[Owasp-summit-2013] (Why Summits are special) Re: Cancelation of the OWASP Summit 2013
vanderaj at owasp.org
Mon Apr 9 22:30:17 UTC 2012
I've read a lot for and against summits. Honestly, we need to do less big
bang things, and provide organisational focus.
Think about this:
The Royal Society has for over 300 years provided fellowships that have
produced more world-changing research than any other organization on the
planet. They also provided a place for like-minded folks to meet and
research (salons). Individual salons provided the shoulders of giants to
rub, but in the end, we remember the achievements, not the salons. More to
the point, the Royal Society doesn't just fund British researchers; they
are an international organization.
We as an organisation must set ourselves up for long-term relevance by
providing the enablers for our projects to succeed. Using most of our
annual income on a summit robs us of the opportunity to do something else
(or many other things). OWASP needs focus and to support researchers doing
what we have not done before. We don't need to create a multitude of
developer, testing or coding guides, we need only a few good ones. We need
to provide a space where the next Gareth Heyes can discover (or more likely
fuzz) a universal solution for XSS.
That isn't, in my view, by paying out for folks to fly halfway around the
world. Let's replace the annual event with monthly or weekly virtual
salons. We need a community that has low barriers to entry. I CAN'T make it
to an event on the other side of the planet - my family circumstances just
don't allow it, let alone my hectic working schedule, and I bet many others
are in the same boat. I would love to be involved, but if you take me away
from my work for a week or more, I just can't. Many employers (who fund
most of us) can't - or won't let me go to a conference that has almost zero
relevance to my day job, and will not result in a single additional sale in
the next five years.
Even if working on OWASP projects was relevant to my job, the best we have
in the industry is 20% time (i.e. Google), so one day a week. If I'd
written the OWASP Developer Guide using 20% time starting in 2004, I would
have finished in 2010, and probably much later than that as it would have
required significant revision by the end, as it does now.
So I see the OWASP Foundation as being like the Royal Society or any number of
foundations. They employ key researchers and help a multitude of others to
succeed. The Linux Foundation employs the best of the best to do what no
commercial entity can really afford - to employ Linus to work solely on the
kernel. Yes, Canonical and Red Hat could do this, but it's hard for the
folks who employ us to do the same thing. I couldn't have written the OWASP
Guide or the Top 10 2007 during my day job - one took more than a working
year and the other six months.
We need the OWASP Foundation to stop splashing cash on airfares and hotels,
and really supporting the projects. We are famous for our projects, not our
I really think this should mean:
a) virtual salons for special interest working groups scheduled such that
we can all participate. I can't go to 2 AM meetings and I bet you can't
b) We have huge public interest in some of our biggest deliverables, all of
which are a bit long in the tooth. The OWASP Foundation should fund folks
to take time off and get 'er done. This would be immense return on
c) Obtain sponsorships for key individuals to become OWASP Fellows. I for
one would love to see Gareth Heyes and a few others be full time
researchers paid for by OWASP (I have not discussed this with Gareth, so my
apologies if he doesn't want to do this)
d) Do some curation. We have too many projects. Not all are equal and many
are very similar. I would like the GPC to go through all our efforts and
provide a "Design - Build - Test - Maintain" lifecycle approach.
e) Our current "Builders / Breakers / Defenders" community maps into this
okay, but that doesn't match what happens in software engineering practice.
If we're not aligned with industry, we're irrelevant. We need to be more on
the left-hand side - policy, education and architecture are where most if
not all of our issues start, and we have nothing, or so close to nothing
it's not funny.
I love the hallway track of every conference I go to, so don't get me wrong
- I am sure that summits are awesome, but I don't think OWASP should pay
for them. It's moderately easy under existing employers' funding
arrangements to get employers to pay for conferences as part of the
average training budget. It's impossible to get substantial amounts of time
off to do the basic research and writing time to produce works like ASVS /
Developer Guide / Testing Guide, as it's simply not relevant to 99.99% of
the work we do during the day, despite using them extensively. Getting the
right people to work on these projects is key to OWASP's long-term success.
Lastly, the Summits in 2008 and 2011 documented outcomes at the end of some
sessions. Has anyone measured the outcomes to see if they came true?
There's been enough time to see the effectiveness of the spend.
Has *any* of this come to pass? Has any of it actually started? If not, we
need to look at why not, and I personally think that it's because we are
not helping the folks best able to *drive* and *finish* these efforts to
produce concrete results. We can't do that if we're spending $200k+ on
summits that produce more to do lists, without first getting the previous
The OWASP Foundation is in a position to make this happen. Let's make it
* (rounded up; we haven't had $0.01 or $0.02 c coins for 20+ years)