Tag: Conference

The Grinch who stole AppSecEU

The Grinch who stole AppSecEU

A cultural experience

Being an Orthodox Jew, Christmas and the meaning, stories and culture associated with it were always something that I only really saw second-hand.

However, when it was announced earlier this year that OWASP’s AppSecEU Conference, one of the few truly global Application Security conferences, was going to be held on my door step in Tel Aviv in 2018, it truly felt like Christmas was coming. My excitement built from the energy of the OWASP Summit in May to my first time speaking at an OWASP local chapter meeting in June about the difficulties and improvements with the OWASP Top 10 Project (which I later spent some time proof reading and offering minor fixes).

It continued with my presentation at the regional OWASP conference, AppSecIL (over 700 participants) and spending a little time contributing to the OWASP Top 10 Proactive Controls project and the OWASP JuiceShop project. On that high, I had started preparing CFP submissions for AppSecEU and had even included the high quality training that usually comes with the conference in our Company’s training plan for next year.

(Before the shock…)

However, this came to a crashing halt last night when I came back online after the Jewish Sabbath and discovered that this December, the Grinch truly had stolen Christmas. In what appears to be an unprecedented move, the OWASP Global board had voted at their December meeting to arbitrarily move the conference to the UK (again) instead of Tel Aviv and had waited until Friday night, the 23rd of December to announce this. After the build up throughout 2017, this felt like a kick in the gut.

Of course, what I felt would have been nothing compared with how the local organisers must have felt having spent 100s of volunteer hours planning for this conference together with the global OWASP team.

But why?

https://www.dropbox.com/s/y9ahm0vzpml30a8/viss-why.gif?dl=0

At stupid o’clock on Saturday night, I dug out the meeting recording to try and figure out what had happened. A number of reasons were discussed in the meeting which you will hear about later but the thing that stuck out was pretty much the very first question:

Tom Brennan (Board Secretary): “Is anyone representing the local team…on this call to give their comments and feedback on those statements.”

Karen Staley (Executive Director): “I have spoken to…Avi in great detail…What I share with you…is absolutely what we discussed over the phone…”

I was truly astonished by this, not to mention the remainder of this segment where the entire discussion of expected problems with the conference seemed to be framed around the idea that these concerns were coming from the local OWASP chapter or that the issues were the fault of the local chapter for being disorganised.

The board went on to accept this at face value (although I appreciate there was some pushback from some members.) In relatively short order, the board voted unanimously to take the conference away from Tel Aviv (the only city other than Redmond where Microsoft hold their own BlueHat security conference and where it would have coincided but not clashed with CyberWeek at Tel Aviv University which last year had 6,000 attendees from over 50 countries) and move it somewhere else. Specifically to London.

Miscommunications

http://tembusu.nus.edu.sg/treehouse/wp-content/uploads/2015/10/Broken_telephone.jpg

It sounded to me like there had been some sort of miscommunication as from my interactions with the local team it seemed like planning was well underway. OWASP had even sent an employee over to be at AppSecIL and check out the venue which had been agreed. Additionally, I know that Avi, the conference chair has lived and breathed application security and especially OWASP for years now.

I waited impatiently to hear from the local chapter and once their statement was released, it became clear the extent to which the local chapter had been screwed over. As I said, Avi is a very strong proponent of OWASP and for him to have written such a strongly worded statement tells you something about the circumstances.

The statement from OWASP Israel

I would strongly recommend reading the full statement to understand the situation as whilst it is long, it comprehensively explains the extent to which the Israel team have been shoddily treated.

However, I do want to pull out a few key sentences from that statement:

“The OWASP Israel chapter is vehemently opposed to this move, and we do not accept nor agree with the official statement in any way.”

“It should be noted that this decision was made WITHOUT consulting with the local chapter and conference committee, or even gathering the relevant information from us.”

“Regardless of what the OWASP Leadership believes about the AppSec community in israel‍, I have the privilege of being part of one of the strongest, most active OWASP communities in the world.”

“For those companies that usually support or sponsor OWASP Foundation and AppSec conferences, I call on you to continue to support the OWASP communities and its mission — but support the local chapters that are actually doing the work.”

Closing thoughts

The conference that never will be?

The time when I have been writing this was supposed to be set aside for me to polish up and send some more CFP submissions for AppSecEU. Right now, I don’t know if I want to do that. If I get a CFP entry accepted, I don’t really look forward to having to get approval for travel and accommodation from my company for this conference after what the OWASP board has done.

I call on the OWASP Board to urgently consider the following points and act to fix this injustice, ideally restoring AppSecEU 2018 to Tel Aviv:

  • Can the December 6th vote on AppSecEU really be considered to be valid given that the entire discussion was predicated on the local chapters agreement? Surely it is clear that the board needs to receive a presentation from the OWASP Israel team on their position as it was not fairly presented at the board meeting.
  • How was it considered acceptable to release this news on Friday night, 23 December?
  • How can the board ensure that this type of catastrophic misrepresentation does not occur again?
  • How does this action create a “stronger” and “more engaged” community?
  • How is it possible that several months ago the OWASP board withdrew support for the Project Summit 2018 but that the new Executive Director has effectively based the change in AppSecEU on having spoken to the organizer and apparently joining with this summit (rather than speaking with the London chapter leaders).
  • Is it appropriate that this very large decision was considered to be “one little thing”(1:22:52 of the recording)?

I have been excited to get more and more involved with donating my time and energy to OWASP during the course of this year. I will be closely monitoring how this issue is addressed and I will have to consider my future OWASP involvement on this basis.

Reflections on attending and presenting at AppSec Israel 2017

https://appsecil.org/

For various reasons, this year was the first year I made it to OWASP AppSec Israel, the national Application Security conference here in Israel. Not only that but I was honoured to be accepted to present as well. It was a long day including a speakers/organisers dinner in the evening but as well as being tired I was also really buzzing with excitement and I thought I’d jot down a few notes about the day.

The agenda

There were a bunch of really great talks on the agenda (credit to Irene Abezgauz who chaired the content committee) with a big emphasis on talks aimed at sharing ideas and experiences for defenders and builders (with a few cool hacks thrown in as well). I thought having the agenda balanced in that way was really great as, like Avi said in his opening comments, defenders and builders are the main audience for OWASP.

The atmosphere

The overall atmosphere seemed really positive, supportive and open. People seemed to be socialising, people, were making an effort to talk to other people, there seemed to be a really happy buzz in the communal areas.

Presenting at the conference

This was my first time presenting at a major conference and I was pretty nervous. Ultimately I had practiced hard and I think it went OK (if a little fast) and hopefully people will get some benefit out of the ideas I shared. (Eventually I will try and post a blog based on the talk for those who missed it.) Despite my nerves, having friends, colleagues and my boss attending and supporting really made it special and made me feel a lot better. The organisers were really supportive as well with Or telling me a joke just before I was about to start.

Seeing friends and colleagues

It was great to hang out with friends who I work with, friends who I used to work with and friends who I’ve never worked with, especially catching up with those who I don’t see very often. As a presenter, having them there also made it more special. It was also great seeing colleagues who I’ve worked with on different client projects and catching up with them. A great thing about being a consultant is working with a wide range of different people it was great to see some of them there.

The sponsors

It was great to see so many local organisations sponsoring the conference including my employer, Comsec Group. Having these sponsors meant that the conference could be high quality but free to attend and it was great to see these organisations contributing back to the community.

I also thought that the sponsors area had a nice buzz to it with companies raising their profiles whilst also searching for new talent (and giving away some nice goodies as well like a showerproof Bluetooth speaker ☺.) It seemed like a win-win for everyone and I didn’t notice much aggressive attention seeking.

Fringe activities

The main conference was two tracks but there was also the CTF and workshops put on by GE Digital as part of their “Diamond” sponsorship of the conference as well as CV review sessions to help job seekers. Again, I thought these added extra facets to the day of the conference.

Meeting new people

This was a great day for meeting new people as well including people I’d never met before, fellow speakers and also people I’d had Twitter conversations with but not met face-to-face before.

Particular highlights were meeting local InfoSec superstar Keren Elazari and chatting to Tiffany Long, the OWASP Community Manager but I also had loads of great conversations with other presenters and other attendees, LobbyCon was definitely going strong.

OWASP Israel

“OWASP works!” — https://youtu.be/TfIky1agmDY?t=794

A few months back, Ian Amit gave a slightly brutal closing keynote at BSidesTLV lamenting the decline of the local InfoSec community. In that talk, he specifically praised the Israeli OWASP chapter for keeping regular meetings going and just generally staying active. The conference today was a great illustration of that strength and it’s a credit to the OWASP Israel board (led up to now by Avi Douglen with Or Katz taking the lead going forward) that the Global OWASP annual conference, AppSecEU is going to be in Tel Aviv for 2018.

These are exciting times for the local AppSec and InfoSec community and I’m looking forward to getting more involved in local and international OWASP activities in the future.

Thanks again to Avi, Or, Ofer, Hemed, Yossi and Irene (and all the others who volunteered their time and effort) for such a great conference!