2.16.2011

Dear OWASP Summit, Obrigado

It has been a couple days since I returned from my trip to Portugal for the OWASP 2011 Summit in Lisbon; and I can almost speak again. Last week was truly one of the most incredibly productive weeks I think I have ever witnessed. Of course, when you throw almost 200 security professionals from around the globe in a small space for several days with a seemingly limitless supply of (horrible) beer and wine - would you expect any less?

Day 1
After arriving at DIA at around 8am for my 10am flight to Newark I tinker on some ideas while sitting in the airport lounge. Finally it is time to board the plane and I arrive in Newark. As soon as I make it out to where the restaurants are at Newark I run into Tom Brennan and we immediately head up to the Presidential Club for some free Bloody Marys, some Superbowl, and some geek talk about plans for the week. We sat in the bar for about 3 hours, saw about 15 minutes of the Superbowl and ran into another big group of OWASPers at the gate from Newark to Lisbon. After what seems like an eternity, I arrive in Lisbon at 8am GMT. Customs was almost non-existent in Lisbon. Arriving at the passport counter, the lady simply scanned my passport and handed it back to me without so much as a glance at me or my picture. After the passport counter we had to go through customs - nothing to declare? OK, just follow the green line, all the way out without ever speaking to another person until we were outside getting on the bus. A handful of people are already at the Campo Real Resort when we arrive and we are quickly assimilated into various smaller sects of security pros running around in shorts and flip-flops or 3-piece suits. Broke fast with a big group and then headed up to the Library Bar where the wireless was decent to sit on the patio and prepare for the week ahead.

Day 2
Up and at it early for the first actual day of the summit. Spent the morning working on the finishing touches for the working sessions that I was leading on ESAPI and a global security disclosure policy for OWASP, then started shooting off e-mails to connect with some people that I don't have the opportunity to see very often and spent a good deal of the morning talking about how different security needs are around the world compared to what I am used to here in the US of A. Around lunchtime, I was invited to participate in the Global Project Committee in planning out the new platform with OWASP Projects. I spent the rest of the day sequestered in a hidden cove with Jason Li and Brad Causey plotting for the Projects working session. After the day was called and dinner was served I spent the evening regaling the crowds with stories and jokes while the first part of the Governance session raged on across the street.

Day 3
Not quite as early as yesterday, but still early enough. Headed to the main hotel to meet up with Jason and Brad to continue our work on the Projects refactor. Things are getting done at an unreal pace. Yesterday there was just a brief sketch and some ideas bouncing around - by the time we finish today, we have a full-fledged plan of attack and something reminiscent of a roadmap. We even have little icons and some fancy process diagrams to show off at our session later today! The first actual session I manage to make it to is with Michael Coates on AppSensor. I am a huge fan of AppSensor, and Mike is a pretty genuinely cool guy to hang out with (after a few drinks XD) so I go to lend my support and help hash out some ideas for the project. Next on the agenda is our Projects working session. Some heated debate sparks up regarding the website, how this ties into it, and what should happen first; but somehow, we manage to make it through the entire plan - show off all our diagrams and process stuff, and smooth out some of the rough edges with the crowd. After this, I sneak away to go mingle with some of the AppSec Elite, like John Stevens from Cigital and a few others that have super secret identities. The evening wraps up with snacks, beer, and wine in the hotel followed by dinner and OWASP Band Practice.

Day 4
Moving a little slower than yesterday, but I am at the hotel shortly before 10am for my first working session of the day. I have 4 scheduled that I was prepared for and get pulled into another one that somehow ended up leaderless. My first session of the day goes well - what do we need from Framework Developers as it applies to Output Encoding. We outline a set of 4 high-level requirements that are to be later formulated into an official request from OWASP to the framework developers (Spring, Struts, etc.) to make contextual output encoding part of their frameworks. Immediately following that session I get pulled onto a working session to go through the ESAPI validation code and talk about Jim Manico's ESAPI-Lite project. We do a thorough deep-dive into the ESAPI validators and basically run through a code review with a room full of smart people and the code up on a projector. Some great ideas and bugfixes will be coming out of that session! Finally it is time for lunch, but not before we all get corralled into the inner patio area of the hotel for a group picture and quick pow-wow with the summit organizers. I lunch on some particularly dry tiny sandwiches with Jeff, Dave, and a crazy hacker girl from the UK then head off to start preparing for my afternoon sessions. I also get pulled away to take care of some work-related stuff (having a conference call over a very flooded wifi network is a very interesting adventure) then head back for my second to last session of the day. The OWASP Security Vulnerability Disclosure Policy is born and noted on the patio over espresso and beer in the warm late afternoon sun, and at long last the last working session for the day, where we were to be roadmapping the future of the ESAPI project, gets cancelled because we are going to have an actual ESAPI summit sometime in early Spring.
Now it's time to have a few drinks, so I head to the wine tasting in the control center and run into the guys from Hacker News Network, who have been trying to find me for days so we could do an interview. I grab my stuff and head up to the presidential suite in the hotel where I spend about 30 minutes chatting it up with the guys and then another 15-20 doing the actual interview. Now it's time to head out for dinner and the much anticipated OWASP band performance. We managed to practice and get down 4 songs the night before, so we knew we would be doing a lot of improv. We get the host house all set up for the concert and Brazilian BBQ that will happen in a couple hours while the final working sessions for the night wind down. As people start filtering into the house, a couple people are jamming away on the equipment that was provided by Dinis' brother (local) and we pick up one of his students to play guitar, his brother to play guitar and bass, and Stephen from the Netherlands (OWASP CTF) to hop on bass as well. We start jamming out around 11pm and run through about 2 hours of music, including but not limited to an original song that I made up on the spot called 'The SQL Injection Blues', which largely featured quotes and friendly jabs at Jim Manico (who quite unfortunately was actually in his room at the hotel, sick as a dog), along with some old favorites like La Bamba, Sweet Child of Mine, Enter Sandman (with John Wilander rocking out), Born to Be Wild, and a ton of others that I can't remember right now. By the end of the night, my voice was completely gone, but I was having a blast eating Brazilian BBQ as soon as it was coming off the grill and chatting it up with Mark and Doug outside the party house.

Day 5
Somehow, I managed to peel myself out of bed long enough to attend the closing ceremonies at the hotel around 10am and promptly headed back to the villa for another hour or so of sleep afterwards. My voice was still completely gone (good thing I did the interview before the show!) and I spend most of the day catching up with everyone and chatting about the conference, getting contact info for everyone and planning my last day in Lisbon. We have dinner down at the restaurant that evening where I have a little bit of Ouzo and then we all head for the Library Bar to chat it up before finally heading for bed.

Day 6
Up bright and early for my big Turbo-tour of Lisbon. I managed to rally up about 9 people for the day so we split the cost of transportation and head into the city. A couple of the guys (and gal) from the group are staying that night in Lisbon so we all meet up at the hotel and head down into the City Centre of Lisbon. It is a long arduous journey through the City Maze in Old Town as we wind our way up the mountain to see the Castle of St. George (stopping many times along the way to look at stuff, or peruse shops, or just take some pictures) and finally after a couple hours we are up at the castle. It is huge, and we spend about an hour walking around the walls and towers, admiring the view of the city and the river from the highest points of the castle before finally getting in to see what most of us went to the castle to see. The Camera Obscura was invented by Leonardo Da Vinci and it is basically a really old school periscope projector that projects a view of the entire city of Lisbon onto a kind of upside-down planetarium screen. We get a history lesson as the keeper of the camera swoops the camera around showing us different parts of the city and relating tales about those parts and things that have happened there. It was awesome, and well worth the climb and the wait. After we are done at the castle, we decide to head back down the hill and find a place that was recommended to us for lunch. We find it after a bit of walking and have some awesome Portuguese food and arguably the best Sangria that I have ever tasted. After that the group splits up, some going to the Tower of Belém to take pictures, and the rest of us down the hill for shopping and sunset. We head down the hill, miss the sunset over the ocean - but that's okay because we find an amazing street artist set up on the side of the road and I ended up buying a painting to bring home and remind me of my trip.
After that we head further down the hill and find an awesome little cafe that has some of the custard cups that Lisbon is famous for, so we sit down for an espresso and some pastries and chat a bit about the day so far and what else we want to do. After we are done there we have a little over an hour until we are supposed to meet back up with the rest of the group for dinner - so we head down into the main drag of Lisbon, the huge pedestrian street that is lined with touristy shops and sights, and walk down the strip, stopping to buy a few trinkets for the family on our way back to the hotel. Once we meet up with everyone at the hotel, we sit in the bar for a few to have a glass of port and figure out where we want to go for dinner. We end up heading to a little restaurant not too far away called Sancho, which is supposed to be one of the best places in Lisbon to go for seafood. The food was awesome, the wine was good, and the conversation was unbeatable. Finally after about 2 1/2 hours for dinner we head back to the hotel for a nightcap before most of us head back to the resort and turn in for the night.

Day 7
After literally 22 1/2 hours of travel, I reached my home - promptly laid down my luggage, shared trinkets with the family and finally passed out in my own bed; millions of ideas and thoughts from the summit still running through my head.

Summary
I have said it a zillion times over the last week, but I will say it again - the experience was truly unbeatable. The opportunity to work with so many brilliant people from our community and really get things done was amazing. Learning about the security needs and political struggles from the stories of the attendees was incredible. Seeing Europe for the first time was beautiful. I can't wait for the next summit. I have already put in my vote for either South America or Prague. :)