[Owasp-board] Update on 2016 AppSec Conference & 'Call to Host'

Jim Manico jim.manico at owasp.org
Fri Feb 27 15:26:38 UTC 2015

I like it.

Another idea to consider is having a conference in the same location 
every year. This is my preference.

This is one reason why blackhat, defcon and similar became so popular.

But don't get me wrong, I like where this conversation is going.


On 2/27/15 4:23 PM, Michael Coates wrote:
> Regarding US I think the two permanent locations is a good idea. I 
> proposed NYC on the east coast and San Francisco on the west coast. We 
> just alternate between the two each year.
> On Feb 27, 2015, at 6:54 AM, Helen Gao <helen.gao at owasp.org> wrote:
>> Hi Andrew and the board.
>> Based on my experience with Asia Pacific since 2008, it makes sense 
>> to have a different strategy for that area.  I am not a board member 
>> but I care about OWASP deeply. So here are my two cents.
>> It's quite difficult to travel to another country to attend a 
>> conference. Many don't have passports, a credit card to pay for the 
>> registration in foreign currency, or the fund to apply for a visa. 
>> It's understandable that AppSec in one country will have less 
>> attendees from other countries. But if we continue to let each 
>> country get a chance to host then nobody will feel left out. I think 
>> the foundation has been doing an excellent job so far being sensitive 
>> to the diversity of the area.
>> Coming back to US, is it possible to have 2 permanent cities, one on 
>> east  and the other on the west coast?
>> Helen Gao, CISSP
>> Organizer of AppSec APAC 2010 and 2011
>> Founder and leader of OWASP Long Island Chapter
>> Leader of OWASP Chinese Project
>> Former Chair of Global Membership Committee
>> Women for AppSec in AppSecUSA 2012
>> On Fri, Feb 27, 2015 at 12:16 AM, Andrew van der Stock 
>> <vanderaj at owasp.org> wrote:
>>     +1
>>     It's a lot of work to do an appsec conference. Having so much of
>>     our income tied to folks who are starting from scratch every year
>>     is a lot to ask.
>>     Considering I don't think we have an AppSec Asia Pac this year
>>     (or at least I can't find it), having the hybrid model is a great
>>     idea.
>>     In AsiaPac, Singapore is one of the best locations as it's almost
>>     equi-distant to all parts of South East Asia. Japan is a bit
>>     expensive, and Hong Kong a bit far for many when incomes in our
>>     region are not that high. We only had 100 folks at the last
>>     AsiaPac conference held in Australia, so I would support it being
>>     in Singapore or KL over us.
>>     thanks
>>     Andrew
>>     On Fri, Feb 27, 2015 at 9:24 AM, Michael Coates
>>     <michael.coates at owasp.org> wrote:
>>         Seems like there is lots of support for hybrid that puts much
>>         stronger foundation role for global events and leaves all
>>         regional and local events to local teams to lead (as they
>>         currently are).
>>         For global events (at least AppSecUSA) I'd float the idea of
>>         alternating NYC and San Francisco. Two huge markets where
>>         we'll have established location and partners. But I'd push
>>         back on our planning for local support - I think we should
>>         map out all the activities for an established location and
>>         see how many could be accomplished by foundation (with
>>         necessary staffing) and how many would need feet on the
>>         ground in the location. I bet we could find a model that
>>         worked pretty well. Plus, combine that with a task force of
>>         previous AppSecUSA advisors (i.e. previous planners) and
>>         you've got a great mix of skills.
>>         --
>>         Michael Coates | @_mwc
>>         <https://twitter.com/intent/user?screen_name=_mwc>
>>         OWASP Global Board
>>         Join me at AppSecUSA <http://AppSecUSA.org> 2015 in San
>>         Francisco!
>>         On Thu, Feb 26, 2015 at 2:18 PM, Noreen Whysel
>>         <noreen.whysel at owasp.org> wrote:
>>             Josh,
>>             At my old job, the IA Institute relied on a tiered
>>             combination of global and local sponsors. It is a model
>>             that works best for regional events, but for
>>             international level events, gives local companies
>>             potential exposure to a global market if they have the
>>             interest and means to expand globally. We tended to see
>>             global sponsors signing on for exhibitor tables, donating
>>             software, and writing big checks to cover operational
>>             expenses, while local sponsors who know the lay of the
>>             land would play host by doing networking events or
>>             speaker dinners at local taverns and restaurants, or
>>             cover food (local caterers) and venue (if held at a
>>             corporate office).
>>             Noreen Whysel
>>             Community Manager
>>             OWASP Foundation
>>             On Feb 26, 2015, at 3:57 PM, Josh Sokol
>>             <josh.sokol at owasp.org> wrote:
>>>             Having been the Chair of AppSecUSA 2012, I can say that
>>>             hosting an AppSec Conference is a lot for a local team
>>>             of volunteers to handle. We did it with minimal
>>>             assistance from the Foundation for everything from
>>>             Sponsorships (had to find our own) to Sessions (had to
>>>             solicit our own speakers). There was no Laura (or
>>>             equivalent) at the time and Sarah's feedback was about
>>>             all we had in terms of guidance from the Foundation. 
>>>             I'm pretty sure we've come a long ways since then, but I
>>>             believe that we still have a very heavy focus on the
>>>             local boots on the ground doing the majority of the
>>>             work. It's extremely tiresome and I literally told
>>>             people afterward that I would never do it again.  This
>>>             situation was actually a large part of my rationale for
>>>             the Foundation to stop trying to take money from the
>>>             chapters who decide to put on conferences.  Every dollar
>>>             taken away from them is one less reason for them to want
>>>             to host one of these.  We should be trying to
>>>             incentivize as many chapters as possible to attempt
>>>             local conferences because it gives leaders the skills
>>>             necessary to tackle the big show.
>>>             My suggestion here, based on my experience, is to find a
>>>             chapter with strong project planning skills and a solid
>>>             location. When we move the event year after year we lose
>>>             every bit of experience with the venue and processes and
>>>             have to renegotiate everything from scratch.  Conference
>>>             planning is easiest when it's a formula, like LASCON. 
>>>             Same location, very few unknowns, solid performance
>>>             YOY.  When you know what to expect, you can focus more
>>>             time and energy on improving the formula, rather than
>>>             re-inventing it.  If NYC or San Francisco fits that
>>>             bill, and the local planning team is willing to take it
>>>             on, then I say we go all in and commit to it. 
>>>             Simultaneously, we need to commit to the local chapter
>>>             leaders that they will be rewarded handsomely for their
>>>             efforts.  OWASP Austin got exactly $0 from AppSecUSA
>>>             2012.  I believe that the profit sharing policy was
>>>             changed the next year though so that may already be
>>>             addressed.  Regardless, if you are asking these leaders
>>>             to spend a year of their lives to make the conference a
>>>             success, then they should be rewarded with a year of
>>>             chapter funding.  I also think that we need to
>>>             significantly bump up the level of support from the
>>>             Foundation.  Perhaps it's changed since we ran it, but
>>>             conference planners should handle venue, schedule,
>>>             speaker selection, volunteers, etc.  They should not be
>>>             responsible for finding sponsors.  That should be
>>>             handled entirely by the Foundation as it takes a huge
>>>             weight off their shoulders.  I'm sure there's more
>>>             that's not coming to mind right now, but hopefully
>>>             that's helpful for this conversation.
>>>             ~josh
>>>             On Thu, Feb 26, 2015 at 2:32 PM, Michael Coates
>>>             <michael.coates at owasp.org> wrote:
>>>                 One other note: I do think the path forward is
>>>                 likely a hybrid model. But to be fair, the
>>>                 announcement for 2016 went out on Dec 26 and I
>>>                 haven't seen another email since. I wouldn't be
>>>                 surprised if everyone missed it. That said, we'd
>>>                 still likely only get 1 or 2 submissions and it's
>>>                 unknown if we'd want to go to that location.
>>>                 --
>>>                 Michael Coates | @_mwc
>>>                 <https://twitter.com/intent/user?screen_name=_mwc>
>>>                 OWASP Global Board
>>>                 Join me at AppSecUSA <http://AppSecUSA.org> 2015 in
>>>                 San Francisco!
>>>                 On Thu, Feb 26, 2015 at 12:30 PM, Jim Manico
>>>                 <jim.manico at owasp.org> wrote:
>>>                     Michael,
>>>                     I'm a fan of that as well. A stable location has
>>>                     a better potential for growth. These events are
>>>                     so crucial to our fiscal health I like the idea
>>>                     of additional professional support to run a
>>>                     stable event. We sure do run these major events
>>>                     with minimal staff...
>>>                     NYC seems to have huge potential. Perhaps SF
>>>                     too, let's see how we do this year.
>>>                     Details aside, I agree with your general vision
>>>                     here.
>>>                     Cheers,
>>>                     --
>>>                     Jim Manico
>>>                     @Manicode
>>>                     (808) 652-3805
>>>                     On Feb 26, 2015, at 9:25 PM, Michael Coates
>>>                     <michael.coates at owasp.org> wrote:
>>>>                     I'm not surprised and was prepared that this
>>>>                     day would come. It is a tall order to host and
>>>>                     lots of risk for our org to nearly start from
>>>>                     scratch each event.
>>>>                     I'd like to discuss a hybrid model that is led
>>>>                     by foundation in preset locations where we can
>>>>                     leverage known resources for repeatability and
>>>>                     scale. We can still rotate to some degree but
>>>>                     it's between known locations. This combined
>>>>                     with a community effort for some aspects and
>>>>                     dedicated new staff resources would work well.
>>>>                     We gain stability and still leverage community
>>>>                     for some aspects while driving from the
>>>>                     foundation.
>>>>                     On Feb 26, 2015, at 12:13 PM, Paul Ritchie
>>>>                     <paul.ritchie at owasp.org> wrote:
>>>>>                     Hello OWASP Board members:
>>>>>                     Issue: During our OWASP staff meeting today we
>>>>>                     discussed that we have not received any
>>>>>                     proposals to host an AppSec Conference in 2016.
>>>>>                     Laura put out the call for proposals back in
>>>>>                     late December, and it was followed up in our
>>>>>                     Connector newsletter. The Deadline for
>>>>>                     submissions was February 27. Although several
>>>>>                     people looked seriously at the prospect of
>>>>>                     hosting, none have submitted a formal proposal
>>>>>                     to host the 2016 AppSec.
>>>>>                     Next Steps: I plan to extend the 'Call for
>>>>>                     Proposals' period another 3 weeks to see if we
>>>>>                     can stimulate some additional interest for our
>>>>>                     AppSec conferences in Europe & US. To
>>>>>                     accomplish that, I have streamlined Laura's
>>>>>                     original email and plan to resend no later
>>>>>                     than Monday, March 2 to our Leaders &
>>>>>                     Community email group lists.
>>>>>                     During our Staff meeting today we discussed
>>>>>                     several good options in case we don't receive
>>>>>                     a proposal, but first, let's give the Community
>>>>>                     another opportunity to 'step up' and 'take the
>>>>>                     lead' for our 2016 events.
>>>>>                     Just FYI for now since several of you were
>>>>>                     asking about progress in this area.
>>>>>                     Paul
>>>>>                     ========== TEXT OF APPSEC2016 CALL FOR
>>>>>                     PROPOSALS =============
>>>>>                     Hello All,
>>>>>                     Is your Chapter or Region interested in
>>>>>                     hosting our 2016 AppSec Conference for Europe
>>>>>                     or USA? OWASP is actively seeking proposals
>>>>>                     and we encourage any community member
>>>>>                     interested in hosting a​n *OWASP**​ ​**Global
>>>>>                     **Conference*to submit a proposal.
>>>>>                     Hosting a conference requires commitment,
>>>>>                     responsibility and a lot of time, energy and
>>>>>                     effort to properly plan and implement a
>>>>>                     conference. For more information see the How
>>>>>                     to Host a Conference page.
>>>>>                     https://www.owasp.org/index.php/How_to_Host_a_Conference
>>>>>                     The dates of each OWASP Global AppSec
>>>>>                     conference vary somewhat each year but ideally
>>>>>                     the conference is held:
>>>>>                     · Europe - Q2 2016
>>>>>                     · North America - Q3 2016
>>>>>                     To bid for a 2016 OWASP Global AppSec please
>>>>>                     complete the OCMS form
>>>>>                     http://www.tfaforms.com/301382 with the
>>>>>                     following information *by March 20th, 2015.*
>>>>>                     *Please include the following information.*
>>>>>                     1. The proposed city and host chapter.
>>>>>                     2. The name of the intended local organizer
>>>>>                     and his/her team committed to the task for 2016
>>>>>                     along with a brief explanation on why the
>>>>>                     conference committee wants to organize an
>>>>>                     OWASP Global AppSec. Include anticipated help
>>>>>                     from volunteers before and at the conference.
>>>>>                     3. Previous conferences or local/regional
>>>>>                     events experience of the conference committee.
>>>>>                     4. The intended dates for the conference.
>>>>>                     (Typically includes 2 days of pre-conference
>>>>>                     training, followed by 2 days of conference talks).
>>>>>                     5. Venue recommendations. If possible,
>>>>>                     assurance that the following will be available:
>>>>>                     - A large auditorium with multiple training /
>>>>>                     lecture rooms near the main auditorium.
>>>>>                     - Projection & internet facilities in all
>>>>>                     rooms up to modern standards.
>>>>>                     - A suitable networking space near the rooms
>>>>>                     for registration, breaks and other activities.
>>>>>                     - A hall near the rooms for sponsor exhibitions.
>>>>>                     - Green room, storage room, breakout room,
>>>>>                     capture the flag area, etc.
>>>>>                     6. Budget. Please use the form on google docs
>>>>>                     https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AhOGWXgQrDnddE9nZnh1UEZzUHJ2cl85R2hVd2IxRGc&usp=drive_web#gid=0
>>>>>                     (Since many of the categories of expenses are
>>>>>                     optional, consider this a check list. You can
>>>>>                     add as many items as you want and you do not
>>>>>                     need to fill in every box if you do not want
>>>>>                     it to be included in your event.)
>>>>>                     7. Possible "big name" speakers in AppSec who
>>>>>                     might be plenary speakers with low travel costs.
>>>>>                     8. Realistic prospects for obtaining
>>>>>                     sponsorship from outside bodies, e.g.,
>>>>>                     companies, universities, scientific
>>>>>                     institutes, media, government, etc.
>>>>>                     By submitting an application, you are already
>>>>>                     demonstrating your commitment to OWASP. We
>>>>>                     really appreciate every proposal we receive,
>>>>>                     however not every proposal will be approved.
>>>>>                     The selection will be made by the
>>>>>                     OWASP operations team with input from previous
>>>>>                     AppSec organizing teams.
>>>>>                     · Preference will be given to the community
>>>>>                     that demonstrates more engagement.
>>>>>                     · Preference will be given to the team that
>>>>>                     has successful experience organizing
>>>>>                     local/regional events.
>>>>>                     · Preference will be given to a location that
>>>>>                     has not recently hosted a Global AppSec
>>>>>                     conference.
>>>>>                     · Geographic coverage will be considered when
>>>>>                     selecting conference sites.
>>>>>                     *The deadline for applications is March 20th. *
>>>>>                     Should you have any questions concerning the
>>>>>                     proposal process or need assistance with your
>>>>>                     application, please do not hesitate to contact
>>>>>                     me. We are looking forward to your proposals!
>>>>>                     Paul Ritchie, OWASP Executive Director
>>>>>                     paul.ritchie at owasp.org
>>>>>                     _______________________________________________
>>>>>                     Owasp-board mailing list
>>>>>                     Owasp-board at lists.owasp.org
>>>>>                     <mailto:Owasp-board at lists.owasp.org>
>>>>>                     https://lists.owasp.org/mailman/listinfo/owasp-board
>> -- 
>> Helen Gao, CISSP
