[Global_industry_committee] Here is the latest list of registrants for AppSec EU

Marco M. Morana marco.m.morana at gmail.com
Tue May 10 12:48:53 EDT 2011



I am on the list and I will be happy to join a meeting/discussion for ISOs
while at AppSec EU on June 9th along the topics of this email thread herein,
CISO survey etc.


I will be in Rome on the 8th for another security conference but I will be
there all day on the 9th in Dublin since giving my talk in the afternoon with
Tony UV.


I am also local to Joe Bernik here in Cincinnati so I would be able to
relate and follow up any topics that can be handled locally.




Marco Morana

OWASP Cincinnati Chapter Lead


From: global_industry_committee-bounces at lists.owasp.org
[mailto:global_industry_committee-bounces at lists.owasp.org] On Behalf Of Rex
Sent: Tuesday, May 10, 2011 12:29 PM
To: Sarah Baso
Cc: Fabio Cerullo; Eoin; Global_industry_committee
Subject: Re: [Global_industry_committee] Here is the latest list of
registrants for AppSec EU



Thanks for the information.  This does help.  My follow up questions are:

1) What is the list of invitees?
2) Do we have a critical mass to make it worth holding the session?

These questions are specifically targeted at Joe, David, Eoin and Fabio.

Sarah - to answer your question, I am certainly interested in continuing the
CISO session, but only if we have  adequate quality and quantity of
attendance planned.  If it's just a handful of folks who happen to work in
industry, then I'm not sure it's worth spending $2k each for Nishi and I to
travel to the conference.


On 5/10/2011 11:04 AM, Sarah Baso wrote: 

Rex - 
I understand your concern and also want to make sure we have clear
communication.  I do think we have covered most of the items you brought up
via email or call in the last couple of weeks, but maybe the message has not
been as consistent or clear as it should have been.  Here are my thoughts
about the issues/questions you brought up. (in red)

Although there were some vague discussions about the possibility of doing a
full day track, we have not had a GIC call that this was ever decided. On at
least the last 2 GIC calls we have talked about one or a few more restricted
sessions with a GIC focus. 

Here are my reservations/concerns that I'd like to solve before we set this
in stone:

1) What is the structure in broader context of the conference?  Is the GIC
session the only break-out session or is it one of many break-outs? If you
look at the Conference web page (www.appseceu.org/) or wiki page
(https://www.owasp.org/index.php/AppSecEU2011),  it is easy to find the
conference structure and the answer to your question. The conference is
offering 3 tracks (3 breakout sessions at most of the times that there is
not a key note speaker).  I have set up our sessions to correspond to
non-keynote times (10:15-11:00, 12:05-12:50, 3:00-3:45).  Additionally, the
chapter committee is having a chapter leader workshop from 2:30 to 6pm on
Thursday afternoon. 

2) What is our goal/mission?

As also discussed on the last two calls is to overall work toward achieving
the GIC's 2011 committee initiatives -- most importantly 1) Engage in
discussion with the appsec community (and various industry verticals) to
learn how GIC can become more relevant in the context of Industry.  2)
Communicate with people not currently involved in OWASP about what OWASP and
OWASP Tools can offer their organizations and determine what things are not
currently being offered to them that would make them interested in
sponsoring/supporting OWASP.

The idea was to determine the best ways to meet these goals.  

*	One of them was for Nishi to rollout the GIC outreach presentation
she has been working on (which looks great).  Nishi's presentation will
hopefully communicate to various industry personnel some of the things OWASP
has to offer. She should be able to get some feedback on the presentation at
the session. Nishi has provided me with a description of her session as

The purpose for this session is to help organizations understand why
application security is important and how OWASP can help in making their
applications more secure. It will give them an opportunity to learn what
documentation, training, architecture, tools and infrastructure is
available. The best part is all these materials are free. OWASP provides the
solution for their application security needs. We are also looking to
improve collaboration by helping get more organizations participating in
OWASP projects. This will help us ensure that we account for the various
needs of industry and develop well vetted best practices. 

*	Rex, you volunteered to attend AppSec EU and my understanding was
that you wanted to go with the purpose of furthering your CISO survey.
Although I have asked for particulars on the goal/mission of this particular
activity, I haven't received much other than "I'd like to take 30-60 minutes
to have a group discussion about what information they'd like to see in such
a survey...basically using our target audience to help develop the nature
and content of the survey." I would like to hear more on what you see as the
goals/mission of your session.

*	Since our committee really needs to learn more from certain members
from industry about what ROI they are looking for when supporting/sponsoring
OWASP... Joe and I determined that I could lead that session (with him
dialing in/using webex) to share some of our committee ideas on what we have to
offer them and in turn hopefully get some honest feedback on whether that
would be appreciated/utilized

3) If it's scheduled on the 10th, do we have a feeling for how many people
will stay during the last day?

While it is the "last day", since the conference is 2 days, I think there is
a pretty good chance that most of the people will still be there.  I don't
know how else we can gauge this than to invite people and see what they

4) How do we identify invitees and how do we invite them?

As also noted on our last call and a few emails that you have been included
on, both Joe and David have said they were willing to go through the list of
current registrants to determine who we should send targeted invitations to
(although this won't be a closed door session so anyone can attend).  Also,
Eoin said he has some people he wants to send targeted invites to and other
GIC members are open to send their thoughts (Joe and David will be doing
this too).  The goal is to not have a session saturated with vendors, but
instead target personnel from various industries that are more the client
(for lack of a better term). So, individuals coming from financial
institutions, government, education, retail, etc.

I will invite them by sending a paperless post (Joe apparently has been
getting other business related invitations through this form of media, and
we both thought it would work well for this): http://www.paperlesspost.com/ 

5) Have we invited anybody thus far?  If so, who?

I sent a preliminary invite to Rob Mann from Google (one of David's
contacts) to the GIC roundtable discussion, and told him I would follow up
this week with other details. I also spoke with Charles Schmidt from The
MITRE corp in person this morning (at Secure 360). He is speaking at AppSec
EU and said he would be very interested in attending one (or more of our
sessions).  I told him I would follow up later this week with details.

6) What is the incentive for invitees to attend?

That is part of what I was asking you to put together for your session. I
have asked Nishi the same thing.  As one of the GIC reps who volunteered to
put things together for this event, I would expect you to be part of this
planning process.  Thoughts?

7) What is the opportunity cost for invitees to attend and how do we
mitigate that?

The opportunity cost would be that they would be missing other
speakers/break out sessions that they had hoped to attend or would get
informational benefit from.  In order to mitigate that we can do a couple of
things (my ideas off the top of my head):

*	Offer our sessions when there are not other sessions that the
attendees we are targeting would be interested in attending 
*	Offer just as much informational benefit (maybe not the same, but a
comparable benefit) at our session(s)
*	Offer them some conference discount?  Or some other financial
benefit... a free OWASP membership or one for their organization?  In order
to make this fair to conference planners, GIC might have to make up this
cost out of our budget.

Does this help clarify things?  
I am going to keep moving forward with these committee initiatives - for the
sessions that Nishi and I will be running.  Depending on where you are at in
terms of your session, maybe you think it would be better for you to skip
the CISO survey session at AppSec EU and just target AppSec USA for

Sarah Baso



On Mon, May 9, 2011 at 1:59 PM, Rex Booth <rex.booth at owasp.org> wrote:


I know the below may be a wall of text, but we have some important questions
to answer.  Eoin and Fabio - if you can weigh in (particularly on the
industry outreach for attendees), I'd greatly appreciate it.


On 5/8/2011 8:34 PM, Rex Booth wrote:

This is where I'm not entirely comfortable with the GIC break-out.  My
initial understanding was that there would be a focused outreach to industry
leaders to attend a GIC-sponsored track dedicated especially to their needs.
What we have planned now is a far cry from that vision and, frankly, of
questionable ROI given the expected travel expenses.

Here are my reservations/concerns that I'd like to solve before we set this
in stone:

1) What is the structure in broader context of the conference?  Is the GIC
session the only break-out session or is it one of many break-outs?
2) What is our goal/mission?
3) If it's scheduled on the 10th, do we have a feeling for how many people
will stay during the last day?
4) How do we identify invitees and how do we invite them?
5) Have we invited anybody thus far?  If so, who?
6) What is the incentive for invitees to attend?
7) What is the opportunity cost for invitees to attend and how do we
mitigate that?

Most importantly, the reality is that we struggle to get industry
representatives to attend any of our events, let alone cross the Atlantic to
do so.  Accordingly (and fair or not), the GIC is relying heavily on our
European friends to find the right attendees for this.  If this is an
unrealistic expectation, we need to revisit our commitment to the break-out.

I would very much enjoy attending AppSec EU and am grateful for Eoin and
Fabio's hospitality, but without resolution on the above, I don't think it
makes sense to spend the money to send representatives from the US
(especially when Colin is already there and may be able to represent us -
don't let me assume too much, Colin).

Let's get some answers to the above before we start confirming logistics.


On 5/8/2011 5:01 PM, Sarah Baso wrote:

Eoin- I should be getting that from david, Joe, Rex and nishi so I can
send out the invites in the next day or two. I will send it to you and
if you have anyone to add I would be happy to include them.


On 5/8/11, Eoin<eoinkeary at gmail.com>  wrote:

Do we have a list of invited delegates please?

Sent from my HTC hero.

owasp board member

On 8 May 2011 20:30, "Colin Watson"<colin.watson at owasp.org>  wrote:


Great, I just wanted a "sanity check", and didn't mean to put down any
of the efforts on these initiatives. I missed a couple of GIC calls so
wasn't entirely up to speed.


On Sunday, 8 May 2011, Sarah Baso<sarah.baso at owasp.org>  wrote:

Hi Colin,
Thanks for your comme...

I know you are busy with other


OWASP Operational Support for Global Chapters, Conferences, and Industry

OWASP MSP: Host to OWASP AppSec USA 2011
September 20-23 Training, Talks, CTF, Showroom, and More
www.appsecusa.org <http://www.appsecusa.org/> 
@appsecusa, @owaspmsp @OWASPSummit

Dir: 312-869-2779
skype: sarah.baso
sarah.baso at owasp.org <mailto:lorna.alamri at owasp.org> 


