Thursday, February 21, 2013

Speaking at RSA for OWASP

I'll be speaking at RSA 2013 on behalf of OWASP. Hope to see you there.

Friday, March 1
10:20 AM - 11:20 AM 

Room 123

Security: Looking Forward - Protecting Critical Applications with OWASP  

Top 10 application security risks, free online security training, advanced application security testing tools, guidance on secure development lifecycle – these are all free resources produced by the OWASP open source community. Join this session and find out how to support and leverage the OWASP organization to help the fight for secure applications!


Also make sure to check out Jerry Hoff and Jim Manico's 4 hr seminar on Approaching Secure Code/

Monday, February 25
1:00 PM - 5:00 PM

 Room 132

OWASP-001 - OWASP: Approaching Secure Code – Where do I Start? (Half Day)

Regardless of your chosen/mandated framework for building web applications: Spring, Struts, Rails, PHP, Python, etc., you want to make your life easier, and potentially less embarrassing. Don’t be the one who left the door open for hackers. Learn handy tips from one of the world’s leading AppSec experts. Recommended for: Developers (dev managers welcome, assign people from your team to attend). Bring yourself, no materials required.

-Michael Coates - @_mwc

Leading Change in an Open Organization

Below is an email I recently sent to the OWASP leader's list. I think this perspective applies to many open source projects.

(Minor corrections for typos.)


We had a lively debate of various points this week. The actual issues aside, I’d like to provide some perspective on leading change. 

The takeaway from the heated discussion was:
1. Some people feel X is bad
2. Other people feel X is fine
3. Some people feel some small tweaks would have made X better

There was some good civil discussion, some shouting occurred, accusations were thrown around, and in the end the issue slowly fell away.

What were the results of this conversation?
1. Some people felt better to share their thoughts on an issue
2. Other people were likely offended from accusations
3. A list of several hundred people watched the back and forth
4. We ended where we started – this may be because our current stance is acceptable or because our approach to initiating change was poor

My two cents on how to lead effective change at OWASP
Keep the stones you are about to throw in your pocket. Use those stones to build a bridge.

* Change happens when people evaluate a situation, receive a variety of feedback, and build consensus around a path forward
* Assume good intent – everyone is putting in countless hours of time, when situations get close to the grey zone, let’s assume good intent and act as a team
* Apply change in a forward-looking fashion.  Most people are happy to get on board with an approach that is well thought out, socialized with the community, and better for OWASP.
* Look at issues holistically. If the whole forest is on fire, it doesn’t do any good to pick a single tree and focus on that. Look at the overall incentive structure, and the public guidance – we likely need to rethink the overall program.

How does this manifest at OWASP?
Do you think X, Y, or Z can be better? If so, start a global initiative and get some people involved from various perspectives (for and against, various vantage points/backgrounds). Evaluate the situation and consider the various incentives at play. 

Is this red tape? Not really, you’re free to approach the problem however you choose. But please consider this advice as you drive to lead change in an organization that spans the world, is completely open and volunteer driven, and is trying to fundamentally change knowledge sharing around an area that many people don’t understand.

-Michael Coates - @_mwc