Note on 13th September 2022: Unfortunately I linked some of the photos from the official AppSec USA photo album which seems to no longer be live. Hopefully the text is descriptive enough… 🙂
What is an OWASP Global event?
I recently had the privilege of attending and speaking at the OWASP AppSec USA 2018 conference in San Jose, California, one of OWASP’S global events. OWASP’s global events differ from local or regional events with the most obvious differences being the size of the event and the fact that they are priced more like a regular industry conference (although still nowhere near the expense of something like BlackHat). This is because the global conferences are intended to act as OWASP’s flagship events as well as to raise funds for OWASP’s ongoing activities. In return, you get to hear talks from and network with some of the top security professionals from all over the world.
This was the first time I had attended a OWASP global event despite having attended chapter meet-ups and regional conferences so I wanted to take this opportunity to pull out some of my highlights.
1. A focus on fixing
One of my personal frustrations with many Information Security conferences and meet-ups is the significant bias towards talks about breaking things. Breaking stuff is fun but too often the practicalities of what can be done get overlooked.
The programme at AppSec USA was very much the opposite with most of the talk subjects focusing on themes like “how to use this security measure or feature correctly” or “here’s how we do application internally” or “introducing a new OWASP project and how it can help you”.
This meant that a large portion of the attendees were in “defender” and “builder” job roles who are ultimately responsible for securing software and meant that attendees could expect to pick up skills and ideas which would be immediately applicable in their day jobs.
2. Friendly and fascinating community
I was a little nervous going into the conference as I knew almost no one there and am an introvert by nature. Going from that into the ballroom for lunch with about 800 people at tables was a challenging experience but overall I found that people were really friendly and happy to chat.
I got the chance to speak to the leader of what must be one of the largest OWASP chapters in the world as well as the leader of one of the newest. I met various project leads, people I knew only from Twitter and just generally had a lot of conversations with people from a variety of backgrounds and experiences who had come from all over the world to be at the conference.
Along the way I got pulled into a tequila party (although with absolutely no pressure to drink), tried to pick a lock whilst simultaneously holding a conversation with some seriously smart people and got invited to give my talk again at another conference on the west coast.
The networking event on the first night also really helped with this providing activities and exhibits to interact with which encouraged attendees to work together and discuss.
3. Cutting edge talks and keynotes
With three tracks of talks, (plus the Hush talk track and the OWASP project overview track) some hard decisions had to be made as the overall quality of the talks was really high. Most of the time I was torn in (at least) a couple of directions so I am glad that the talks were all recorded (see playlist here) so I can catch up with those which I missed.
Most of the talks were highlighting something that I had not already come across and I made an effort to chat with some of the speakers afterwards or later on in the conference to discuss further.
There were also some great keynotes from various leaders in the security and tech industry who provided their high level visions of how application security needs to adapt to the current technology landscape.
4. Big name sponsors
I probably didn’t speak to as many of the sponsors as I should have done although I did spend time talking to some of them, including having some really interesting discussions and meeting some really smart people. As a consultant, it is important for me to be familiar with the companies in the industry in case I have a client with a particular problem or I encounter their products at a client. To be honest, having an awareness of the key players in the industry will be valuable whatever your position.
Certainly, the quantity and quality of the sponsors reflected the high-profile of the conference and if you are a “swag” connoisseur then you will also be happy. 😉 Whilst I am generally too shy to load up on too much swag, I was able to pick myself up a nice backup battery for my phone which was invaluable for my sightseeing day in San Francisco after the conference.
5. Supporting OWASP
OWASP is certainly a unique and irreplaceable organisation. By attending a global conference, aside from the other benefits which I have highlighted in this post, you are helping to financially support this vital organisation and ensure that it can continue to support its chapters and projects.
If you are already an OWASP member then you generally get a discount on the conference fee which will cover your membership and if you aren’t already a member then a Global OWASP conference is a great place to sign up 🙂
Members get some dedicated swag but also access to the members lounge. Here you could get coffee and snacks all day whilst avoiding the crowds at the buffet during the coffee breaks but also it provided a quieter, less overwhelming environment to meet people and chat.
Just do it!
Overall, it was an incredible experience and I would strongly recommend anyone in the application and product security space to attend one of these events or, even better, submit a talk to one of these events. If you are looking for a solution-focused conference where you can hear practical talks, apply what you have learnt straight away and meet like-minded people, these are the conferences for you. Look out for announcements for the 2019 conferences!