[Owasp-board] [Owasp-leaders] OWASP Milan Agenda (needs review and help filling in)

Dave Wichers dave.wichers at owasp.org
Mon Mar 26 01:36:57 UTC 2007

I screwed this up and sent it to the leaders list/ not the board, but I
don't think it caused any harm.
From: Matt Fisher [mailto:mfisher at spidynamics.com] 
Sent: Sunday, March 25, 2007 9:29 PM
To: Dave Wichers; owasp-leaders at lists.owasp.org
Subject: RE: [Owasp-leaders] OWASP Milan Agenda (needs review and help


Re: the two proposed additional talks: I would vote "yes" on Gunnar's talk.
His various blog entries are informed, insightful, and articulate.
Honestly, I'm not sure the world needs another "I'll malcode your whole
subnet" talk, however.


Re: WebGoat/Scarab: you could almost do a half-hour each to intro the
complete product, unless you strictly wanted to discuss the diff between


Top Ten is a venerable project and long overdue for an overhaul.  I would
"unveil" it directly after the opening talk and treat it with a little
fanfare. If you can't do that, then after Alex Lucas' talk would be a good
time since everyone will still be in 'single-track' mode.
From: owasp-leaders-bounces at lists.owasp.org on behalf of Dave Wichers
Sent: Sun 3/25/2007 9:02 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] OWASP Milan Agenda (needs review and help

Dinis (and Jeff/Andrew):


I have now put online what I have figured out so far:




please review and provide any suggested updates.  Particularly Dinis.


Here are four other proposed talks that haven't made it onto the agenda yet:


Pravir Chandra: CLASP Talk

SWAAT - Presentation (Speaker?)

Gunnar Peterson - project update on the XML Security Gateway evaluation
criteria project? Could be short like 20 min, or longer

Andre Ludwig - leveraging web application vulnerabilities to compromise
internal networks - This probably overlaps somewhat with PDP's talk so may
not make it.


I'm OK with these but I'd like to see how much room we have after all the
missing OWASP projects (from Dinis) get filled in.


a) What other OWASP Projects should we invite to participate?


I can make more or less room in a number of ways by the way:


1) I have proposed that I do an hour+ on the new webgoat / webscarab. We
could compress this into a half hour somewhere.

2) I have put the pdp and Simon's 2nd talk together into a single LONG
session. I would prefer to put two 40 minute talks into these long blocks
rather than have one LONG talk in these sessions.

3) Metteo's Testing guide presentation could be one of the 4 refereed
paper slots which would free up a whole new slot.


b) Dinis, after we figure out what OWASP projects are presenting, can you
present a quick tour of the rest in your talk near the end of the 2nd day?


c) Also, we really should do a short presentation on the new top 10. Should
we do that as the kickoff to Dinis' talk right after Microsoft on the 1st
day? i.e., something like, here's the new OWASP Top 10 and how we created
it, and here's the stuff OWASP is doing to help people avoid these kinds of
problems. I think we need to particularly emphasize the importance of CSRF
and maybe even challenge some of the attendees to come up with generic
solutions to this problem (i.e., Microsoft is in the audience. It would be
nice if .NET defended against this automatically since I think they are so
close already).


d) I also need someone to take ownership of the 1st panel on day 1. Gunnar
is taking the second. Anyone you can think of that we can ask to moderate?


I'm also totally OK with rearranging anything I have here to make the talks
shorter or longer based on what we prefer or putting like talks together.
I.e., I don't really have any theme for the tracks yet.
