The OWASP Summit exceeded all expectations

Conferences, SecDevOps

I attended my first OWASP Summit last week and it has spoiled most other conferences for me. The summit is not a traditional conference where an “expert” is selected by the CFP panel and has 40 minutes to expound The Truth from a podium, while everyone else takes notes. I’d call this a “top down” style of conference, and most in the security and appsec space follow this format.

What made the OWASP Summit unique was that it was a “bottom up” conference. A large number of topics were selected months ago and thrown up onto a GitHub page where anyone interested could sign up as an organiser or participant (no speakers). Participants could then suggest an outcome for the session, push some initial content and get the conversation going. If no one registered for a given topic, then it was removed. Initially, I thought this system was chaotic and would result in 20 strangers sitting in a room waiting for someone to lead. The exact opposite happened.

Everyone participating in a session had a real interest in being there and contributing or listening, and the participants spanned the range from security consultants to architects to CISOs. The result was engaging and informative discussion about key appsec topics where we could all challenge established ideas and dig deeper into the How and the Why of many practices.

Another key to the success was the calibre of the participants. I bumped into participants from Oracle, Microsoft, AXA, Adobe and Capital One. Participants who are actually implementing the practices contributed to the quality of the discussions during each session.

The premise was that each session should result in an outcome, something that can be published or used as a starting point for more material. While I don’t think many of the sessions achieved that goal, the real value was in the mental work and discussions during the sessions. In short, I’ll be attending every summit from now on and would love to see it becoming an annual event.

Many thanks to Sebastien Deleersnyder, Francois Raynaud and Dinis Cruz for organising the event as well as the many individual session organisers who made this event such a success. See you next year!
