[Owasp-leaders] OWASP NoVA Chapter

Ofer Shezaf ofer at shezaf.com
Thu Sep 17 13:47:24 EDT 2009

I am sure that candid and open discussion of a product can be done. Such a
discussion would certainly have value, but I yet have to see one that is led
by a vendor and is candid and open. As a vendor employee, you just have to
be one sided and gloss over shortcomings of your product.

Can this be reconciled? Can a vendor provide a good overview of its product?
I tried to think about some measures that might help:

+ I wouldn't count on every chapter leader to organize such a thing. Maybe
it should be coordinated with the OWASP board? Alternatively, maybe a
chapter leader should get 5 leaders to say he will do right to proceed?

+ Publish the detailed content in advance, or at least communicate it to the
chapter leader. I actually require every speaker who work for a vendor to
submit the slides before the meeting to inspect them for over

+ Require specific speakers. It's the speaker who makes the presentation.
Just having a "company" present, sending an available sales engineer has a
huge potential of being a bummer. If you get an engineer from dev, or at
least a product manager who can shed some light on future directions you are
better off. 

My personal experience is that *religiously* staying away from product
presentations pays off. If helps differentiate OWASP from other security
organizations and ensures high participants satisfaction with the meetings.
I don't think there is anyone here in Israel who thinks about OWASP in the
terms Yiannis portrays in a parallel thread.

~ Ofer

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Steven
Sent: Thursday, September 17, 2009 7:26 PM
To: owasp-leaders at lists.owasp.org
Cc: Dinis Cruz
Subject: [Owasp-leaders] OWASP NoVA Chapter


Uncompromising? Thank you Dinis. I try--but rarely meet expectations
for myself. Yes, I'm pretty excited about this session. Since taking
on the chapter-leadership, I'm struck by how many individuals have
come to me asking "Is there anything you can do to help me understand
[tools]?" In a time of crunched budgets, people are looking to OWASP
to help them gain the knowledge needed to do their jobs.

To address this, I asked chapter membership to create a curriculum of
material on a wide-range of tools. We first reached out to Ounce and
Fortify (IBM's acquisition of Ounce stymied that thread temporarily),
and we've gotten sincere response. Fortify, I've got to say, was very
open to what we suggested. What did we suggest:

* Purely technical sessions, lead by a mix of chapter members and the vendor
* Hands-on exercise and laboratory work--not demos
* Material (tools) in the hands of chapter members

Where the vendor landscape is competitive, I've explicitly reached out
to what I believe are competing parties. I'm not focusing on
commercial tools exclusively--far from it. I've promised Dinis that I
would produce and give to him a next-generation O2 training course,
and personally help him train a cadre of influential and competent
OWASP leaders to not only use O2, but also give the course (Tom
Brennan and Dave Wichers participated in this conversation in

Our curriculum extends well beyond SA as well, though remains nascent.
We want to do a very experimental session on mod_security (which I
hope to rely on Wade Woolwine and Jack Maninno), and I'd love to get
Michael Coates in to both talk about and give our chapter hands-on
experience with the tooling he's been building for in-app IDS/IPS.

Eric Dalci and a compliment of others within the chapter have done a
ton of work on this lab, and I think those who attend will be thrilled
with the deeper capabilities they leave with (whether or not they
purchase Fortify tooling, others', or use freely available
alternatives). Likewise, as someone who makes his living threading
together both commercial tools purchased by his client base, readily
using OWASP resources, and at times, creating his own tooling, I think
participants will find Eric purpose-driven: "How do we leverage these
tools to get good results?"

Again, I hope other chapters can find value in what we're carefully
doing. My fear, and perhaps others' is that others might get slack and
allow de-evolution into pitches. My travels to other states' sessions
have sometimes landed me on the receiving end of such 'demos'. G'uh.
The NoVA chapter has published our curriculum and always offers WebEx
to geographically dispersed individuals who would like to participate
in our exploits. We're trying--as always--to be open and welcome

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org

More information about the OWASP-Leaders mailing list