5 reasons to attend an OWASP Global Event

What is an OWASP Global event?

I recently had the privilege of attending and speaking at the OWASP AppSec USA 2018 conference in San Jose, California, one of OWASP's global events. OWASP's global events differ from local or regional events, the most obvious differences being the size of the event and the fact that they are priced more like a regular industry conference (although still nowhere near the expense of something like Black Hat). This is because the global conferences are intended to act as OWASP's flagship events as well as to raise funds for OWASP's ongoing activities. In return, you get to hear talks from, and network with, some of the top security professionals from all over the world.

This was the first time I had attended an OWASP global event, despite having attended chapter meet-ups and regional conferences, so I wanted to take this opportunity to pull out some of my highlights.

1. A focus on fixing

One of my personal frustrations with many information security conferences and meet-ups is the significant bias towards talks about breaking things. Breaking stuff is fun, but too often the practicalities of what can actually be done about it get overlooked.

The programme at AppSec USA was very much the opposite, with most of the talks focusing on themes like "how to use this security measure or feature correctly", "here's how we do application security internally" or "introducing a new OWASP project and how it can help you".

This meant that a large portion of the attendees were in "defender" and "builder" job roles, the people ultimately responsible for securing software, and that attendees could expect to pick up skills and ideas which would be immediately applicable in their day jobs.

2. Friendly and fascinating community

I was a little nervous going into the conference, as I knew almost no one there and am an introvert by nature. Going from that into a ballroom for lunch with about 800 people at tables was a challenging experience, but overall I found that people were really friendly and happy to chat.

I got the chance to speak to the leader of what must be one of the largest OWASP chapters in the world, as well as the leader of one of the newest. I met various project leads and people I knew only from Twitter, and just generally had a lot of conversations with people from a variety of backgrounds and experiences who had come from all over the world to be at the conference.

Along the way I got pulled into a tequila party (although with absolutely no pressure to drink), tried to pick a lock whilst simultaneously holding a conversation with some seriously smart people, and got invited to give my talk again at another conference on the west coast.

The networking event on the first night also really helped with this, providing activities and exhibits to interact with which encouraged attendees to work together and talk.

3. Cutting edge talks and keynotes

With three tracks of talks (plus the Hush talk track and the OWASP project overview track), some hard decisions had to be made, as the overall quality of the talks was really high. Most of the time I was torn in (at least) a couple of directions, so I am glad that the talks were all recorded (see playlist here) and I can catch up with those which I missed.

Most of the talks highlighted something that I had not already come across, and I made an effort to chat with some of the speakers afterwards, or later on in the conference, to discuss further.

There were also some great keynotes from various leaders in the security and tech industry, who provided their high-level visions of how application security needs to adapt to the current technology landscape.

4. Big name sponsors

I probably didn't speak to as many of the sponsors as I should have done, although I did spend time talking to some of them, including having some really interesting discussions and meeting some really smart people. As a consultant, it is important for me to be familiar with the companies in the industry in case I have a client with a particular problem or I encounter their products at a client. To be honest, having an awareness of the key players in the industry will be valuable whatever your position.

Certainly, the quantity and quality of the sponsors reflected the high profile of the conference, and if you are a "swag" connoisseur then you will also be happy. 😉 Whilst I am generally too shy to load up on too much swag, I was able to pick up a nice backup battery for my phone, which was invaluable for my sightseeing day in San Francisco after the conference.

5. Supporting OWASP

OWASP is certainly a unique and irreplaceable organisation. By attending a global conference, aside from the other benefits which I have highlighted in this post, you are helping to financially support this vital organisation and ensure that it can continue to support its chapters and projects.

If you are already an OWASP member then you generally get a discount on the conference fee which covers the cost of your membership, and if you aren't already a member then a Global OWASP conference is a great place to sign up 🙂

Members get some dedicated swag, but also access to the members' lounge. Here you could get coffee and snacks all day whilst avoiding the crowds at the buffet during the coffee breaks, and it also provided a quieter, less overwhelming environment in which to meet people and chat.

Just do it!

Overall, it was an incredible experience and I would strongly recommend that anyone in the application and product security space attend one of these events or, even better, submit a talk to one. If you are looking for a solution-focused conference where you can hear practical talks, apply what you have learnt straight away and meet like-minded people, these are the conferences for you. Look out for announcements for the 2019 conferences!

(All photo credits to the official AppSec USA 2018 photo album here: https://www.eversnappro.com/album/794043)

The Grinch who stole AppSecEU

A cultural experience

Being an Orthodox Jew, Christmas and the meaning, stories and culture associated with it were always something that I only really saw second-hand.

However, when it was announced earlier this year that OWASP's AppSecEU conference, one of the few truly global application security conferences, was going to be held on my doorstep in Tel Aviv in 2018, it truly felt like Christmas was coming. My excitement built from the energy of the OWASP Summit in May to my first time speaking at an OWASP local chapter meeting in June about the difficulties and improvements with the OWASP Top 10 project (which I later spent some time proofreading and offering minor fixes for).

It continued with my presentation at the regional OWASP conference, AppSecIL (over 700 participants), and spending a little time contributing to the OWASP Top 10 Proactive Controls project and the OWASP JuiceShop project. On that high, I had started preparing CFP submissions for AppSecEU and had even included the high-quality training that usually comes with the conference in our company's training plan for next year.

(Before the shock…)

However, this came to a crashing halt last night when I came back online after the Jewish Sabbath and discovered that this December, the Grinch truly had stolen Christmas. In what appears to be an unprecedented move, the OWASP Global board had voted at their December meeting to arbitrarily move the conference to the UK (again) instead of Tel Aviv, and had waited until Friday night, the 23rd of December, to announce this. After the build-up throughout 2017, this felt like a kick in the gut.

Of course, what I felt would have been nothing compared with how the local organisers must have felt, having spent hundreds of volunteer hours planning for this conference together with the global OWASP team.

But why?

At stupid o'clock on Saturday night, I dug out the meeting recording to try and figure out what had happened. A number of reasons were discussed in the meeting, which you will hear about later, but the thing that stuck out was pretty much the very first question:

Tom Brennan (Board Secretary): “Is anyone representing the local team…on this call to give their comments and feedback on those statements.”

Karen Staley (Executive Director): “I have spoken to…Avi in great detail…What I share with you…is absolutely what we discussed over the phone…”

I was truly astonished by this, not to mention the remainder of this segment, where the entire discussion of expected problems with the conference seemed to be framed around the idea that these concerns were coming from the local OWASP chapter, or that the issues were the fault of the local chapter for being disorganised.

The board went on to accept this at face value (although I appreciate there was some pushback from some members). In relatively short order, the board voted unanimously to take the conference away from Tel Aviv and move it somewhere else, specifically London. This despite Tel Aviv being the only city other than Redmond where Microsoft holds its own BlueHat security conference, and despite the fact that AppSecEU would have coincided with, but not clashed with, CyberWeek at Tel Aviv University, which last year had 6,000 attendees from over 50 countries.

Miscommunications

It sounded to me like there had been some sort of miscommunication, as from my interactions with the local team it seemed like planning was well underway. OWASP had even sent an employee over to AppSecIL to check out the venue which had been agreed. Additionally, I know that Avi, the conference chair, has lived and breathed application security, and especially OWASP, for years now.

I waited impatiently to hear from the local chapter, and once their statement was released it became clear the extent to which the local chapter had been screwed over. As I said, Avi is a very strong proponent of OWASP, and for him to have written such a strongly worded statement tells you something about the circumstances.

The statement from OWASP Israel

I would strongly recommend reading the full statement to understand the situation, as whilst it is long, it comprehensively explains the extent to which the Israel team have been shoddily treated.

However, I do want to pull out a few key sentences from that statement:

“The OWASP Israel chapter is vehemently opposed to this move, and we do not accept nor agree with the official statement in any way.”

“It should be noted that this decision was made WITHOUT consulting with the local chapter and conference committee, or even gathering the relevant information from us.”

"Regardless of what the OWASP Leadership believes about the AppSec community in Israel, I have the privilege of being part of one of the strongest, most active OWASP communities in the world."

“For those companies that usually support or sponsor OWASP Foundation and AppSec conferences, I call on you to continue to support the OWASP communities and its mission — but support the local chapters that are actually doing the work.”

Closing thoughts

The conference that never will be?

The time I have spent writing this was supposed to be set aside for polishing up and sending some more CFP submissions for AppSecEU. Right now, I don't know if I want to do that. If I get a CFP entry accepted, I don't really look forward to having to get approval for travel and accommodation from my company for this conference after what the OWASP board has done.

I call on the OWASP Board to urgently consider the following points and act to fix this injustice, ideally restoring AppSecEU 2018 to Tel Aviv:

  • Can the December 6th vote on AppSecEU really be considered valid, given that the entire discussion was predicated on the local chapter's agreement? Surely it is clear that the board needs to receive a presentation from the OWASP Israel team on their position, as it was not fairly presented at the board meeting.
  • How was it considered acceptable to release this news on Friday night, 23 December?
  • How can the board ensure that this type of catastrophic misrepresentation does not occur again?
  • How does this action create a "stronger" and "more engaged" community?
  • How is it possible that several months ago the OWASP board withdrew support for the Project Summit 2018, but that the new Executive Director has effectively based the change to AppSecEU on having spoken to the organiser and apparently joining with this summit (rather than speaking with the London chapter leaders)?
  • Is it appropriate that this very large decision was considered to be "one little thing" (1:22:52 of the recording)?

I have been excited to get more and more involved in donating my time and energy to OWASP during the course of this year. I will be closely monitoring how this issue is addressed, and I will have to consider my future OWASP involvement on that basis.

Reflections on attending and presenting at AppSec Israel 2017

https://appsecil.org/

For various reasons, this year was the first year I made it to OWASP AppSec Israel, the national application security conference here in Israel. Not only that, but I was honoured to be accepted to present as well. It was a long day, including a speakers' and organisers' dinner in the evening, but as well as being tired I was also really buzzing with excitement, so I thought I'd jot down a few notes about the day.

The agenda

There were a bunch of really great talks on the agenda (credit to Irene Abezgauz, who chaired the content committee), with a big emphasis on talks aimed at sharing ideas and experiences for defenders and builders (with a few cool hacks thrown in as well). I thought having the agenda balanced in that way was really great as, like Avi said in his opening comments, defenders and builders are the main audience for OWASP.

The atmosphere

The overall atmosphere seemed really positive, supportive and open. People were socialising and making an effort to talk to other people, and there seemed to be a really happy buzz in the communal areas.

Presenting at the conference

This was my first time presenting at a major conference and I was pretty nervous. Ultimately I had practised hard and I think it went OK (if a little fast), and hopefully people will get some benefit out of the ideas I shared. (Eventually I will try and post a blog based on the talk for those who missed it.) Despite my nerves, having friends, colleagues and my boss attending and supporting really made it special and made me feel a lot better. The organisers were really supportive as well, with Or telling me a joke just before I was about to start.

Seeing friends and colleagues

It was great to hang out with friends who I work with, friends who I used to work with and friends who I've never worked with, especially catching up with those who I don't see very often. As a presenter, having them there also made it more special. It was also great seeing colleagues who I've worked with on different client projects and catching up with them. A great thing about being a consultant is working with a wide range of different people, and it was great to see some of them there.

The sponsors

It was great to see so many local organisations sponsoring the conference, including my employer, Comsec Group. Having these sponsors meant that the conference could be high quality but free to attend, and it was great to see these organisations contributing back to the community.

I also thought that the sponsors' area had a nice buzz to it, with companies raising their profiles whilst also searching for new talent (and giving away some nice goodies as well, like a showerproof Bluetooth speaker ☺). It seemed like a win-win for everyone, and I didn't notice much aggressive attention seeking.

Fringe activities

The main conference had two tracks, but there was also the CTF and workshops put on by GE Digital as part of their "Diamond" sponsorship of the conference, as well as CV review sessions to help job seekers. Again, I thought these added extra facets to the day.

Meeting new people

This was a great day for meeting new people as well, including fellow speakers and people I'd had Twitter conversations with but never met face to face before.

Particular highlights were meeting local InfoSec superstar Keren Elazari and chatting to Tiffany Long, the OWASP Community Manager, but I also had loads of great conversations with other presenters and attendees. LobbyCon was definitely going strong.

OWASP Israel

“OWASP works!” — https://youtu.be/TfIky1agmDY?t=794

A few months back, Ian Amit gave a slightly brutal closing keynote at BSidesTLV lamenting the decline of the local InfoSec community. In that talk, he specifically praised the Israeli OWASP chapter for keeping regular meetings going and just generally staying active. The conference today was a great illustration of that strength, and it's a credit to the OWASP Israel board (led up to now by Avi Douglen, with Or Katz taking the lead going forward) that the global OWASP annual conference, AppSecEU, is going to be in Tel Aviv for 2018.

These are exciting times for the local AppSec and InfoSec community and I’m looking forward to getting more involved in local and international OWASP activities in the future.

Thanks again to Avi, Or, Ofer, Hemed, Yossi and Irene (and all the others who volunteered their time and effort) for such a great conference!