[Owasp-board] FW: OWASP Con Tutorials

Dave Wichers dave.wichers at owasp.org
Wed Dec 26 20:59:48 UTC 2007

I agree with this and would like to get more companies involved, so we
probably need to promote this more in some manner.


-----Original Message-----
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Wednesday, December 26, 2007 12:30 PM
To: OWASP Board
Subject: Re: [Owasp-board] FW: OWASP Con Tutorials

Something that I really would like to see at the next OWASP
conferences is the 'opening' up of our training.

Basically what we need to have is the BlackHat model where there are a
bunch of courses being offered (see for example
that work in the following format:

 - Company X or individual contacts OWASP that they want to provide 1
   or 2 courses at the next conference (& submits proposal)
 - OWASP conference committee analyses the proposal (for quality, past
   delivery experiences, relevance to OWASP and conflict with other
   courses) and says YES or NO (I would expect most answers to be YES)
 - If YES, course is added to registration page and registration for
   them is open.
 - 1 month (or two weeks) before conference, courses that have less
   than 5 students are dropped (unless the OWASP board or Conference
   committee decides that they are strategic for OWASP and want to go ahead
   with it)
 - course is delivered & students fill evaluation forms
 - the courses with positive evaluation are invited for the next OWASP
   conference, and the ones with 'not so good feedback' are dropped (note
   that here there is some room for maneuver since the Conference committee
   could decide to replace a 'not very popular' course with a new one)

Everybody should be able to submit a course proposal and we should
give preference to OWASP contributors. The financial model is the one
described by Dave (2,000 USD per training day + Expenses (with extra
1,000 USD if the course has more than 20 students)).

Regarding my (Dinis) course for delivery at the next OWASP conferences
I will want to continue to deliver the course on OWASP since I think
it is a very important course for OWASP (and with a couple more
deliveries I will get it into a good shape). So for .NET I will see if
I can get a couple guys I know to propose one (note: The .NET course I
delivered was 100% ad-libbed so I could easily do it independently (I
could break these two courses into 1 day each, but that might be too
short for the materials to cover))


On 12/22/07, Dave Wichers <dave.wichers at aspectsecurity.com> wrote:
> Have you two started working on this at all to figure out how to roll it
> -Dave
> -----Original Message-----
> From: Tom Brennan - OWASP [mailto:tomb at owasp.org]
> Sent: Saturday, December 22, 2007 9:03 AM
> To: Dave Wichers; Sebastien Deleersnyder
> Cc: Alison McNamee
> Subject: Re: OWASP Con Tutorials
> It's a great opportunity for an independent trainer or a commercial firm
> that wants to donate the training offering to OWASP turn-key.
> Any news on the membership packs/credit to attend events etc?
> Tom Brennan
> OWASP Foundation Board Member
> Tel: 973-202-0122 | Url: www.owasp.org
> -----Original Message-----
> From: "Dave Wichers" <dave.wichers at aspectsecurity.com>
> Date: Sat, 22 Dec 2007 08:44:57
> To:"Sebastien Deleersnyder" <seba at deleersnyder.eu>,<tomb at owasp.org>
> Cc:"Alison McNamee" <alison.mcnamee at owasp.org>
> Subject: RE: OWASP Con Tutorials
> Are you asking about the revenue share model for people delivering the
> courses? For people delivering classes, it's $2K / day plus travel. And for
> every 10 students above 20 they get in their class, it's another $1K/day.
> The pricing for the courses should be similar to last year in Milan. Could
> be the same, or slightly higher. That's up to you.
> -Dave
> From: Sebastien Deleersnyder [mailto:seba at deleersnyder.eu]
>  Sent: Friday, December 21, 2007 11:57 PM
>  To: Dave Wichers; tomb at owasp.org
>  Cc: 'Alison McNamee'
>  Subject: RE: OWASP Con Tutorials
> Dave,
> I'll include your recommendation for Europe
> Aspect: 2-day general Web App Sec, AND 1-day Leader/Mgr followed by 1-day
> Rich Internet Applications course.
> And will contact Gunnar & Dinis.
> How is the pricing model? Fixed for teachers?
> Regards
> Seab
> ----------------
> From: Dave Wichers [mailto:dave.wichers at aspectsecurity.com]
>  Sent: Monday 17 December 2007 23:03
>  To: tomb at owasp.org; Sebastien Deleersnyder
>  Cc: Alison McNamee
>  Subject: OWASP Con Tutorials
> Guys,
> Aspect is interested in being a tutorial provider at both conferences of
> What tutorials were you trying to get at your respective conferences in
> terms of topics?
> I think a basic class, and language and topic specific classes are a good
> idea. At the OWASP San Jose event we had these tutorials with the following
> # of attendees:
> General two day Web Application Security (Aspect Security): abt 30 - We've
> had 1 or 2 day versions of this at every conference
> Two-Day Java/J2EE Web Application Security (Aspect Security): About 17
> Two-Day .NET Web Application Security (Aspect Security): 5 Attendees
> Two-Day Web Services Security (Gunnar Peterson): abt 30 - We've had 1 or 2
> day versions of this at every conference
> Two-Day OWASP Projects/Tools Class (Dinis Cruz): 5 attendees -
> Two-Day Mod Security Tutorial (Breach Security): 2 attendees
> The standard and web services classes are staples that should be in every
> conference. You can contact Gunnar at: gunnar at arctecgroup.net
> I'd recommend some language specific classes as well. Dinis does a great
> .NET class, but he'd need to build it again from scratch. He previously used
> IOActive's content and doesn't have access to that any more.
> Aspect has a 1-day class for managers that I would recommend for both
> conferences. We've taught this class at least 40 times already. Aspect also
> has a 1-day Rich Internet Applications/AJAX class that we could pair with it
> to take up the 2-days.
> I'd also like to get other providers teaching there as well so I'd suggest
> you solicit, find other vendors. Historically it's been 1 class from Aspect,
> 1 from Gunnar, and 1 from Dinis. I'd like to get more providers and Aspect
> would like to teach 2 different classes if we can. More if you want us to :)
> For Europe, I think we can only commit to 2, but for NY we could do as
> many as you'd like us to teach, but I don't think it's appropriate to be the
> 'Aspect' show, so 2 or at the most 3 from Aspect would probably be best.
> In summary: I'd recommend the following:
> Europe: 2-day general Web App Sec, AND 1-day Leader/Mgr followed by 1-day
> Rich Internet Applications course.
> U.S. The above, plus the 2-day Java course.
> For both conferences I'd also recommend Gunnar's 2-day web services
> security course. [Gunnar is also willing to help both of you organize a web
> services security track. Please contact him about that.]
> I'd also encourage Dinis to build his own 2-day .NET class so he can offer
> that class at both conferences as well. When Dinis offered a .NET class at
> OWASP, he frequently got 15-20 attendees because people know he is REALLY
> good at .NET stuff.
> -Dave