2013 OWASP Project Summit Report
The OWASP Project Summit is a smaller version of the much larger OWASP Summits. This event gives our project leaders the opportunity to showcase their project progress, and lets attendees sit down and work on project tasks before, during and after the annual AppSec regional fundraising event. It is an excellent opportunity to engage the event attendees, and it gives project leaders the chance to move forward on their project milestones while meeting new potential volunteers who can assist with future milestones.
Call to Action by Samantha Groves/OWASP Projects Manager
Hello OWASP Leaders,
The 2013 OWASP Summit is happening! We had to overcome a few obstacles to get to where we are now, but we have had incredible support from the community after our intentions were made public. It's now time to start working on OWASP 5.0 at this year's AppSec USA in New York. I do realize that we still have a massive workload to complete before the event, but I am confident that we can make this Summit a great success for our community and beyond. We need to ensure that the culture of our OWASP Summits continues, and I am dedicated to making this a great success for our community so we may continue our efforts for years to come.
Help design the 2013 OWASP Summit in New York!
As OWASP Leaders, I would like you to take some time to help us design this year's Summit. We currently have a handful of tracks and session ideas, but I would love to have your input on what you think we should focus on. Please have a think about the projects, topics, working sessions, and tracks you would like to see or participate in at this year's summit. The Summit team will take these ideas and create a cohesive and comprehensive schedule of sessions based on your input, so I encourage you to submit your ideas straight away. I encourage you to have a look at the current track and session ideas.
We need your ideas, energy, and input NOW! Please add your name to the attendee list if you are joining us or would like to attend!
We will see you at AppSec USA in New York City!
Samantha Groves
OWASP Projects Manager
Summit Organisation Pages
These are pages with organization details about this event
- Projects Summit 2013 Attendees
- Mailing list (at Google Groups: owasp-project-summit-2013)
- Projects Summit page at main AppSec USA website
- Working_Sessions
- Venue
- Remote_Participation
- Budget
Do I need to purchase a Full Conference Pass to attend the OWASP Project Talks and Project Summit?
No! We want these activities to be open to the community to attend and participate – so if you can’t afford a full conference pass or aren’t interested in attending the main conference talk sessions (in the Ballroom), but DO want to participate in the Project Talks, Project Summit and other activities such as the CTF, Career Fair, Lockpick Village, and Exhibit Hall: Register for FREE for the “Expo and Career Fair Only Pass” and use the following discount code at checkout: NYC13_SUMMIT
How do I sign up for a session?
Please visit the individual summit session page to sign up for each session. You might need to create an account before you sign up. We are encouraging all those who wish to join to use this method. We will be using the attendee list on each session page to do our pre-conference planning for that session, so please make sure to sign up if you plan to join. You can find each session's sign-up page below:
Monday: Nov 18th
- OWASP Projects Review Session
- OWASP Media Project Session
- OWASP PHP Security and RBAC Projects: An Introduction
- OWASP AppSensor 2.0 Hackathon
- ESAPI Hackathon Session
- Bug Bounty Hack Session
Tuesday: Nov. 19th
- OWASP Training Development Session
- OWASP Academies Development Session
- Mobile Security Session
- ESAPI Hackathon Session
- Bug Bounty Hack Session
Wednesday: Nov. 20th
- Writing and Documentation Review Session
- ESAPI Hackathon Session
- Bug Bounty Hack Session
- OWASP PCI Toolkit Session
- OWASP O2 Documentation Session
Thursday: Nov. 21st
Marriott Marquis: New York City, USA
Space allocated
- Sky Lounge: Monday, Tuesday, Wednesday, Thursday: 9AM - 5PM
- Bag stuffers room (Monday: They will need part of the room.)
- Additional Hotel Suite available as well.
Below is the Sky Lounge floor plan. This is the room we will be working with for all of the summit sessions. We have an additional suite that we can use if we find, during on-site logistics planning, that we need to divide up the sessions. If room changes are made, attendees will be notified during registration.
[Figure: Sky Lounge floor plan]
Project Summit 2013
Tracks and Sessions
Click on the working session name to see the home page for that particular session. During the Summit those working session home pages will be used to document discussions and outcomes.
If you're interested in adding a Working Session for the 2013 Summit, there still is time to start a session! Please review the Working Session methodology for Working Session rules.
NOTE: The sessions listed below are tentative. Track topics are subject to change.
Current Daily Schedule
Monday: Nov 18th
- OWASP Projects Review Session
- OWASP Media Project Session
- OWASP PHP Security and RBAC Projects: An Introduction
- OWASP AppSensor 2.0 Hackathon
- ESAPI Hackathon Session
- Bug Bounty Hack Session
Tuesday: Nov. 19th
- OWASP Training Development Session
- OWASP Academies Development Session
- Mobile Security Session
- ESAPI Hackathon Session
- Bug Bounty Hack Session
Wednesday: Nov. 20th
- Writing and Documentation Review Session
- ESAPI Hackathon Session
- Bug Bounty Hack Session
- OWASP PCI Toolkit Session
- OWASP O2 Documentation Session
Thursday: Nov. 21st
Suggested Tracks and Sessions
- Product Development Session
- Reference Implementation Session
Frequently Asked Questions
This page contains answers to frequently asked questions about the 2013 OWASP Summit.
What is the Global Summit? Is it like AppSec or other OWASP conferences?
The OWASP Global Summit is the place where application security experts meet to discuss plans, projects and solutions for the future of application security. The Summit is not a conference - there are no talks or training seminars - this is an opportunity to do actual work to further the field of application security. We are holding the summit as part of our AppSec USA 2013 conference, but it is a separate activity from the conference itself. Participants will stay in shared accommodations and collaborate to produce tangible progress towards influencing standards, establishing roadmaps, and setting the tone for OWASP and application security for the coming years. The Summit will consist of Summit Working Sessions with a variety of topics set by our community. Participants are free to attend any working session, but we encourage everyone to select working sessions for topics where they have the most to contribute.
Anyone can attend the Summit! OWASP community members, application security experts, industry players, and developers are all welcome at the Summit. If you would like to receive a personalized invitation for yourself or another person, please contact either Samantha Groves or Kait Disney-Leugers.
When is the Summit?
The Summit will be held November 18th-21st (Monday-Thursday), 2013.
Where is the Summit being held?
The summit will be held in the Sky Lounge of the New York Marriott Marquis Hotel in New York City.
New York Marriott Marquis
1535 Broadway
New York, New York 10036 USA
Who do I contact for help?
For general assistance in all matters related to the Summit, contact Samantha Groves, or Kait Disney Leugers.
For help with travel and accommodations, contact Samantha Groves.
Where do I stay?
There are a few hotels you can use for your accommodation needs; however, all of the staff and the majority of leaders will be staying at the New York Marriott Marquis.
Who is going to the Summit?
Please visit the expected attendee page to see the most up-to-date list of who is attending the Summit.
OWASP Summit Sponsorship
I'm an OWASP leader - why isn't this free for me?
During the previous Summit, OWASP was fortunate enough to be able to fund all OWASP leaders to attend the Summit. Unfortunately, the budget for the 2013 Summit is not as large as our previous budgets. Moreover, due to the success of OWASP, the organization has grown on a world-wide level resulting in even more OWASP leaders that want to attend the summit (and who need funding). As a result, we are making the following compromise with our attendees: OWASP will provide the venue meeting rooms, the A/V equipment, and the venue supporting staff in order to enable attendees to work effectively; attendees just have to pay for travel and accommodations for themselves.
So who is being funded?
The first round of sponsored attendees was selected based on their contribution to AppSec USA. These sponsored leaders are our Project Talk Speakers and Summit Session Leaders. Leaders with funding in their projects have also decided to use those project funds to assist with the summit, and give project talks at AppSec USA since our funds are very limited this year. Key summit assistants were also funded as they will be key to the successful running of a 4 day summit.
What does it mean to be a "sponsored" Summit attendee?
A sponsored summit leader must prepare and chair their scheduled summit session, and a sponsored summit assistant must be available to help with on-site logistics throughout the entirety of the summit.
Why do they get funded and not me?
Please understand that we have very limited funds available. If you were not chosen to be funded, please do not take it personally. We simply do not have enough funds to sponsor all the great members of OWASP to attend.
Someone from OWASP said that I would be sponsored. What gives?
Unfortunately, there has been a great deal of inconsistent information spread around about the Summit, even from people at the highest levels of OWASP leadership. The reality is that the budget for the Summit is not nearly as large as it needs to be to sponsor all deserving attendees. If you were told by someone in OWASP that you would be sponsored, we apologize for the confusion.
Employer Funding/Sponsorship
My employer needs an invitation letter or other documentation before sponsoring my trip. Where do I get this?
Please contact Samantha Groves with your request, and she will work with you on creating some personalized material for your employer/sponsor.
Can my company have a logo on the wiki page if they fund me?
Yes. Please visit the expected attendee page to see where your company's logo will appear if they fund your trip.
I need help convincing my employer to fund my Summit attendance - what should I tell them?
You can use the following points in your discussion:
This year's Summit will be a gathering of OWASP leaders and key industry players to focus on a variety of important application security topics including browser security and cross-site scripting eradication. Attending the Summit will provide <EMPLOYEE NAME> with opportunities to:
- Participate in the latest developments in application security and influence its trajectory
- Gain new skills and technical knowledge for current application security projects
- Find out where other companies are focusing their energy and resources
- Increase visibility for <COMPANY’S NAME>
We believe that <EMPLOYEE’S NAME>’s attendance at the Global Summit is a worthwhile investment for both <COMPANY NAME> and <EMPLOYEE NAME>. Therefore, we are asking you to consider supporting <EMPLOYEE’S NAME>’s participation at this important event by donating <HIS/HER> time to attend the Summit.
Working Sessions
I want to plan/run a Working Session. What do I need to do?
- If you haven't done so already, please add your name to the Summit Attendee page.
- After we know you plan to attend the Summit, visit the Summit working sessions page and determine if there is a working session already listed that you are interested in running/planning/leading, or if you have a new idea.
- If there is a session already listed without a leader, feel free to add your name as the leader and send Samantha Groves an email letting her know your intent. She can set you up with a working session page and let you know about any next steps. If a leader is already listed for the session you are interested in, add your name as a session member/attendee and email the leader to see what you can do to help.
- If you have a new idea, add your information to one of the blank rows under the appropriate track name, or under Track: OWASP if you don't see a good fit. Send Samantha Groves an email letting her know your intent. She can set you up with a working session page and let you know about any next steps.
I want to participate in a working session. Where do I sign up?
Visit the Summit working sessions page and click on "edit" in the left hand column next to the session(s) you want to participate in. When you get to the edit screen, scroll down to where you see:
| summit_session_attendee_name1 =
| summit_session_attendee_email1 =
| summit_session_attendee_wiki_username1 =
At a minimum, please enter your name and email address so the person leading the group can contact you to follow up.
If you don't see a session you are interested in and want to create one, or want to lead a session, see the answer under the previous question (above).
Corporate Sponsorship
My company wants to sponsor the Summit. What do I do?
Please send an e-mail to Samantha Groves to discuss current opportunities.
Below, you will find an up-to-date list of our 2013 Project Budget and spending.
Leader Name | Hotel Covered by Projects | Flights Covered by Projects | Hotel Covered by Track | Flights Covered by Track | Nights | Room Rate | Total Room Costs | Track Fund | Additional Budget | Budget Total |
Andrew van der Stock | $1,545.00 | $1,520.60 | 5 | $309.00 | $1,545 | $3,065.60 | ||||
Kevin Wall | $610.60 | $610.60 | ||||||||
Samantha Groves | $1,081.50 | $ | 7 | $309.00 | $2,163 | $3,244.50 | ||||
Dennis Groves | $375.70 | $375.70 | ||||||||
Martin Knobloch | $4,123.00 | $730.30 | 7 | $309.00 | $4,123.00 | $4,853.30 | ||||
Steven van der Baan | ||||||||||
Dinis Cruz | $2,163.00 | $699.00 | $2,862 | |||||||
Jonathan Marcil | ||||||||||
Andrew Muller and Wife | $722.50 | $1,586.78 | 5 | $309.00 | $1,545.00 | $2,309.28 | ||||
Fabio and Wife | $618.00 | $520.50 | 4 | $309.00 | $1,236.00 | $1,138.50 | ||||
Kostas and Wife | $700.00 | $520.50 | 7 | $309.00 | $2,163.00 | |||||
Larry | $507.56 | 5 | $309.00 | $1,545.00 | ||||||
Chris Schmidt | $1,545.00 | $287.80 | 5 | $309.00 | $1,545.00 | |||||
Kait Disney-Leugers and Husband | $463.50 | 3 | $309.00 | $927.00 | ||||||
Michael Hidalgo and Wife | $463.50 | $554.06 | 3 | $309.00 | $927.00 | |||||
Abbas Naderi and Wife | $618.00 | 4 | $309.00 | $1,234.00 | ||||||
Total | $3,862.50 | $4,513.34 | $10,230.50 | $2,997.10 | $21,118.00 | $8,205.26 | $5,000.00 | $13,205.26
Monday, November 18th | Tuesday, November 19th | Wednesday, November 20th | Thursday, November 21st | Total | |
Food | |||||
Pizza | $16.25-$22.00 | $16.25-$22.00 | $16.25-$22.00 | $16.25-$22.00 | $16.25-$22.00 per pizza |
Tea and Coffee | $1,800 | $1,800 | $1,800 | $1,800 | $1,800.00 |
Water Bottles | $11.98 | $11.98 | $11.98 | $11.98 | $11.98 24pk |
Fruit | $14.00 assorted | $14.00 assorted | $14.00 assorted | $14.00 assorted | $56.00 |
Keg | $90-$250 | $90-$250.00 | |||
Office Materials | |||||
Markers | $3.90 | $3.90 | $3.90 | $3.90 | $3.90 4pk |
Paper Tablets | $16.79 | $16.79 | $16.79 | $16.79 | $16.79 12pk |
Staples | $3.29 | $3.29 | $3.29 | $3.29 | $3.29 each |
Staplers | $8.99 | ||||
Pens | $6.99 | $6.99 | $6.99 | $6.99 | $6.99 60pk |
Pencils | $1.69 | $1.69 | $1.69 | $1.69 | $1.69 12pk |
Notebooks | $1.29 each | $1.29 each | $1.29 each | $1.29 each | $1.29 each |
Printing | |||||
Black and White | $0.03-$0.32 | $0.03-$0.32 per page | |||
Full Color | $0.15- $2.00 | $0.15 - $2.00 per page | |||
Miscellaneous | |||||
Shuttle ride from Airport | $35.00 LGA, $50.00 JFK | $35.00 LGA, $50.00 JFK | $35.00 LGA, $50.00 JFK | $35.00 LGA, $50.00 JFK | $70.00 LGA, $100.00 JFK |
Dinner for Leaders | $200 | $200 | $200 | $200 | $800.00 |
Average fare for cab ride | $2.50 base | $2.50 base | $2.50 base | $2.50 base | $2.50 base |
Additional Travel | |||||
Eclipse Member | $2,000 | $2,000.00 | |||
Apache Member | $2,000 | $2,000.00 |
- Patzerias Perfect Pizza Inc.: 231 West 46th Street (Broadway and 8th Ave) (212) 575-7646
- Famous Original Ray's Pizza: 736 7th Avenue (212) 956-7297
- John's Pizzeria: 260 W. 44th Street (212) 391-7560
- Staples: 776 8th Ave (212) 265-4550
- Walgreens: 1471 Broadway (212) 302-0552
- Tower Copy East: 115 West 45th Street, Suite 502 (212) 679-3509
- priced per pack or size
Confirmed Summit Attendees: with Funding
2013 OWASP Projects Summit Attendees
Name | Company
Dennis Groves | OWASP
Dinis Cruz | Security Innovations
Simon Bennetts | Mozilla
Martin Knobloch | PervaSec
Konstantinos Papapanagiotou | Voice@Net
Chris Schmidt | Aspect Security
Sam Groves | OWASP
Michael Hidalgo | Security Innovation
Kevin Wall |
Sebastien Deleersnyder | BNP Paribas Fortis
Johanna Curiel |
Jason Haddix | Hewlett-Packard
Abbas Naderi |
Jonathan Marcil | OWASP
Jack Mannino |
Jason Haddix |
Jonathan Marcil | Phéromone
James Robertson | University of Maryland University College
Riotaro Okada | AsteriskResearch, Inc.
Beth Ritter-Guth | Union County College
Suchit Mishra | Salesforce
Serg Belokamen | Bugcrowd
Casey Ellis | Bugcrowd
Simon Roses Femerling | Vulnex
Bev Corwin | OWASP
Jeff Williams | Aspect Security
Sasikumar Srinivasan | ZohoCorp
Carlos Hoyos | IBM
Chuck Cooper | Paylocity
Tobias Gondrom | Thames Stanley
Sean Bates | Farm Credit Canada
Tony DeLaGrange | Fidelity National Information Services
Jaydeep Dave | Trend Micro
Guillermo Skrilec | GeneXus Consulting
James Hurley | Texas Conference of Urban Counties
Confirmed Summit Attendees: Seeking Funds/Sponsorship
No attendees are listed in this category.
Unconfirmed Summit Attendees
No attendees are listed in this category.
Projects Participating
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
The Code Review Guide focuses on secure code reviews and tools that aim to support the developer community. Such an activity is very powerful as it gives the developer community a place to start regarding secure application development.
The Development Guide is aimed at architects, developers, consultants, and auditors. It is a comprehensive manual for designing, developing, and deploying secure Web Applications and Web Services. The OWASP Developer Guide 2013 aims to focus the content from countermeasures and weaknesses to secure software engineering.
The OWASP Education Projects
The OWASP Education project is meant to centralize all educational initiatives of OWASP. The project will not deliver education material as such, but define standards and guidelines on education material. Furthermore, this project aims to create an easy entrance towards understanding application security and usage of the OWASP tooling. By creating education documentation papers, screen scrape video courses, and setting up an OWASP Boot camp, a controlled education process of a standardized quality can be created continuously.
OWASP Training
- OWASP Boot Camp
- OWASP Training Events
OWASP Academies
- OWASP Academy Portal
- OWASP University Outreach
- OWASP Student Chapter
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications.
The Software Assurance Maturity Model (SAMM) is an open framework that aims to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development.
This Testing Guide Project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations. Contributors of this project are currently writing Version 4 of the guide, and are actively seeking authors.
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience, and as such, is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
The Mobile Security Project's primary focus is the application layer. While we take into consideration the underlying mobile platform and carrier-inherent risks when threat modeling and building controls, we are targeting the areas where the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end-user devices, but also on the broader server-side infrastructure with which the mobile apps communicate. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
Remote Participation
Unfortunately, we were not able to raise enough funds to facilitate remote participation for the 2013 Project Summit. It is certainly an aspect of our summits that we find incredibly important, and we will work hard to make sure remote participation is an option our contributors have in 2014.
Remote participation will be key for the success of this Projects Summit.
Ideally we should have 10x remote attendees (vs. local attendees), since that allows project leaders, contributors and users who cannot make it to the conference (or will arrive late) to also participate.
What would be really interesting is if the physical presence is the 'enabler' for the wider participation and deliverables. In fact, we might find that the most important attendees are remote.
Starting with the basics, here is what will be needed:
- Good Internet connectivity (ideally dedicated, but that will have further costs)
- Local moderators
- Streaming technology (in both video, audio and text)
- Sharing tools (virtual docs, whiteboards, etc.)
- Registration system for remote participants
- Schedule for remote participants
Additional Links
Summit Organisation Pages and Additional Links
These are pages with organizational details about the 2013 OWASP Summit.
- Projects Summit 2013 Attendees
- Mailing list (at Google Groups: owasp-project-summit-2013)
- Projects Summit page at main AppSec USA website
- Venue
- Remote_Participation
- Budget
- AppSec USA 2013 Summit Page
- Projects Summit 2013
Contact Us
If you need help with anything summit related, or if you simply need some more information, please do not hesitate to contact either Samantha Groves or Kait Disney-Leugers.