29 Jun, 2017

Three Reasons Why You Should Consider Attending the OWASP Summit 2018

by Brian Glas

After I returned home from the OWASP Summit last week, I started with my typical evaluation of my time. I asked myself whether or not this was a good use of a week, did I contribute, what did I learn, and most importantly, would I do it again? The answer to the first and last questions was an emphatic “YES!”. After further introspection (completing the feedback loop!), I realized there were three primary reasons I was planning to return for the next summit.

“Stay and Play” vs. “Show and Go”

If you are tired of “show and go” style conferences where you shuffle from room to room trying to find some nugget of useful information and would rather spend your time working with small, diverse teams to further a goal, the OWASP Summit might be the place for you.

Leading up to the summit, a lot of work went into preparation: all the typical event planning logistics in addition to organizers contributing session schedules along with descriptions, goals, etc. This second part was essential in helping to convince >200 people that they needed to spend their time at the Summit. Many came for a full week, others came for a day or two, the rest were remote.

The sessions had organizers, participants, and goals. The organizer’s role was to ensure the discussion stayed on track and contributed to the stated goal. The participant’s role was to participate (and a high percentage of them did). There were four main sessions a day: a two hour morning session, followed by lunch, an hour and a half session in the afternoon, a coffee break (love working in the UK/EU), and a pair of one hour sessions to finish up the afternoon. Many projects continued with more informal evening sessions after dinner. Google Hangouts was used to allow remote participation, which worked pretty well for the most part. I’m fairly certain we overwhelmed the venue’s Wi-Fi network at times, but we adapted. Most of the sessions with remote participation had minimal issues and allowed the people who were unable to travel to the UK to contribute.

The 2017 Summit was focused on outputs and objectives. Almost every session had a tech writer who would take notes and consolidate them after each session. During dinner, tech writers and organizers would meet to ensure the outputs from each session were recorded and summarized into a couple of slides for the daily debrief. This helped to drive the community of organizers to create actionable output, because no one wants to be the person who didn’t accomplish anything that day. The daily debrief also helped keep everyone abreast of what was going on in the sessions they didn’t attend. With so much going on, participants often had to pick one of two or three sessions that they really wanted to participate in. For instance, I was trying to balance between organizing SAMM sessions and helping with the Top 10, and I wanted to participate in the Threat Modeling sessions, but decided that would have to be another day and time.

The People

I believe almost everyone present (I’m in security, I don’t deal in absolutes) was there to learn and contribute. It was an amazing collection of people who wanted to take some of their precious time to contribute to projects in OWASP. I know there is some controversy at times; regardless, there are a large number of committed individuals who believe they can help to make a difference in securing software.

At the summit there were approximately 150 people from all over the world (Belgium, Canada, Croatia, Germany, India, Ireland, Israel, Italy, Mexico, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Singapore, Spain, Sweden, United Kingdom, United States, & Uruguay). It was an amazing collection of people coming from very different backgrounds. We had security consultants, researchers, students, developers, security “hobbyists,” product managers, management, and more. There were independent folks alongside small businesses and global companies. In talking to a number of people, the common thread was that they enjoyed the working aspect of the conference. More is gained, more is retained, and in many cases, there was a motivation and desire to continue to contribute after the summit was over.

I heard from a few people that they had the perception that many OWASP projects, especially flagship and more mature projects, were closed projects that were not looking for their contributions. There is also a bit of perceived “imposter syndrome,” wherein they believed that they couldn’t really contribute because they wouldn’t measure up. Hopefully, most of this misunderstanding was corrected. At least in my experience, the majority of project leads welcome genuine contributions from people who are interested in and passionate about their project.

Giving Back

This overlaps a bit with the first two sections, but who really wants to click on a blog article that is titled “Two Reasons Why…?” There is just something magical about the power of “Three.” Plus, this is something that is very important to me personally and I wanted to call it out. Every day we work in this field, we build knowledge, tools, processes, solutions, and other things that can be managed in many ways. Sometimes, we need to protect the output as intellectual property and sell it as a product or service to help pay the bills or fund future projects. Sometimes, we need to contribute that product to the greater goal of more globally secure software. It’s a tough line to walk at times. Honestly, there are some contributions that I (and others) have made to SAMM that could have easily been kept in-house and sold to clients. But, we can’t do that with everything. There needs to be a balance, and from my perspective, it still needs to tip more towards the giving back rather than the holding in.

One of the things I loved most about the OWASP Summit 2017 was the amount of giving back: the time spent sharing stories, the lessons learned, the knowledge gained through trials, and the other (sanitized) outputs from our day jobs. It was awesome. There were long, tiring days, but they were totally worth it. I plan on returning for the Summit 2018 and I really think you should consider it as well.

You can find the outcomes for each of the summit topics on the site (draft): OWASP Summit Outcomes

Stephen De Vries of Continuum Security had some similar thoughts on the summit: OWASP Summit Exceeded Expectations

Matteo Meucci of Minded Security also had good things to say about the summit: OWASP Summit 2017: what’s new?