The OWASP Summit exceeded all expectations


I attended my first OWASP Summit last week and it has spoiled most other conferences for me. The summit is not a traditional conference where an “expert” is selected by the CFP panel and has 40 minutes to expound The Truth from a podium, while everyone else takes notes. I’d call this a “top down” style of conference, and most in the security and appsec space follow this format.

What made the OWASP Summit unique was that it was a “bottom up” conference. A large number of topics were selected months ago, thrown up onto a GitHub page where anyone interested could sign up as an organiser or participant (no speakers). Participants could then suggest an outcome for the session, push some initial content and get the conversation going. If no-one registered for a given topic, then it was removed. Initially, I thought this system was chaotic and would result in 20 strangers sitting in a room waiting for someone to lead. The exact opposite happened.

Everyone participating in a session had a real interest in being there and contributing or listening, and the participants spanned the range from security consultants to architects to CISOs. The result was engaging and informative discussion about key appsec topics where we could all challenge established ideas and dig deeper into the How and the Why of many practices.

Another key to the success was the calibre of the participants. I bumped into participants from Oracle, Microsoft, AXA, Adobe and Capital One. Participants who are actually implementing the practices contributed to the quality of the discussions during each session.

The premise was that each session should result in an outcome, something that can be published or used as a starting point for more material. While I don’t think many of the sessions achieved that goal, the real value was in the mental work and discussions during the sessions. In short, I’ll be attending every summit from now on and would love to see it becoming an annual event.

Many thanks to Sebastien Deleersnyder, Francois Raynaud and Dinis Cruz for organising the event as well as the many individual session organisers who made this event such a success. See you next year!
