OWASP 2013 Project Summit Lessons Learned

Lessons Learned
The Lessons Learned section below was put together based on the first-person perspective of OWASP Projects Manager, Samantha Groves. Her insight comes from being the primary planner for the 2013 Project Summit.

Tacit Knowledge
It is imperative to acquire as much tacit knowledge as possible before planning and running a summit. Tacit knowledge is very difficult to transfer as it requires going through the actual experience. I recommend attending a summit and paying attention to all of the logistical details and processes designed for the event. Reading past reports and talking to those who have planned summits before is also very important, but nothing compares to actually having planned and executed a summit despite having it be a smaller version of the much larger summits. It is also extraordinarily helpful to have a previous summit planning lead mentoring you throughout the process of running the event.

Pre-Planning
The pre-planning is actually a lot more work than running the summit itself. There are quite a few materials that need to be taken into consideration and managed. Not only do you have to put together sessions, encourage engagement, and create content for the event, but you have to make sure that you create promotional campaigns that inspire participation and commitment from the community and beyond. I recommend having a team of 5, but this depends on whether you are running the summit on its own or with a conference. You will need a much larger team if you are running the summit on its own. If you are running the summit with a conference, you will need a primary summit planner, a planning assistant, a wiki page editor/administrator, a session coordinator, and an on-the-ground logistics coordinator.

Venue
The venue choice is a key component. It is important to make sure that the attendees and summit leaders will not be disturbed or distracted; therefore, be mindful when choosing a hotel or any other well-trafficked venue. Another detail to note is that many of the 2013 Summit participants found the Times Square location a bit distracting. Having these types of events in very popular areas with many attractions for tourists has the potential to cause a high risk of engagement decline. Be mindful of your choice of location due to this factor as well.

Floor Plan and Room Type
I highly recommend having a communal session meeting area where an environment can be fostered to encourage a more dynamic type of working session. This is a similar type of space to what we had in the Sky Lounge at the 2013 Summit. I recommend having several round tables with a separate section with a projector. For fixed sessions, I recommend giving the session leaders their own room to work in, equipped with wifi and a projector. Additionally, if running a summit event attached to a conference, make sure your rooms are used for summit activities only. We made the mistake of sharing the Sky Lounge with the conference bag stuffing team and it turned out to be a disaster. The bag stuffing team ended up staying in the room the entire day instead of the three hours they had originally planned, and they were a MASSIVE distraction to our sessions and Leaders. I received quite a few complaints about it. I cannot stress this enough. Make sure your session rooms are for summit activities ONLY.

Summits at Global AppSec
While holding the summit during the AppSec USA conference did have its benefits, it did cause quite a few engagement issues among attendees. Having the summit during the conference did save us money, and it allowed the summit and AppSec USA planners to consolidate their resources and save money in quite a few areas that would have otherwise cost double if they were held at separate times in separate venues. However, these savings in resources and funds had a drawback in that they caused summit and conference activities to compete with one another for attendee attention. People wanting to participate in both were forced to choose between the two, and attendees let us know they were not pleased about this. Based on this experience, I recommend either having the summit as its own event, or 2/3 days before or after a conference if it needs to be attached to an AppSec event to save on resources and funds.

Catering
It is imperative to have a good budget for catering as this is one of the most important details that can go very wrong very quickly if not managed correctly. It is important to offer breakfast, a coffee break, lunch, afternoon coffee break, and dinner. You will receive complaints if you do not offer nourishment to your guests and session leaders at very strategic times throughout the day. Do not skimp on afternoon coffee! There will be complaints. Make sure to order catering in advance, and make sure to have a variety of options for those with different dietary needs: Vegetarian, Vegan, Gluten Free, Kosher, No Shellfish, Diabetic, Dairy Free, No Pork, etc.

Budget Needs
We most definitely need some sort of budget to pull off a summit. It is incredibly unreasonable to have no funds available to the summit planner. Thankfully, we were able to adapt, and be creative with the little funds we had. Thankfully, the AppSec USA planning team generously loaned us the resources they used to put on the conference, and we were able to piggyback off their purchases such as the venue location/costs, AV, electrical, wifi, catering, and many more items. They were also able to give us $10K at different times throughout the conference, which we were in great need of even for small expenses. I recommend having at least $50,000 of seed funding available before even entertaining the idea of putting together an OWASP Summit. A big thank you to Sarah, Tom, Pete and the rest of the AppSec USA 2013 team for helping us out with our budget needs.

Human Resource Needs
When running a summit, it is imperative that you have dedicated volunteers responsible for key roles throughout the event. The principal role is the Primary Planner role. This person will be responsible for everything, making sure that all of the tasks are done, everyone knows what they need to do, and that everything is running according to plan during the event. The second most important role is that of the Session Leaders. The Session Leaders run your summit working session, and they make sure that everyone stays on point. They are ultimately responsible for making sure the session runs smoothly, and that everyone understands what the aim of the session is. Next is the Scrum Master. You will need one Scrum Master for each session. This person is responsible for making sure everyone attending the session accomplishes what was originally intended, and that all participants stay on topic. Having a room proctor for every session is also important. The Room Proctor is responsible for making sure that everyone participating in the session has everything they need throughout the working session. This includes making sure that all equipment in the room is working, and that faulty equipment is managed if anything goes wrong. I highly recommend having a Summit Assistant that will serve as the summit admin throughout the event. There were many times during the 2013 Summit where we needed additional assistance with catering, supply procurement, placement arrangement, and a general second hand in case the Primary Planner is not present. I recommend having the assistant take care of managing the printed schedule during the event, as well.