[Owasp-leaders] OWASP NoVA Chapter

Goldschmidt, Cassio cassio.goldschmidt at gmail.com
Wed Sep 23 15:32:52 EDT 2009


Many of the most valuable talks we had at OWASP Los Angeles chapter were
from OWASP chapter leaders and OWASP project leaders. If our goal is to get
more traction with OWASP projects and foster a community, I encourage every
chapter to consider taking advantage of the OWASP on the move funds.

http://www.owasp.org/index.php/Los_Angeles_Previous_Presentations

Cassio

On Wed, Sep 23, 2009 at 9:11 AM, David Campbell <dcampbell at owasp.org> wrote:

> Interesting discussion.
>
> In Denver we have an excellent track record of having high quality,
> vendor-pitch free presentations.  However, it's notable that since the
> economy tanked, it has become much more difficult to recruit purely
> independent speakers, or affiliated speakers who are skilled at
> presenting without pitching.  This difficulty has manifested itself in
> less frequent chapter meetings.
>
> I agree with Ofer that it's difficult to let the vendors in without
> having it turn into a commercial circus.  Our comrades up in Boulder
> tried this model recently (with presenters from IBM/Rational) and
> reviews were mixed to say the least.
>
> Also, FWIW, based on feedback from our members expressing an interest in
> doing a static analysis lab, I approached Fortify several months ago
> requesting eval licenses.  After email exchanges with several Fortify
> folks I was left empty handed.  Is the NoVA fortify meeting webex/video
> online anywhere?  I'm keen to see how you guys did this -- and also to
> see if the folks who put it together for NOVA are keen to come out to
> Colorado sometime this ski season for an encore performance.
>
>
> Cheers,
>
> DC
>
>
>
> Ofer Shezaf wrote:
> > I am sure that candid and open discussion of a product can be done. Such a
> > discussion would certainly have value, but I yet have to see one that is led
> > by a vendor and is candid and open. As a vendor employee, you just have to
> > be one sided and gloss over shortcomings of your product.
> >
> > Can this be reconciled? Can a vendor provide a good overview of its product?
> > I tried to think about some measures that might help:
> >
> > + I wouldn't count on every chapter leader to organize such a thing. Maybe
> > it should be coordinated with the OWASP board? Alternatively, maybe a
> > chapter leader should get 5 leaders to say he will do right to proceed?
> >
> > + Publish the detailed content in advance, or at least communicate it to the
> > chapter leader. I actually require every speaker who works for a vendor to
> > submit the slides before the meeting to inspect them for over
> > commercialization.
> >
> > + Require specific speakers. It's the speaker who makes the presentation.
> > Just having a "company" present, sending an available sales engineer has a
> > huge potential of being a bummer. If you get an engineer from dev, or at
> > least a product manager who can shed some light on future directions you are
> > better off.
> >
> > My personal experience is that *religiously* staying away from product
> > presentations pays off. It helps differentiate OWASP from other security
> > organizations and ensures high participant satisfaction with the meetings.
> > I don't think there is anyone here in Israel who thinks about OWASP in the
> > terms Yiannis portrays in a parallel thread.
> >
> > ~ Ofer
> >
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of John Steven
> > Sent: Thursday, September 17, 2009 7:26 PM
> > To: owasp-leaders at lists.owasp.org
> > Cc: Dinis Cruz
> > Subject: [Owasp-leaders] OWASP NoVA Chapter
> >
> > All,
> >
> > Uncompromising? Thank you Dinis. I try--but rarely meet expectations
> > for myself. Yes, I'm pretty excited about this session. Since taking
> > on the chapter-leadership, I'm struck by how many individuals have
> > come to me asking "Is there anything you can do to help me understand
> > [tools]?" In a time of crunched budgets, people are looking to OWASP
> > to help them gain the knowledge needed to do their jobs.
> >
> > To address this, I asked chapter membership to create a curriculum of
> > material on a wide-range of tools. We first reached out to Ounce and
> > Fortify (IBM's acquisition of Ounce stymied that thread temporarily),
> > and we've gotten sincere response. Fortify, I've got to say, was very
> > open to what we suggested. What did we suggest:
> >
> > * Purely technical sessions, led by a mix of chapter members and the vendor
> > * Hands-on exercises and laboratory work--not demos
> > * Material (tools) in the hands of chapter members
> >
> > Where the vendor landscape is competitive, I've explicitly reached out
> > to what I believe are competing parties. I'm not focusing on
> > commercial tools exclusively--far from it. I've promised Dinis that I
> > would produce and give to him a next-generation O2 training course,
> > and personally help him train a cadre of influential and competent
> > OWASP leaders to not only use O2, but also give the course (Tom
> > Brennan and Dave Wichers participated in this conversation in
> > Ireland).
> >
> > Our curriculum extends well beyond SA as well, though remains nascent.
> > We want to do a very experimental session on mod_security (which I
> > hope to rely on Wade Woolwine and Jack Maninno), and I'd love to get
> > Michael Coates in to both talk about and give our chapter hands-on
> > experience with the tooling he's been building for in-app IDS/IPS.
> >
> > Eric Dalci and a complement of others within the chapter have done a
> > ton of work on this lab, and I think those who attend will be thrilled
> > with the deeper capabilities they leave with (whether or not they
> > purchase Fortify tooling, others', or use freely available
> > alternatives). Likewise, as someone who makes his living threading
> > together both commercial tools purchased by his client base, readily
> > using OWASP resources, and at times, creating his own tooling, I think
> > participants will find Eric purpose-driven: "How do we leverage these
> > tools to get good results?"
> >
> > Again, I hope other chapters can find value in what we're carefully
> > doing. My fear, and perhaps others' is that others might get slack and
> > allow de-evolution into pitches. My travels to other states' sessions
> > have sometimes landed me on the receiving end of such 'demos'. G'uh.
> > The NoVA chapter has published our curriculum and always offers WebEx
> > to geographically dispersed individuals who would like to participate
> > in our exploits. We're trying--as always--to be open and welcome
> > commentary.
> >
> >
> > -jOHN
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >