[Owasp-leaders] OWASP NoVA Chapter

David Campbell dcampbell at owasp.org
Wed Sep 23 12:11:54 EDT 2009

Interesting discussion.

In Denver we have an excellent track record of having high quality,
vendor-pitch free presentations.  However, it's notable that since the
economy tanked, it has become much more difficult to recruit purely
independent speakers, or affiliated speakers who are skilled at
presenting without pitching.  This difficulty has manifested itself in
less frequent chapter meetings.

I agree with Ofer that it's difficult to let the vendors in without
having it turn into a commercial circus.  Our comrades up in Boulder
tried this model recently (with presenters from IBM/Rational) and
reviews were mixed to say the least.

Also, FWIW, based on feedback from our members expressing an interest in
doing a static analysis lab, I approached Fortify several months ago
requesting eval licenses.  After email exchanges with several Fortify
folks I was left empty handed.  Is the NoVA fortify meeting webex/video
online anywhere?  I'm keen to see how you guys did this -- and also to
see if the folks who put it together for NOVA are keen to come out to
Colorado sometime this ski season for an encore performance.
Ofer Shezaf wrote:
> I am sure that candid and open discussion of a product can be done. Such a
> discussion would certainly have value, but I yet have to see one that is led
> by a vendor and is candid and open. As a vendor employee, you just have to
> be one sided and gloss over shortcomings of your product.
> Can this be reconciled? Can a vendor provide a good overview of its product?
> I tried to think about some measures that might help:
> + I wouldn't count on every chapter leader to organize such a thing. Maybe
> it should be coordinated with the OWASP board? Alternatively, maybe a
> chapter leader should get 5 leaders to say he will do right to proceed?
> + Publish the detailed content in advance, or at least communicate it to the
> chapter leader. I actually require every speaker who works for a vendor to
> submit the slides before the meeting to inspect them for over
> commercialization.
> + Require specific speakers. It's the speaker who makes the presentation.
> Just having a "company" present, sending an available sales engineer has a
> huge potential of being a bummer. If you get an engineer from dev, or at
> least a product manager who can shed some light on future directions you are
> better off. 
> My personal experience is that *religiously* staying away from product
> presentations pays off. It helps differentiate OWASP from other security
> organizations and ensures high participant satisfaction with the meetings.
> I don't think there is anyone here in Israel who thinks about OWASP in the
> terms Yiannis portrays in a parallel thread.
> ~ Ofer
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Steven
> Sent: Thursday, September 17, 2009 7:26 PM
> To: owasp-leaders at lists.owasp.org
> Cc: Dinis Cruz
> Subject: [Owasp-leaders] OWASP NoVA Chapter
> All,
> Uncompromising? Thank you Dinis. I try--but rarely meet expectations
> for myself. Yes, I'm pretty excited about this session. Since taking
> on the chapter-leadership, I'm struck by how many individuals have
> come to me asking "Is there anything you can do to help me understand
> [tools]?" In a time of crunched budgets, people are looking to OWASP
> to help them gain the knowledge needed to do their jobs.
> To address this, I asked chapter membership to create a curriculum of
> material on a wide-range of tools. We first reached out to Ounce and
> Fortify (IBM's acquisition of Ounce stymied that thread temporarily),
> and we've gotten sincere response. Fortify, I've got to say, was very
> open to what we suggested. What did we suggest:
> * Purely technical sessions, led by a mix of chapter members and the vendor
> * Hands-on exercise and laboratory work--not demos
> * Material (tools) in the hands of chapter members
> Where the vendor landscape is competitive, I've explicitly reached out
> to what I believe are competing parties. I'm not focusing on
> commercial tools exclusively--far from it. I've promised Dinis that I
> would produce and give to him a next-generation O2 training course,
> and personally help him train a cadre of influential and competent
> OWASP leaders to not only use O2, but also give the course (Tom
> Brennan and Dave Wichers participated in this conversation in
> Ireland).
> Our curriculum extends well beyond SA as well, though remains nascent.
> We want to do a very experimental session on mod_security (which I
> hope to rely on Wade Woolwine and Jack Maninno), and I'd love to get
> Michael Coates in to both talk about and give our chapter hands-on
> experience with the tooling he's been building for in-app IDS/IPS.
> Eric Dalci and a complement of others within the chapter have done a
> ton of work on this lab, and I think those who attend will be thrilled
> with the deeper capabilities they leave with (whether or not they
> purchase Fortify tooling, others', or use freely available
> alternatives). Likewise, as someone who makes his living threading
> together both commercial tools purchased by his client base, readily
> using OWASP resources, and at times, creating his own tooling, I think
> participants will find Eric purpose-driven: "How do we leverage these
> tools to get good results?"
> Again, I hope other chapters can find value in what we're carefully
> doing. My fear, and perhaps others' is that others might get slack and
> allow de-evolution into pitches. My travels to other states' sessions
> have sometimes landed me on the receiving end of such 'demos'. G'uh.
> The NoVA chapter has published our curriculum and always offers WebEx
> to geographically dispersed individuals who would like to participate
> in our exploits. We're trying--as always--to be open and welcome
> commentary.
> -jOHN
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders