The OWASP FROC 2010 last week was a great conference. Or so I heard, because I, unfortunately, couldn’t make it due to some scheduling issues.
Denim Group’s Bryan Beverly and John Dickson were both there to present and their slides are now online:
Here are John Dickson’s comments on FROC 2010:
Once again the FROC event hosted by local OWASP leaders in Colorado lived up to its billing. For those not familiar with the FROC (“Front Range OWASP Conference”), it is an annual conference hosted in Denver by web app security practitioners where appsec deep thinkers congregate to speak, exchange ideas, and drink the occasional beer. Over the past three years, conference organizers have put together the right mix of technical leaders and general industry types involved with the application security market. Although most attendees are from Colorado, speakers were from nationally recognized appsec firms across the country. This year, over 200 attendees heard from the likes of Jeremiah Grossman, Brian Chess, and Tom Brennan, from the International OWASP Board.
Like last year’s FROC, the conference had an informal feel to it, which was appreciated by all. FROC, and other smaller regional conferences, are a breath of fresh air compared to the RSA and Black Hat conferences, which are really big and very corporate. I had the opportunity to speak twice this year, first in a one-hour track session, then as a moderator for the conference wrap-up panel discussion. My session, titled “The Permanent Campaign: How to Build a Successful Software Security Initiative,” was attended by a spirited group of security pros and managers interested in pushing successful software security efforts. I tried to make the session lively – it was immediately after lunch and I feared the worst. The session attendees had a ton of great questions for me and kept me on my toes. Questions focusing on security metrics and ROI were the most prevalent.
As I emphasized during my session, building software is HARD. Building secure software is HARDER. Building a secure security software initiative may be the most daunting task of all. I hope those in attendance enjoyed my presentation and stay in touch. Some of the best war stories I hear are from folks in the crowd at conferences like this. The slide deck from the session can be downloaded here. For the companion white paper, e-mail me at john at denimgroup.com
Perhaps the highlight for many was the closing panel discussion. Jeremiah Grossman from WhiteHat Security, Andy Lewis from OWASP, Randy Barr from Qualys, and Chris Nickerson from Lares Consulting were panelists who answered questions, traded barbs with audience members, and generally had fun in one of the most free-flowing security discussions to date. To characterize the FROC closing session as a “panel discussion” is probably a mistake from the start. At points the session was more like a Jerry Springer show than an industry panel, but I doubt anyone really was too upset by that. As panel moderator, there were moments of sheer terror when I thought things might get truly out of hand. They didn’t. Did I mention that beer flowed freely throughout?

Dave Campbell and organizers: we need to deputize Brian Martin and have him as a fixture on next year’s panel. He’s smart, knows the history, plus others will be able to ask questions if he’s on stage ;-)
In the end, everyone had a blast. The back and forth was healthy, even if one or two folks might have got more animated than they had planned. We need more events like this… Plan to come in 2011 when I hope we do it again.
That must have been some panel because I also saw WhiteHat Security’s Jeremiah Grossman tweet “Best panel I’ve ever been on. OWASP FROC audience is very lively and totally rocks! What a great event!” Scheduling conflicts kept me from the conference this year, but after everyone else’s comments you can bet that I will find a way to make it next year. Hope to see folks there.
dan _at_ denimgroup.com