Announcing the First Ever ZAPCon - Call For Papers


psiinon

Jan 28, 2021, 12:45:26 PM
to OWASP ZAP Developer Group, zaprox...@googlegroups.com
I'm delighted to be able to announce the first ever ZAPCon will be taking place virtually on March 9th, and will (of course) be completely free for attendees.

We are looking for topics and speakers for this event - for more details see this blog post: https://www.zaproxy.org/blog/2021-01-28-announcing-the-first-ever-zapcon/

Hope to see you there, and big thanks to the sponsors of this event: StackHawk.

Simon

--
OWASP ZAP Project leader

Kevin W. Wall

Jan 28, 2021, 11:11:19 PM
to zaproxy...@googlegroups.com
Simon,

I know that this really has nothing to do with ZAP, the product per se, but it has everything to do with ZAP, the development process which of course directly affects the product, ZAP.

What am I talking about? I am talking about the magic of how you have kept so many developers engaged over the past 10+ years or so, all during the time when OWASP ESAPI and many thousands of other FOSS projects were begging to find help. So many FOSS projects get abandoned, long before 5 years. (I think I read that it was close to 50%.)

I recall the halcyon days of ESAPI. When I first joined there was great excitement. ESAPI had at least a half-dozen core developers who were working on getting ESAPI 2.0-RCsomething out the door. Besides those 6 or so core developers, we also had another 4-6 developers making substantial contributions on a part-time basis. But as soon as the official 2.0 release went GA and was uploaded to Maven Central, pretty much everyone stopped regularly participating except Jim Manico, Chris Schmidt, and myself. And shortly after that, Manico left and Chris stopped contributing and I was the only one making regular commits but could get no help doing a release. (No one had left instructions on how to do releases either and Chris stopped answering my emails because he was busy with a new company and I think his wife grew ill.) No one is to blame, but ESAPI almost completely died off during that time.

Anyway, what I'd really LOVE to see at your first ZAPCon is a retrospective look back as to what made ZAP work and why you think people remained so committed to it when so many other FOSS projects are totally abandoned after just a few years. Commitment from you and your company's sponsorship no doubt helped immensely, but we both know that that alone is not enough to carry forth a FOSS project (unless it is really small) and make it as successful as ZAP. (I mean, ESAPI tried GSoC a few times as well, but never drew any interest.)

So, as a fellow OWASP comrade and FOSS participant, I know we'd all love to hear your wisdom and perspective of what made ZAP so successful. Because in my opinion, it is head and shoulders above every other OWASP flagship code project.

Anyway, something to think about. I am thinking of writing up a "lessons learned" on ESAPI in the not-too-distant future (after my taxes are filed), but that mostly will be a story of a project gone wrong and things to avoid rather than an inspiring story like ZAP. And during this depressing pandemic, I think we could all gain some measure of hope from an inspiring success story like ZAP.

Thus, I hope you or some other long-time core ZAP developer will consider it for ZAPCon.

Thanks,
-kevin
P.S.- If you feel this is not off-topic or otherwise inappropriate, feel free to repost to your mailing list if you wish. I just figured it was mostly OT.


-kevin
--
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI project co-leader
NSA: All your crypto bit are belong to us.

psiinon

Jan 29, 2021, 4:55:18 AM
to OWASP ZAP Developer Group
Hey Kevin,

Many thanks for that suggestion Kevin, and also for your very kind words!
I do have another talk planned for ZAPCon and I don't want to give more than one, but I'll seriously think about which one of those 2 options would be best.
It so happens that I have been accepted to talk at another big online industry conference about the history of ZAP and the lessons learned.
That's going to be in March as well and I haven't really started preparing for it as, well, it's WEEKS away ;) I won't say which one yet as it doesn't look like the talks are live yet, but I will of course announce full details as soon as I can.
But your suggestions will definitely feed into that talk and make my preparation that bit easier :D

Cheers,

Simon

Kevin W. Wall

Jan 29, 2021, 1:01:49 PM
to zaproxy...@googlegroups.com
Simon,

Fantastic. I guess it doesn't really matter at which con you present it as long as the information gets out there and it's available for FOSS people to watch without any charges.

-kevin

psiinon

Feb 3, 2021, 9:58:20 AM
to OWASP ZAP Developer Group
FYI it's now public, so I can now confirm that the conference I mentioned is RSA :)


Evolution of AppSec: Perspectives from a Decade of Building OWASP ZAP

The open source ZAP project was born from the need to have a view into the security of an app and tooling to support ongoing testing. Since its founding over a decade ago, ZAP has become increasingly popular and software security has only increased in importance. This session will review the evolution of application security, where we stand today, and offer a glimpse into the future.

Cheers,

Simon