[Global_chapter_committee] Fwd: [Global_conference_committee] [OCMS] AppSec DC 2012 has been placed on hold

Seba seba at owasp.org
Fri May 20 10:09:19 EDT 2011


Valid remark on chapter's financials (see below).
Let's focus on some clear guidelines, prepare and discuss them at the next
conference call?
---------- Forwarded message ----------
From: Kate Hartmann <kate.hartmann at owasp.org>
Date: Fri, May 20, 2011 at 4:04 PM
Subject: Re: [Global_conference_committee] [OCMS] AppSec DC 2012 has been
placed on hold
To: Mark Bristow <mark.bristow at owasp.org>
Cc: Doug Wilson <doug.wilson at owasp.org>, global_conference_committee <
global_conference_committee at lists.owasp.org>

So, maybe we have more than 4.  I was under the impression that the
*goal* was to have 7 – one on each continent.  Mark, if the Conferences
can make a decision regarding the revenue allocation, why can’t the
committee make the decision to grow our outreach with more AppSec

I am well aware of the debates over AppSec DC 2010 … its name, its
location, its size…everything.  In every facet other than where it’s been
categorized in the “event bracket” it is an AppSec event.  You really can’t
make an argument that it’s not.  Two days of training, two days of plenary
sessions, huge budget, revenue producing.  So, really, Mark, let’s call it
what it is.  That’s NOT a bad thing.

Let’s have 7 AppSec conferences globally.  Let’s have the training and the
attendance.  Let’s formalize the OWASP Track and add it to the 7 Global
events.  The world is big enough and our mission and purpose is so important
that this can be easily supported.  What is the downside?

Let the local chapters drive their mission locally and benefit from the
sponsorship and membership revenue this might create.  EVERYONE on the
Conferences committee knows how difficult yet how rewarding it is to host an
event.  The true, ongoing benefit from a local or regional or whatever you
want to call it event is *not* the profits from ticket sales or table sales,
but the ongoing membership and growth that demonstrates success.  Let the
carrot be a “reward” of hosting an AppSec event.  Maybe instead of a call
for conferences, it is an invitation only selection.

So, from where I sit … and from what I hear, we need to stop the arguing and
focus on why we are all so passionate about what we are doing.  It’s
important stuff, guys.

Maybe, instead of debating over how a local chapter benefits financially
from a conference, the chapter’s committee should take a look at setting
some “policies” around chapter finances (does the balance in your account
expire?  Do you “pay” a fee to the foundation annually based on your
chapter’s balance?  Do we require each chapter with a balance over $1,000 to
have a treasurer?  Do we require these chapters to submit an annual budget?)

There are so many directions we can approach this from.  Let’s not let
ourselves get so distracted by the foot stomping.

Kate Hartmann

Operations Director



Skype:  Kate.hartmann1

*From:* Mark Bristow [mailto:mark.bristow at owasp.org]
*Sent:* Friday, May 20, 2011 9:07 AM
*To:* Kate Hartmann
*Cc:* Benjamin Tomhave; John Wilander; Doug Wilson;

*Subject:* Re: [Global_conference_committee] [OCMS] AppSec DC 2012 has been
placed on hold

Ooh and to Ben's point right now there are only 4 Global AppSecs permitted
each year (cap was placed by board in 2010 as part of the AppSec DC 2010
debate Doug mentioned).  There is also a requirement to move them around in
their regions (NA, SA, LA, ASIA) to at least different cities so that we can
reach more people (Again, re board).  Perhaps these requirements don't make
sense anymore and should be discussed by the GCC.

On Fri, May 20, 2011 at 9:04 AM, Mark Bristow <mark.bristow at owasp.org>

FYI AppSec DC 2010 was a REGIONAL/THEME event, not a local one.  I also
agree that AppSec DC is different, it's bigger than other regional events
but frankly I think it should serve more as a model than some sort of one
off anomaly.  It reaches its stated target market (government), it's
profitable, and attracts a large (for a regional event) audience
(outreach).  I'd like to see more of these events reaching out than less.
After all our mission is to make Application Security Visible.

On Fri, May 20, 2011 at 8:53 AM, Kate Hartmann <kate.hartmann at owasp.org>

AppSec DC is indeed different from the other local/regional events.  I think
we need to look at a couple of different measurements:  size, scope,
purpose, duration, and cost.

Having participated in both AppSec DC 2009 (the Global AppSec for that year)
and AppSec DC 2010 (categorized as a local event) I did not really notice
much of a difference.  DC is definitely unique in that it houses the US
government.  It is a very, very concentrated area of military and political
leaders.  In today’s climate of cyber threats on a global level, I think
that AppSec DC should serve as an example to others as a way to promote our
mission in the government sector.

I, by the way, am very interested in EU government.  Those who do not study
history are destined to repeat it.  I would welcome an EU government focused
AppSec conference.  I know that AppSec LA is very much involved with the
Brazilian government.  I think that the tone and theme of the conference is
really driven by the planners.  AppSec USA is definitely a different animal
than AppSec DC, just as AppSec EU could be different from an AppSec Berlin.

Kate Hartmann

Operations Director



Skype:  Kate.hartmann1

*From:* global_conference_committee-bounces at lists.owasp.org [mailto:
global_conference_committee-bounces at lists.owasp.org] *On Behalf Of *Benjamin
*Sent:* Friday, May 20, 2011 8:33 AM
*To:* John Wilander
*Cc:* global_conference_committee; Doug Wilson
*Subject:* Re: [Global_conference_committee] [OCMS] AppSec DC 2012 has been
placed on hold

Geo-politically, I couldn't disagree more, John. More importantly, AppSec DC
is way more than just a regional event. It's more appropriate to treat it
like a "Global AppSec" event than as a regional/theme event. It's also
unfair to other regional events to have AppSec DC included as an example; it
skews the measure.

On Fri, May 20, 2011 at 2:46 AM, John Wilander <john.wilander at owasp.org>

I attended AppSec DC 2009 which was the AppSec USA that year. When Americans
on-site told me "DC" automatically means government focus I was surprised
and slightly disappointed. The DC-government connection wasn't made clear
for non-American attendees. For instance in Europe capital cities are not
only political centers but also cultural, financial, business, scientific,
and shopping centers of their respective countries. An "AppSec Berlin"
wouldn't imply any specific focus at all (except for great beers and night

As a non-American attendee of global OWASP AppSec conferences I'm as
interested in the US Federal Government as American attendees would be of
the EU parliament. I'm guessing "not so much" :).

AppSec DC is a very important conference for OWASP and even more so for the
American appsec business. But it's not a global AppSec. Maybe "national" if
that makes sense.

Regards, John


In English (frequent tweets) https://twitter.com/johnwilander

In Swedish (sporadic tweets) https://twitter.com/johnwilanderswe

On 20 May 2011 at 01:52, Benjamin Tomhave <benjamin.tomhave at owasp.org> wrote:

 Thanks for the detailed background. I've removed the hold and voted to
approve. That said, I strongly believe that this event should be classified
under the "Global AppSec" header. OWASP is making a considerable investment
in this event, it's clearly bigger than a regional event, and it serves a
purpose vital to the Foundation. While I don't want to hold things up any
more than I already have, I do not believe AppSec DC should ever be used as
a measure for how other regional (and local) events should be managed from
the OWASP/GCC perspective.

On Thu, May 19, 2011 at 3:48 PM, Doug Wilson <doug.wilson at owasp.org> wrote:

On Thu, May 19, 2011 at 2:56 PM, Benjamin Tomhave <
benjamin.tomhave at owasp.org> wrote:

It is? I thought it was a DC chapter event with regional draw. If this is a
formal OWASP event, then I'm again confused by the classification. It seems
like AppSec DC is enjoying a unique status, and that, per the other thread,
you're trying to force all other regional, theme, and local events to
operate in the same fashion. This loops right back to my questions on the
types of events, who classifies them, and how responsibilities are divided
between event organizers and the Foundation.

On May 19, 2011 9:39 AM, "Mark Bristow" <mark.bristow at owasp.org> wrote:

Ben, et al,

Mark is trying to do his best at not having conflict of interest, so he's
not going to cheerlead too much on the conference. I have no such qualms, so
here's my $.02:

We had a similar debate last year. Here's how it played out. Hopefully you
can see the same discussion echoed in your current one, and it may or may
not help.

The first round of AppSec DC (2009) was as a "Global AppSec US."

We were asked by the board specifically if we would undertake doing a
conference in DC for 2009. They charged us with three things:

1. Raise the bar of what it means to do an OWASP conference

2. Come in on budget (if not turn a profit)

3. Establish a relationship with the Federal Government, as only those
positioned in DC can uniquely realize.

We did the first two just fine. It was great, wonderful, and everyone said
"oh, we should do this again." We also realized that although we were off to
a great start, there is no way that 3 can be completely realized in a year,
or even several years. It needs to be an ongoing, evolving entity.

However, when we went to do it the next year, there were a variety of
complications at the greater OWASP political layer.

One of which was board members (who regardless of what they say, at that
point, had absolute power over decisions allocating budget) saying

1. Isn't this a regional event?

2. Because it's regional, maybe it should be called something else?

3. Because it's regional, aren't you supposed to get less money?

To this, we responded yes, it's a regional event -- but it's also a unique
event with established branding, because it's not only about the region, but
it's about OWASP and the federal sector. So therefore, it's regional in the
same way that the federal government is regional to DC -- that happens to be
the center of it, but it's much more far-reaching in scope and effect.

Having one event does not make a relationship. Having an event that only
happens every five years will not make a relationship. And stepping down in
scale (to the point of not being able to have it be in DC in a professional
venue) will not build a relationship either. If you really want us to
establish a relationship with the US Government, it has to be done on a
recurring basis, and over time.

So, we said, we can continue as a unique entity, retaining our branding,
location, venue, etc, and further the goals you charged us with, or we can
pretty much waste the success of the prior event, because as a strictly
regional event, we won't be able to build or improve on the prior year (in
fact, not even come close).

After similar debate, they finally told us to go ahead, because they still
wanted the core values that they had charged us with the year before, and we
had a sound model. And, despite a variety of political issues in OWASP, the
AppSec DC folks making tons of concessions and getting very little in return
at the national level, and various other issues, we STILL had a successful
conference and STILL came out in the black. We also had a markedly larger
level of federal involvement, and many entities involved in that are looking
forward to the next one to contribute even more.

In light of last year, we've moved the target date, de-conflicted a bunch of
things, and are poised to execute the plan that has worked for the last two
times around having removed a lot of obstacles and gotten things ready to
grow and build on our past success. We have a working budget model that is
realistic (being based on a worst case of the past two years when we expect
much better). And we have (most importantly) a lot of presenters, attendees,
and volunteers who are eagerly awaiting the announcement of the next one.

But we can NOT do this without OWASP's backing. Well, we could, but it would
involve shopping the idea out to corporate sponsor and that's a commitment
that Mark and I are not prepared to do at this time. We have lives with a
lot going on, and it's one thing to work with a known entity of OWASP and a
known model, it's another to have to go start from scratch on the finance
side. So thus the need for the decision and approval of the GCC -- and
sometime soon. The Convention Center has already been more than generous in
letting us hold onto space based on our past track record, but they won't do
it indefinitely.



PS -- AppSec as a term is used by everyone and their mother now. "AppSec DC"
however denotes a very specific event to those who have attended and heard
about it.

Doug Wilson



OWASP DC Chapter Co-Chair


AppSec DC 2010 Organizer


Global_conference_committee mailing list

Global_conference_committee at lists.owasp.org



Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org

