In my day job, we do "trip reports" on summits, conferences, and
similar. Recently, on behalf of OWASP, I set up, manned, and tore down
the OWASP booth at the ISSA Intl. conference @ Baltimore [IC1].  I
apologize in advance; our "trip report" format follows an informal
story-telling approach, inter-mixing actions.

Several exhibitors complained that, from a logistic perspective, the
conference wasn't well run. For instance, it took me about 25 minutes
to arrive at the facility by car but I bailed out of the exhibitor
registration line @ 35 minutes to conduct booth set up. The OWASP
booth was positioned facing the back wall, furthest away from the main
conference hall. Neighbors included phishme.com, Accuvant, and

Sarah Baso and Mark Bristow arranged for the booth banners, branded
handouts (foam darts and pens), and a select number of printed
"Top-10" booklets left over from a previous conference to be sent.
Everything they sent arrived early and though we had far too many pens
(not so popular) we had *just enough* darts(*1). Next time, I'd print
far more "Top-10 booklets". The booklets provided a great
talking-point with booth visitors and one that drove us into
content-based discussions of what OWASP can provide its guests and

**ACTION: Produce and cache "Top-10" booklets, cheat-sheets, and
"LiveCDs" for the next conference opportunity. Both resources will
concretely demonstrate OWASP value and drive conversation to
practical, technical benefit we as a community provide. Balance Top-10
and Cheat Sheet production based on the expectations of the technical
strength of conference attendees.

Foot traffic to the booth was "moderate" and I don't know how much it
would have improved given a better placement. About 75 people stopped
by the booth and solid conversations resulted from about 25. Folk
around the conference claimed "about 700" attendees but my gut tells
me the number was closer to half that. By both volume and energy, the
conference felt vastly smaller and sleepier than OWASP MSP. Most
commonly, the attendee that stopped by ran a local ISSA chapter.

**ACTION: those OWASPers in Denver, the NYC --> Boston, the NoVA, DC,
Maryland, and San Diego should reach out because interest in
collaborating exists.

The second largest group was GovE (DHS, specific department folk) and
these individuals often represented the longest average conversation @
booth. After a small amount of conversation, it was easy to gauge
where the GovE visitor's program was and suggest appropriate OWASP
projects. Each avidly wrote down OWASP resources to follow up on. The
third largest group was independent contractors, which yielded
interesting but wide-ranging conversations.

Less than a handful of booth visitors demonstrated discernible
technical prowess. I'll save this list some of the gems I overheard in
the interest of civility.

When we planned attendance, we discussed two people manning the booth.
This process somehow broke down and I manned the booth alone (this may
very well have been my fault?). Because I had immovable conference
calls, this left the booth manned but by some guy on the phone for
times, which would have put me off as a visitor. Likewise, I had
commitments Friday, so we had no booth coverage on "Day #2" of the

**ACTION: confirm two attendees to support the booth for future conferences.

Without contest, the top two questions asked by booth visitors were:

1) What the heck do you guys [do||sell]?
2) I know what OWASP is--why are you here?

If OWASPers intend to do booth swaps at conferences beyond ISSA's
scope, it may make sense to upgrade the banners and booth set-up.
OWASP does a great job with its own conferences but nothing about the
set-up I had helped with out-reach. I have some ideas on this topic,
but I'll save them for Mark, Sarah, or whomever else is appropriate.

The main reason *I* agreed to support the booth was regionally driven.
Having attended the OWASP/ISSA LA conference, I was pleasantly
surprised by ISSA's organizational/conference machine, and their
expanded audience/attendance. Likewise, in the DC-metro (Maryland,
Virginia) area, ISSA attendance out-strips that of OWASP. Yet, more
than one regional ISSA leader has reached out to local OWASP leaders
for content, speakers, and to orchestrate joint functions.
Facilitating this connection was in fact my main purpose--and I feel
like it was a success. Expect to see more DC-Metro OWASP talks at
local ISSA events, as well as more attendance (and hopefully)
membership from its ISSA members at our events.

...and, finally: those of you who plan to support OWASP conferences in
the future: prepare yourself for the 50 Lbs. "brick" that Sarah sends
you. There aren't instructions for OWASP banner set up... ...and the
OWASP-branded table cover has stains on it. The whole experience will
definitely remind you of that time you filled in as a roadie for your
college roommate's Ska band... Find some bit of solace in the fact
that set-up for the two included banners doesn't particularly warrant
instruction and that, if you can hoist it above your shoulder (*2),
carrying the 50 lb case isn't as bad as lugging it by handle.


* [IC1] -  https://www.issa.org/conf/?p=105
* (1) -  The foam darts surprised me as the 'big hit' for our booth.
They played well with both visitors and fellow booth operators. Take
note of this folks, if... say... HP Enterprise or Oracle have some
sweet booth schwag, the darts are _definitely_ weighty-enough currency
for trade. While I didn't engage in any in-kind trade myself, I might
not fault future booth operators for doing so.
* (2) - It might even draw some interesting dinner offers from fellow
booth operators.

