I attended my first OWASP Summit last week and it has spoiled most other conferences for me. The summit is not a traditional conference where an “expert” is selected by the CFP panel and has 40 minutes to expound The Truth from a podium, while everyone else takes notes. I’d call this a “top down” style of conference, and most in the security and appsec space follow this format.
What made the OWASP Summit unique was that it was a “bottom up” conference. A large number of topics were selected months ago, thrown up onto a GitHub page where anyone interested could sign up as an organiser or participant (no speakers). Participants could then suggest an outcome for the session, push some initial content and get the conversation going. If no-one registered for a given topic, then it was removed. Initially, I thought this system was chaotic and would result in 20 strangers sitting in a room waiting for someone to lead. The exact opposite happened.
Everyone participating in a session had a real interest in being there and contributing or listening, and the participants spanned the range from security consultants to architects to CISOs. The result was engaging and informative discussion about key appsec topics where we could all challenge established ideas and dig deeper into the How and the Why of many practices.
Another key to the success was the calibre of the participants. I bumped into participants from Oracle, Microsoft, AXA, Adobe and Capital One. Participants who are actually implementing the practices contributed to the quality of the discussions during each session.
The premise was that each session should result in an outcome, something that can be published or used as a starting point for more material. While I don’t think many of the sessions achieved that goal, the real value was in the mental work and discussions during the sessions. In short, I’ll be attending every summit from now on and would love to see it become an annual event.
Many thanks to Sebastien Deleersnyder, Francois Raynaud and Dinis Cruz for organising the event, as well as the many individual session organisers who made this event such a success. See you next year!