[Owasp-leaders] OWASP NoVA Chapter

John Steven John.Steven at owasp.org
Thu Sep 17 12:25:48 EDT 2009


Uncompromising? Thank you Dinis. I try--but rarely meet expectations
for myself. Yes, I'm pretty excited about this session. Since taking
on the chapter-leadership, I'm struck by how many individuals have
come to me asking "Is there anything you can do to help me understand
[tools]?" In a time of crunched budgets, people are looking to OWASP
to help them gain the knowledge needed to do their jobs.

To address this, I asked chapter membership to create a curriculum of
material on a wide-range of tools. We first reached out to Ounce and
Fortify (IBM's acquisition of Ounce stymied that thread temporarily),
and we've gotten sincere response. Fortify, I've got to say, was very
open to what we suggested. What did we suggest?

* Purely technical sessions, led by a mix of chapter members and the vendor
* Hands-on exercise and laboratory work--not demos
* Material (tools) in the hands of chapter members

Where the vendor landscape is competitive, I've explicitly reached out
to what I believe are competing parties. I'm not focusing on
commercial tools exclusively--far from it. I've promised Dinis that I
would produce and give to him a next-generation O2 training course,
and personally help him train a cadre of influential and competent
OWASP leaders to not only use O2, but also give the course (Tom
Brennan and Dave Wichers participated in this conversation in

Our curriculum extends well beyond SA as well, though remains nascent.
We want to do a very experimental session on mod_security (which I
hope to rely on Wade Woolwine and Jack Maninno), and I'd love to get
Michael Coates in to both talk about and give our chapter hands-on
experience with the tooling he's been building for in-app IDS/IPS.

Eric Dalci and a complement of others within the chapter have done a
ton of work on this lab, and I think those who attend will be thrilled
with the deeper capabilities they leave with (whether or not they
purchase Fortify tooling, others', or use freely available
alternatives). Likewise, as someone who makes his living threading
together both commercial tools purchased by his client base, readily
using OWASP resources, and at times, creating his own tooling, I think
participants will find Eric purpose-driven: "How do we leverage these
tools to get good results?"

Again, I hope other chapters can find value in what we're carefully
doing. My fear, and perhaps others' is that others might get slack and
allow de-evolution into pitches. My travels to other states' sessions
have sometimes landed me on the receiving end of such 'demos'. G'uh.
The NoVA chapter has published our curriculum and always offers WebEx
to geographically dispersed individuals who would like to participate
in our exploits. We're trying--as always--to be open and welcome
