[Owasp-on-the-move] OWASP on the move

Ofer Shezaf OferS at Breach.com
Mon Oct 22 06:17:32 EDT 2007

(Moving to the list. Tell me if it worked. For this e-mail I kept also
personal e-mails, just in case)

I think that it is a very good document describing the procedures (as
the title implies), but we need a "project plan" paper. I tried to write
down a few ideas I had. I know it is easy to make suggestions, but I am
also willing to take upon myself tasks from creating a plan to writing
the e-mails to mailing lists.

I have translated the "what is" section to goals:
+ Provide a valuable resource to chapters to enable them to extend their
activity and get more people to come.
+ Enable an additional sponsorship opportunity at OWASP.
+ Provide a bonus to OWASP's more active contributors.

Currently OotM is a pretty well kept secret, mainly among the potential
speakers who are more of a problem. In the speaker <-> chapter
relationship, the suitor is the chapter, for which having someone known
from abroad speaking is easy, while (good) speakers who will travel for
a day to Idaho are harder to find.

	+ Announce the project e-mail to major mailing lists (do we want
also a PR? Might get some company to sponsor it as the 1st sponsorship).
	+ Monthly e-mails to leaders asking to list requirements
(dates/subject if any). 
	+ Periodical e-mail to leaders asking about ongoing
opportunities ("if you are in the area, you can come" sort of thing). I
noticed that many chapters do not have predefined schedule and CfP
process and a speaker can be an opportunity to arrange a meeting.
	+ Monthly to mailing lists (webappsec, bugtraq) about the
opportunities for the coming months.

On the web we should present the information gathered, mainly the
ongoing ones:
	+ List of presentations and speakers offering to travel.
	+ List of speaking opportunities.

Contact marketing people in relevant companies about the opportunity.

This is a key issue, and we need more ideas here.

Sponsorship package is very important to attract sponsors:
+ Logo on the specific meeting page, brochures if any and invitation
+ Logo on OotM page if contributed more than X a year ($2000?)
+ (requires further thought) We send for them an e-mail to the event
attendees or chapter's list, might be limited to a questionnaire. I'm
trying to give sponsors some feel of "lead gen", which is the way to get
marketing money, while not really giving them any names.
+ Designating their speaker. I'm bluffing here. I can't and won't stop
companies from sending their speakers to OWASP meetings, I just want to
re-route it through the project.

Criteria for selection
I think that we should plan for success from now and determine who gets
the money. I suggest:

+ Chapters
	+ Past number of participants in chapter meetings - I think we
should also set a threshold for this one (25?). Waste of time and money
to send a person to speak in front of 10 people. It is also an important
criterion for a serious chapter leader.
	+ Larger & Longer events (full day vs. half day vs. evening as
it usually ensures larger events). 

+ Speakers:
	+ Past speaking engagements, preferably at OWASP events.
	+ Preferred presentation (see below).
	+ OWASP activity.
	+ Self (that is own companies) sponsorship.

Approved Presentations
Preferred presentation would be presentations that we listed as such.
Such a status ensures that:
+ The presentation is not commercial. Very important especially for
commercially sponsored travel.
+ Is of quality.
+ Serves OWASP goals (for example, is about application security).

Presentations do not have to be preferred to qualify but have
precedence. The list of such presentations would also serve as a key
element of the "OotM" project page.

This can be based on the OWASP education page. The main difference is
that it is a preso and a person, rather than just a preso. The list also
has to be shorter with just highlights.

~ Ofer

From: Sebastien Deleersnyder [mailto:seba at deleersnyder.eu] 
Sent: Thursday, October 18, 2007 8:53 PM
To: Ofer Shezaf
Cc: 'Knobloch, Martin'; 'Dinis Cruz'
Subject: RE: OWASP on the move


Thank you very much for your kind offer.

I absolutely agree that companies paying for their own speakers are a
good way to spread webappsec knowledge and the OWASP 'message'.
We thus certainly welcome sponsors that want to pay for their own
speakers, as long as this stays in line with the chapter policy rules.

For your second suggestion: Martin Knobloch is the project leader.
What I want to suggest is that you join our project team and that we
take this up together.

See attached a first rules draft that we worked out on base of first
experience together with Dave and Dinis.
Your input is certainly appreciated.

I propose that we use the project mailing list and/or keep each other in
cc.

One of the first actions is a post to the leaders list to promote the
OotM project.




From: Ofer Shezaf [mailto:OferS at Breach.com] 
Sent: Wednesday, October 17, 2007 14:36
To: seba at deleersnyder.eu
Subject: OWASP on the move

Hi Seba,

I gave some thought to the OWASP on the move project. 

I think (and know from my experience at Breach) that it is easier to
make companies pay for their own people to travel, rather than just
sponsor the project. Even keeping to the non vendor pitch rule, it is a
win-win situation where we promote web app sec and the companies get
recognized as thought leaders. 

Good examples are Brian Chess from Fortify and Jeremiah Grossman from
WhiteHatSec who go around talking, paid by their companies. We also did
our share - between Ivan, myself and Ryan Barnett, we have spoken in
Finland, Belgium, San Jose & Virginia, all paid by Breach.

1st, I would like to post on the project's page on the offering side,
something along these lines: we will come to speak, on such and such
subjects (we have a nice list of presentations we give), sponsored by
Breach, given a meeting of at least X (25? 40?) people.

And 2nd, I would like to suggest, only if it is OK with you, to take
this project off your hands, as you anyway do too many of them and work
to have other companies do the same. We can add a step in which the
presentations should be pre-approved for this project to prevent
commercial abuse, as I do locally for my chapter. If you prefer to keep
heading the project, I can just assist you in it.

What do you think?
~ Ofer

Ofer Shezaf
ofers at breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119

CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule
Set Project
