded me of the amazing experience that the OWASP Summit 2011 was. There was so much positive energy in the air and we got a lot done (see the final report and the sessions’ outcomes).
We need another one!!!!
Surely we can have one in 2013!
But if we are going to do it, we have to do it right :)
- Some proposed Visions for next OWASP Summit
- Great description of why OWASP Summits are special
- Summits must be part of OWASP’s DNA
- I want to vote for a Summit Team+Vision, NOT for a venue
- OWASP Revenue Splits and the “Non-profits have a charter to be innovators”
- Sometimes the best response is just say ‘YES’