2010 OWASP FROC Wrap Up

The OWASP FROC 2010 last week was a great conference.  Or so I heard, because I, unfortunately, couldn’t make it due to some scheduling issues.

Denim Group’s Bryan Beverly and John Dickson were both there to present and their slides are now online:

· John Dickson – The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise

· Bryan Beverly – Application Security Program Management with Vulnerability Manager

Here are John Dickson’s comments on FROC 2010:

Once again the FROC event hosted by local OWASP leaders in Colorado lived up to its billing.  For those not familiar with the FROC (“Front Range OWASP Conference”), it is an annual conference hosted in Denver by web app security practitioners where appsec deep thinkers congregate to speak, exchange ideas, and drink the occasional beer.  Over the past three years, conference organizers have put together the right mix of technical leaders and general industry types involved with the application security market.  Although most attendees are from Colorado, speakers were from nationally recognized appsec firms across the country.  This year, over 200 attendees heard from the likes of Jeremiah Grossman, Brian Chess, and Tom Brennan, from the International OWASP Board.

Like last year’s FROC, the conference had an informal feel to it, which was appreciated by all.  FROC, and other smaller regional conferences, are a breath of fresh air compared to the RSA and Black Hat conferences, which are really big and very corporate.  I had the opportunity to speak twice this year, first in a one-hour track session, then as a moderator for the conference wrap-up panel discussion.  My session, titled “The Permanent Campaign:  How to Build a Successful Software Security Initiative” was attended by a spirited group of security pros and managers interested in pushing successful software security efforts.  I tried to make the session lively – it was immediately after lunch and I feared the worst.  The session attendees had a ton of great questions for me and kept me on my toes.  Questions focusing on security metrics and ROI were the most prevalent.

As I emphasized during my session, building software is HARD. Building secure software is HARDER.  Building a secure security software initiative may be the most daunting task of all.  I hope those in attendance enjoyed my presentation and stay in touch.  Some of the best war stories I hear are from folks in the crowd at conferences like this.  The slide deck from the session can be downloaded here.  For the companion white paper, e-mail me at john at

Perhaps the highlight for many was the closing panel discussion.  Jeremiah Grossman from WhiteHat Security, Andy Lewis from OWASP, Randy Barr from Qualys, and Chris Nickerson from Lares Consulting were panelists who answered questions, traded barbs with audience members, and generally had fun in one of the most free flowing security discussions to date.  To characterize the FROC closing session as a “panel discussion” is probably a mistake from the start.  At points the session was more like a Jerry Springer show than an industry panel, but I doubt anyone really was too upset by that.  As panel moderator, there were moments of sheer terror when I thought things might get truly out of hand.  They didn’t.  Did I mention that beer flowed freely throughout?  Dave Campbell and organizers: we need to deputize Brian Martin and have him as a fixture on next year’s panel.  He’s smart, knows the history, plus others will be able to ask questions if he’s on stage ;-)

In the end, everyone had a blast.  The back and forth was healthy, even if one or two folks might have got more animated than they had planned.  We need more events like this…  Plan to come in 2011 when I hope we do it again.

That must have been some panel because I also saw WhiteHat Security’s Jeremiah Grossman tweet “Best panel I’ve ever been on. OWASP FROC audience is very lively and totally rocks! What a great event!”  Scheduling conflicts kept me from the conference this year, but after everyone else’s comments you can bet that I will find a way to make it next year.  Hope to see folks there.

Contact us for help building your organization’s software security program.



About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

One Response to “2010 OWASP FROC Wrap Up”

  1. Christy

    Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your site? My blog site is in the exact same niche as yours and my visitors would genuinely benefit from some of the information you present here. Please let me know if this is alright with you. Many thanks!
