[Owasp-summit-2013] (Why Summits are special) Re: Cancelation of the OWASP Summit 2013
dinis.cruz at owasp.org
Mon Apr 9 22:47:37 UTC 2012
Andrew, the idea of OWASP paying its leaders to work on OWASP projects
expired a couple of years ago (at the last SoC actually).
Chris made a number of good points against it and it is one of those ideas
that could actually implode our entire community. This is why I pushed hard
for the concept of '*OWASP Leaders cannot be paid by OWASP*' while I was
at the Board. In some ways it is a self-defense mechanism for OWASP.
Now, of course, ideally those leaders should be paid for their work and
effort. It just can't be OWASP funds.
I think the Linux Foundation example is interesting, and I can see that
working where for example ESAPI, AppSensor, O2, Testing Guide, etc...
coders/writers are funded by (for example) an ESAPI Foundation or companies
that want to see it evolve. And OWASP must be independent in this. In a way
it is the project that needs to be relevant enough that it has financial
supporters that want to 'invest' on it (what OWASP can do, it is make that
Unfortunately you have not been able to attend one of our last Summits, so
I think your view of its effectiveness is affected by that. The energy and
work that is done is off the charts. That said, yes, we should measure its
effectiveness (if anything, to know what to do better next time).
That said, we absolutely need to put a lot more energy and resources into
our projects, and I go back to the idea that the first thing that we need
to do is *to review them all*.
We still don't know what we have!!
There is so much work and energy that has been put into our projects. And
the least we should do to respect the effort those project leaders put in,
is to review them and to figure out the next steps for each of those
On 9 April 2012 23:30, vanderaj vanderaj <vanderaj at owasp.org> wrote:
> I've read a lot for and against summits. Honestly, we need to do less big
> bang things, and provide organisational focus.
> Think about this:
> The Royal Society has for over 300 years provided fellowships that have
> produced more world changing research than any other organization on the
> planet. They also provided a place for like minded folks to meet and
> research (salons). Individual salons provided the shoulders of giants to
> rub, but in the end, we remember the achievements, not the salons. More to
> the point, the Royal Society doesn't just fund British researchers, they
> are an international organization.
> We as an organisation must set ourselves up for long term relevance by
> providing the enablers for our projects to succeed. Using most of our
> annual income on a summit robs us of the opportunity to do something else
> (or many other things). OWASP needs focus and to support researchers doing
> what we have not done before. We don't need to create a multitude of
> developer, testing or coding guides, we need only a few good ones. We need
> to provide a space where the next Gareth Heyes can discover (or more likely
> fuzz) a universal solution for XSS.
> That isn't in my view by paying out for folks to fly half way around the
> world. Let's replace the annual event with monthly or weekly virtual
> salons. We need community that has low barriers to entry. I CAN'T make it
> to an event on the other side of the planet - my family circumstances just
> don't allow it, let alone my hectic working schedule, and I bet many others
> are in the same boat. I would love to be involved, but if you take me away
> from my work for a week or more, I just can't. Many employers (who fund
> most of us) can't - or won't let me go to a conference that has almost zero
> relevance to my day job, and will not result in a single additional sale in
> the next five years.
> Even if working on OWASP projects was relevant to my job, the best we have
> in the industry is 20% time (i.e. Google), so one day a week. If I'd
> written the OWASP Developer Guide using 20% time starting in 2004, I would
> have finished in 2010, and probably much later than that as it would have
> required significant revision by the end, as it does now.
> So I see OWASP Foundation to be like the Royal Society or any number of
> foundations. They employ key researchers and help a multitude of others to
> succeed. The Linux Foundation employs the best of the best to do what no
> commercial entity can really afford - to employ Linus to work solely on the
> kernel. Yes, Canonical and Red Hat could do this, but it's hard for the
> folks who employ us to do the same thing. I couldn't have written the OWASP
> Guide or the Top 10 2007 during my day job - one took more than a working
> year and the other six months.
> We need the OWASP Foundation to stop splashing cash on airfares and
> hotels, and really supporting the projects. We are famous for our projects,
> not our summits.
> I really think this should mean:
> a) virtual salons for special interest working groups scheduled such that
> we can all participate. I can't go to 2 AM meetings and I bet you can't
> b) We have huge public interest in some of our biggest deliverables, all
> of which are a bit long in the tooth. The OWASP Foundation should fund
> folks to take time off and get 'er done. This would be immense return on
> c) Obtain sponsorships for key individuals to become OWASP Fellows. I for
> one would love to see Gareth Heyes and a few others be full time
> researchers paid for by OWASP (I have not discussed this with Gareth, so my
> apologies if he doesn't want to do this)
> d) Do some curation. We have too many projects. Not all are equal and many
> are very similar. I would like the GPC to go through all our efforts and
> provide a "Design - Build - Test - Maintain" lifecycle approach.
> e) Our current "Builders / Breakers / Defenders" community maps into this
> okay, but that doesn't match what happens in software engineering practice.
> If we're not aligned with industry, we're irrelevant. We need to be more on
> the left hand side - policy, education and architecture is where most if
> not all of our issues start and we have nothing or so close to nothing,
> it's not funny.
> I love the hallway track of every conference I go to, so don't get me
> wrong - I am sure that summits are awesome, but I don't think OWASP should
> pay for them. It's moderately easy under existing employers' funding
> arrangements to get employers to pay to get conferences as part of the
> average training budget. It's impossible to get substantial amounts of time
> off to do the basic research and writing time to produce works like ASVS /
> Developer Guide / Testing Guide, as it's simply not relevant to 99.99% of
> the work we do during the day, despite using them extensively. Getting the
> right people to work on these projects is key to OWASP's long term success.
> Lastly, the Summits in 2008 and 2011 documented outcomes at the end of
> some sessions. Has anyone measured the outcomes to see if they came true?
> There's been enough time to see the effectiveness of the spend.
> Has *any* of this come to pass? Has any of it actually started? If not, we
> need to look at why not, and I personally think that it's because we are
> not helping the folks best able to *drive* and *finish* these efforts to
> produce concrete results. We can't do that if we're spending $200k+ on
> summits that produce more to do lists, without first getting the previous
> to-do's done.
> The OWASP Foundation is in a position to make this happen. Let's make it
> My $0.05*
> * (rounded up; we haven't had $0.01 or $0.02 c coins for 20+ years)