History and Analysis of OWASP In-Person Summits
by Dinis Cruz, 2025/06/07
The OWASP in-person summits are intensive, collaborative gatherings of the Open Web Application Security Project’s community. These summits (distinct from regular OWASP conferences) bring together OWASP leaders, project contributors, and application security experts from around the world to work on the organization’s projects, set agendas, and tackle key security challenges in a face-to-face setting. Unlike typical conferences with one-way presentations, OWASP summits emphasize working sessions, planning meetings, and hands-on collaboration. Below is a comprehensive chronological overview of all fully in-person OWASP summits since the concept’s inception, followed by detailed analysis of each event’s logistics, organization, and outcomes.
Chronological List of OWASP In-Person Summits
- 2008 – OWASP European Summit (Algarve, Portugal): The first OWASP Summit, held November 4–7, 2008 in southern Portugal. ~80 OWASP leaders and contributors attended. Theme: “Setting the Web Application Security Agenda for 2009.”
- 2009 – OWASP Summit (Washington, D.C., USA): A one-day leadership summit on November 11, 2009 in Washington, D.C., coinciding with OWASP’s AppSec DC conference. Attended by OWASP board members, global committee members, chapter leaders, and other project leaders.
- 2011 – OWASP Global Summit (Lisbon, Portugal): A major four-day global summit, February 8–11, 2011 in Lisbon. Around 175–180 participants from 20+ countries took part.
- 2017 – OWASP Summit (Woburn Forest, UK): A five-day OWASP Summit held June 12–16, 2017, near London (at Center Parcs Woburn Forest). “Hundreds” of OWASP community members and AppSec professionals participated.
Each of these summits had specific goals, formats, and organizational approaches, as detailed in the sections below. (Note: We exclude virtual or hybrid “summits” and focus only on fully in-person events.)
OWASP European Summit 2008 (Algarve, Portugal)
Overview: The inaugural OWASP Summit in 2008 was a groundbreaking event for the OWASP community. It took place in the Algarve region of Portugal from November 4–7, 2008. With the theme “Setting the Web Application Security Agenda for 2009,” this summit was conceived as a “worldwide gathering of OWASP leaders and key industry players” to plan the next year’s priorities. Unlike a typical conference, the summit combined training sessions, presentations, and open working meetings in a retreat-like setting.
Planning and Venue: The idea for an OWASP Summit was new in 2008 – OWASP’s leadership decided to invest in an event focused on collaboration rather than only presentations. The venue in Algarve was a resort location, enabling attendees to lodge and work closely together on-site. Notably, the OWASP Foundation covered travel and accommodation costs for all participants (~80 people) using OWASP funds, ensuring that active contributors worldwide could attend regardless of personal cost. This financial support was crucial to maximize global participation and was made possible by OWASP’s conference revenues and membership funding at the time. Planning involved OWASP’s board and volunteers (with strong support from the OWASP Portugal chapter leaders) to coordinate logistics like booking the resort, arranging travel stipends, and organizing the agenda.
Summit Format: The 2008 summit spanned four days and was structured into both conference-style sessions and working meetings. The first two days functioned similarly to a conference/training event: the venue hosted “a diverse selection of training courses along with technical and business tracks”, allowing attendees to learn about the latest OWASP tools, projects, and web security trends. Over 40 OWASP project presentations and workshops were held during these first two days (covering topics like the OWASP Testing Guide, code review techniques, new OWASP tools, etc.). The latter two days were devoted to open working sessions and discussion groups, where OWASP leaders and participants sat together to set priorities and roadmap for the coming year (2009). This format – half conference, half working summit – provided both knowledge sharing and collaborative planning opportunities.
Key Topics and Sessions: On the working session days, attendees broke into groups to discuss major OWASP initiatives and general AppSec challenges. According to OWASP’s post-event reporting, the summit focused on planning OWASP projects and outreach for 2009. Discussions likely covered updates to OWASP’s flagship projects (like the OWASP Top 10, Guides, tools), ideas for new projects, and how to address emerging threats. The overall goal, as the theme suggested, was to collectively “set the AppSec agenda for 2009.”
Outcomes and Deliverables: The 2008 summit produced several important organizational outcomes. It is credited with defining OWASP’s core principles and a formal code of ethics, which were codified as foundational guidelines for the community. The summit also resulted in the creation of six new global committees of volunteers. These committees (which included representation from various regions) were established to help the OWASP Board manage key areas like Education, Conferences, Projects, Chapters, Industry Outreach, etc. – a significant step in OWASP’s organizational maturation. Additionally, concrete plans for 2009 were formulated, including new outreach programs and a roadmap of OWASP projects (for example, updating major guides and launching the OWASP Spring of Code 2009). In summary, the first summit set a collaborative tone, produced governance improvements (committees, ethics, principles), and united the community around common goals for the year ahead.
Participation and Support: Because OWASP centrally funded the event, many notable OWASP contributors were able to attend. Attendees included OWASP’s global chapter leaders, project leaders, Board members, and industry supporters. This summit’s attendee list was essentially a “who’s who” of the OWASP community in 2008. The investment paid off in stronger community bonds: participants forged personal relationships and shared a sense of mission. Sponsorship-wise, the 2008 summit did not rely on corporate sponsors (aside from OWASP’s own budget); OWASP’s decision to underwrite travel costs was unique and underscored its commitment to an inclusive, vendor-neutral gathering.
Logistical Notes: Scheduling was intensive – full-day sessions ran over four days, with informal collaboration in the evenings. Coordination of 80 people’s travel to Portugal, lodging, and meals was handled by OWASP organizers. The format encouraged everyone to not just attend talks but actively contribute in roundtables and editing sessions. By all accounts, this first-of-its-kind OWASP Summit was a “great” success, creating a template and enthusiasm for future summits.
OWASP Summit 2009 (Washington, D.C., USA)
Overview: In 2009, OWASP held a second in-person summit, though on a smaller scale than 2008. The OWASP Summit 2009 took place on November 11, 2009 in Washington, D.C., timed alongside the AppSec DC 2009 conference. This gathering was essentially a one-day meeting of OWASP’s leadership rather than a multi-day conference. As one summary put it, the 2009 summit was a meeting of the OWASP Board, global committee members, chapter leaders, and other active members, aimed to “review 2009 & decide directions for 2010”.
Purpose and Format: The 2009 summit served as a strategic planning and coordination meeting. OWASP had grown significantly by this time, and the global committees formed in 2008 were in operation. Thus, bringing leadership together in late 2009 was an opportunity to assess progress on initiatives (such as projects started after the 2008 summit) and chart the course for the coming year. The format was a roundtable and workshop-style meeting rather than public talks. With representatives from various committees and chapters present, the agenda included status updates on 2009 activities, discussions of OWASP’s budget and resources, and setting objectives for 2010. For example, topics likely included how to sustain the many OWASP projects, plans for upcoming conferences, and improving global chapter coordination.
Organizational and Logistical Aspects: Logistically, this summit was simpler: it was held as a single-day event during the AppSec USA/DC conference week, leveraging the presence of many OWASP leaders who were already attending the conference. Venue space was provided in Washington’s conference facility for that day. Attendee count was limited to OWASP’s key personnel (dozens of people). No elaborate funding was needed beyond perhaps a meeting room and catering; attendees’ travel was generally covered by their own employers or by the fact they were attending AppSec. The 2009 summit did not feature sponsorships or a public call for participation – it was an internal meeting.
Key Topics and Outcomes: According to OWASP records, this was considered the “2nd OWASP Summit” (with 2008 being the first). Major discussion points included reviewing the outcomes of the prior summit’s initiatives and adjusting OWASP’s organizational structure as needed. One notable development around that time was OWASP’s move toward a more formal governance model – for instance, membership votes for Board seats were introduced around 2009–2010 (previously, the Board had been self-appointed). The summit likely touched on this evolution of governance. Additionally, plans for 2010 such as the OWASP Season of Code events, upcoming OWASP Top Ten release (2010 edition), and global conferences (like AppSec conferences in new regions) would have been formulated or approved. In summary, the 2009 summit’s deliverables were strategic directions for 2010 and a reaffirmation of OWASP’s mission in the face of rapid growth.
Notable Participants: This leadership summit included OWASP’s prominent figures of the time: Board members (e.g. Jeff Williams, who was Chair), committee chairs, and chapter leaders from major chapters. It provided a rare chance for these volunteers – normally collaborating via mailing lists – to meet in person. The face-to-face aspect helped in resolving issues and building consensus for organizational changes (such as moving toward a CEO role for OWASP, a subject of community discussion around 2010).
Legacy: While smaller in scale, the 2009 summit kept momentum going after 2008 and paved the way for the much larger 2011 summit. It demonstrated that OWASP could hold focused in-person strategy meetings cost-effectively by aligning with an AppSec conference. The decisions (e.g., to hold board elections and hire a full-time executive director/CEO in subsequent years) helped professionalize the OWASP Foundation. This summit also highlighted a pattern: alternating big stand-alone summits with interim leadership meetings as needed.
OWASP Global Summit 2011 (Lisbon, Portugal)
Overview: The OWASP Global Summit 2011 was one of the most significant events in OWASP’s history. Held February 8–11, 2011 in Lisbon, Portugal, this four-day summit gathered a broad swath of the application security community. Over 150–180 attendees from more than 20 countries and 120 companies participated, making it a truly global gathering. The summit’s stated purpose was to bring together top experts to “discuss the future of application security” and advance OWASP’s projects and governance. In many ways, the 2011 summit was a culmination of OWASP’s first decade and a planning session for the next phase of the organization.
Planning and Organization: Planning for the 2011 summit was extensive. A dedicated organizing team (led by OWASP volunteers including Dinis Cruz and others) spent months preparing working session topics, inviting participants, and securing funding. The summit was branded a “Global Summit”, reflecting OWASP’s worldwide reach at its 10-year mark. It was hosted in Lisbon, and OWASP coordinated with a local event organizer (the press release lists a contact from a Portuguese event firm). Unlike 2008, where OWASP itself paid for all travel, the 2011 summit used a mix of sponsorships and participant funding. OWASP offered corporate sponsorship packages to support the summit’s costs – for example, companies could sponsor on-site amenities like villas (lodging), meeting rooms, or meals. This creative sponsorship model (e.g. “Sponsored Villa” for $10K, “Lunch Sponsorship” for $2K, etc.) helped offset expenses while keeping the event accessible. Some OWASP Foundation funds were still used to subsidize certain attendees (such as key project leaders who lacked corporate backing), but many participants’ employers covered their travel as an investment in OWASP’s mission.
The venue in Lisbon allowed for intensive collaboration. In fact, attendees were lodged together in a set of rented villas, reinforcing the retreat atmosphere. Scheduling spanned four full days (Tuesday through Friday), with long working hours (and often ad-hoc sessions running at night).
Summit Format and Session Structure: The 2011 summit was explicitly “designed in a working session style format”, not a typical conference. This meant there were no vendor booths and no purely lecture-style talks to a passive audience. Instead, the agenda was organized into parallel working tracks each day. Each track focused on a specific application security domain or OWASP initiative and was led by one or more chairs/facilitators. According to reports, the lineup of tracks was “spectacular,” featuring sessions on: Secure Coding, Browser Security (an entire day devoted to browser-related security topics), Cross-Site Scripting (XSS) eradication, metrics and measurements in AppSec, OWASP Project roadmaps, and even internal improvements to OWASP’s structure and governance. Every session was meant to produce actionable outcomes (such as a draft standard, a plan for a new tool version, or a set of recommendations). Attendees were active contributors, not just listeners – they broke into discussion groups, edited documents live, and voted on proposals.
For example, one track focused on secure coding guidelines and produced recommendations for frameworks and projects like OWASP ESAPI. Another track on browser security brought together experts from browser vendors and security researchers to hash out proposals for browser-hardening and new OWASP cheat sheets. A notable working session aimed at “cross-site scripting eradication” brought participants from companies like Google and Mozilla together with OWASP leaders to strategize on reducing XSS vulnerabilities industry-wide. Additionally, a portion of the summit was dedicated to OWASP’s internal future – discussions on how the foundation could grow, how to improve the project lifecycle, and how to handle its rapid expansion.
Participants and Notable Attendees: The 2011 summit attracted an impressive roster of attendees from both the OWASP community and the broader tech industry. The press release highlighted “top OWASP leaders and security gurus” in attendance, naming organizations such as Google, Mozilla, Microsoft, PayPal, Facebook, Apache, Verizon, Dell, and leading security consultancies (e.g. Aspect Security, Cigital, Denim Group). Many OWASP project leaders (for projects like ZAP, WebGoat, OpenSAMM, etc.) were present to collaborate on their projects’ next steps. OWASP chapter representatives from around the world also joined, ensuring regional perspectives were included. The mix of participants – industry practitioners, independent researchers, OWASP volunteers, and even government/military AppSec specialists – created a rich environment for cross-pollination of ideas. This summit was truly a meeting of minds: with so many experts in one place, informal networking was as valuable as the formal sessions.
Key Topics and Working Sessions: Some of the prominent topics and sessions at the summit included:
- Metrics & Benchmarks: Developing metrics for application security risks and OWASP’s projects (likely influencing things like OWASP’s risk rating methodologies).
- Browser Security: A deep dive into browser-side security controls and standards (e.g. Content Security Policy, sandboxing, secure cookies) – a full day track on this, indicating high priority.
- XSS Mitigation & Eradication: Strategies to finally reduce cross-site scripting, including frameworks and developer education.
- Secure Coding Practices: Sharing and unifying secure coding guidelines across organizations; possibly work on the OWASP Secure Coding Handbook.
- OWASP Projects Roadmap: Working meetings for flagship OWASP projects (Top 10 2010 release, OWASP ASVS standard, Zed Attack Proxy, etc.) to plan next versions.
- Global Industry Initiatives: Sessions where OWASP and industry reps discussed initiatives like software security maturity models (BSIMM vs. OpenSAMM – indeed OpenSAMM v1.1 discussions happened), and application security education programs.
- OWASP Governance & Structure: Discussions that led to concrete changes in OWASP’s organizational model – e.g., establishing plans for Board member elections by OWASP membership, and exploring the idea of hiring a full-time Executive Director/CEO to handle day-to-day operations (which OWASP did a couple years later).
Outcomes and Deliverables: The outcomes of the 2011 Global Summit were extensive. A post-summit report compiled the results of many working sessions and was made available to the community. According to OWASP leaders, an “amazing amount of work” was achieved in just a few days. Dozens of tangible artifacts emerged from the summit. These included things like: draft documents (e.g., a new OWASP Code of Conduct, updated OWASP mission statement), new project proposals, and improvements to OWASP tools. For instance, the OpenSAMM project used the summit to decide on changes for version 1.1 of the software assurance model. Another outcome was the creation of an OWASP Browser Security Report 2011, aggregating the summit’s findings on browser-related issues (as hinted by plans to release a “Browser Security Report 2011” book afterward).
On the organizational side, a critical outcome was a plan to hold elections for the OWASP Board (introducing more community governance). Indeed, following the summit, OWASP announced that half of the Board seats would be up for member election, increasing transparency and member influence. The summit also galvanized OWASP to hire operational staff – shortly after, OWASP brought on its first full-time Executive Director (in late 2011) to implement many ideas discussed.
In addition to formal outputs, the summit fostered a surge of community energy and new initiatives. For example, participants launched the idea of an OWASP Mobile Security Project, which later became OWASP Mobile Top Ten and Mobile Security Testing Guide. The summit’s intensive networking led to new collaborations and regional events (some attendees left with plans to start new OWASP chapters or local trainings). Many attendees commented that the summit forged lasting friendships and working relationships across organizations.
Logistics and Collaboration: The summit exemplified OWASP’s open, collaborative spirit. Sessions were often collaborative to the point of writing code or documentation on the spot. Notably, OWASP enabled remote participation for those who couldn’t travel – reportedly “thousands” joined some sessions remotely via live streams or IRC, a forward-thinking move in 2011. This hybrid element, however, was supplementary; the core activity was in-person.
From a scheduling perspective, the summit days were long (often 12+ hours of scheduled and ad-hoc discussions). Social activities were also organized (networking dinners, a happy hour, etc.) to build community. The presence of sponsors was relatively low-key; sponsoring companies contributed to the event budget but the summit itself remained vendor-neutral (no expo floor or product pitches), true to OWASP’s ethos.
In summary, the 2011 OWASP Global Summit was a milestone that set the stage for OWASP’s next decade. It demonstrated the value of bringing the community together: real progress on hard security problems (like XSS, browser security) was made, and OWASP’s organizational framework was refined for the better. Participants left with concrete action items and a renewed sense of mission, having collectively decided “what’s next” for application security.
OWASP Summit 2017 (Woburn Forest, UK)
Participants at the OWASP Summit 2017 collaborated in a retreat setting (Center Parcs Woburn Forest in the UK) over five days.
Overview and Setting: After a six-year hiatus, the OWASP Summit concept was revived in 2017. The OWASP Summit 2017 was a five-day, in-person event held June 12–16, 2017 in the UK. Although often advertised as being in “London,” the summit actually took place at Woburn Forest Center Parcs, a conference-friendly resort village outside London. This choice of venue followed the tradition of prior summits: attendees stayed on-site in shared lodges or villas, creating a focused, round-the-clock collaborative environment. The 2017 summit was described as a “participant-driven event, dedicated to collaboration” between developers and security professionals. Its format and spirit closely mirrored the Portugal summits of 2008 and 2011, but it also brought new energy and focus areas reflecting the state of AppSec in 2017 (notably a strong emphasis on DevSecOps).
Organization and Sponsorship: The summit was organized by OWASP community leaders (with Dinis Cruz, a long-time OWASP contributor, acting as a primary organizer and evangelist). Planning started months in advance, using an open model where proposed working sessions were gathered on a public wiki and interested participants could sign up. The phrase “using the same model as the past two OWASP Summits in Portugal” was used in promotional materials – meaning the event would be highly interactive, with long days of group work and tangible outputs. Funding for the 2017 summit was a combination of participant fees and sponsorship. Many attendees’ companies paid for their travel and lodging. The OWASP Foundation provided support, and some corporate sponsors likely contributed (for example, there were mentions of sponsored meals or tracks, though specific sponsor names are not listed in sources). The participant-driven nature also extended to logistics: OWASP volunteers coordinated travel sharing, villa assignments, and even shared meals (e.g., communal barbecues were arranged on-site for informal socializing).
Summit Format: The 2017 summit ran for five full days, with a schedule packed from morning into late night. It was explicitly not a conference of talks, but a convergence of working sessions. Each day, multiple parallel sessions took place – essentially 173 sessions in total across the week, an astounding number. Sessions were typically 1 to 2 hours each, and they covered a wide array of topics. The event was organized into thematic “tracks” to group related sessions. Major tracks included:
- Threat Modeling: Bringing together many experts to advance threat modeling practices and produce improved methods and templates.
- OWASP SAMM (Software Assurance Maturity Model): A track for users and contributors of OWASP’s SAMM project to collaborate (this resulted in progress toward SAMM v2).
- DevSecOps: A very popular track in 2017, focusing on integrating security into DevOps workflows; participants shared pain points and solutions for CI/CD pipeline security.
- Education & Training: Discussing how to educate the next generation of AppSec professionals, and university collaborations.
- Mobile Security: Sessions around OWASP mobile projects (Mobile Security Testing Guide, etc.) with key project leaders present.
- CISO Track: A set of discussions tailored for Chief Information Security Officers to exchange ideas on managing AppSec programs.
- Research: A track for cutting-edge or experimental security topics that didn’t fit elsewhere (this could include things like AI in security, or new vulnerability classes).
Each working session at the summit had a designated facilitator and a specific goal – for example, to draft a particular guidance document, brainstorm a new OWASP project, or solve a defined problem. Participants signed up for sessions of their choice (and could float between as needed). The atmosphere was informal but intense: “high-energy… attendees work and collaborate intensively”. Many sessions had pre-created agendas or materials to ensure time was used effectively, and notes were taken to capture outcomes.
Key Topics and Projects: Because of the breadth of sessions, virtually every current issue in application security got some attention. Some notable focus areas and outcomes included:
- OWASP Project Boosts: Many OWASP flagship projects used the summit to accelerate – for example, the OWASP Security Champions initiative (guidance for building security champions programs) was refined in a summit session. The OWASP Mobile Security Testing Guide team held book sprint sessions to close outstanding issues.
- DevSecOps Practices: Participants shared open-source tools and approaches to embedding security into DevOps. This track’s findings were later shared in blogs and influenced conference talks, given its high relevance to industry problems.
- GDPR and Privacy: With the EU GDPR on the horizon (enforcement starting 2018), sessions discussed the AppSec implications of privacy laws and how OWASP can help organizations comply (e.g., a working session on “GDPR and DPO AppSec implications” analyzed the role of security in privacy regulation).
- OWASP Top Ten & New Risks: Discussions on emerging threats (like API security and IoT security) helped inform updates to OWASP’s Top Ten (the 2017 edition was being finalized around that time).
- Concrete Deliverables: Some sessions produced immediate tangible outputs. For example, a team at the summit created a draft for an OWASP CISO Guide – a document to help CISOs manage AppSec programs – which was made available for download as a result of summit work. Another example: a “Docker Security” cheat sheet or guide may have been drafted in a DevSecOps session, given the container security buzz at the time.
By the summit’s end, each of the 173 sessions had documented outcomes – typically a list of action items, a working draft, or a plan for next steps. These were later shared on the summit website or relevant OWASP project pages so the wider community could benefit.
Participants and Community: The 2017 summit brought together a diverse mix of attendees: long-time OWASP “old guard” as well as new participants (including students and young professionals eager to get involved). The attendance numbered in the low hundreds, comparable to the 2011 summit in size. People traveled from around the world – many from Europe (since it was in the UK), but also North America, Asia, etc. Notably, the summit was open to anyone willing to contribute (with registration); as a result, it wasn’t just OWASP leaders but also developers from companies, independent consultants, and even some first-timers to OWASP who wanted to immerse themselves. This fostered mentorship on the fly: newcomers could sit next to veteran OWASP contributors and immediately start collaborating.
Participant coordination was another interesting aspect: attendees were grouped into shared accommodations (villas), which encouraged networking. A central scheduling board (and an online portal) allowed people to propose ad-hoc sessions during the week if new ideas arose – truly an unconference flavor. The organizers emphasized a “no spectators, only participants” ethos, meaning everyone was expected to actively join discussions or contribute to writing and coding.
Sponsorship and Support: While not heavily publicized, support came from some organizations that recognized the summit’s value. For example, some companies sent multiple team members as a training/team-building exercise. OWASP chapters (like OWASP London) also supported the event by providing volunteers and local outreach. It’s worth noting that after 2017, this style of event continued in an open community format (branded as the Open Security Summit in 2018 and beyond), indicating that the 2017 summit had strong community backing to sustain the model. (The Open Security Summit series explicitly built on the OWASP Summit 2017 model, using the same 5-day intensive format for broader security topics.)
Outcomes: The 2017 summit succeeded in kickstarting or reinvigorating numerous OWASP efforts. For instance, the summit gave renewed momentum to projects like OWASP SAMM (which released v1.5 the next year, incorporating ideas from the summit) and the OWASP Cloud Security project (which got volunteer contributions during the summit). The DevSecOps track outcomes fed into OWASP’s guidance and training materials. Perhaps more importantly, the summit brought fresh contributors into the fold – several attendees went on to become OWASP project leaders or chapter leaders after being inspired at the summit. The event demonstrated that even in an era of constant virtual communication, face-to-face collaboration can significantly accelerate progress on complex security problems. Participants left with not only artifacts like documents and code, but also with new connections and a shared understanding of AppSec challenges across different organizations.
In summary, OWASP Summit 2017 was a high-energy reboot of the summit concept, adapted to contemporary topics (DevOps, etc.) and expanding the community. It reinforced the value of OWASP’s open, collaborative approach: by the end, there were “several discussions, a list of actions and, in some cases, a new draft for a new project” produced for the wider community. Many regarded it as a transformative week, proving that concentrated, volunteer-driven summits can yield outcomes that benefit the entire application security ecosystem.
Evolution of Summit Format and Organizational Model
Over the years, OWASP’s in-person summits have evolved in format, scale, and role within the organization:
- Frequency and Scale: Unlike annual OWASP AppSec conferences, the summits have been ad-hoc events held when there was sufficient community drive and resources. After the inaugural 2008 summit, OWASP experimented with a smaller annual leadership meeting in 2009, then organized a large global summit in 2011. There was a long gap until the next big summit in 2017. This irregular cadence reflects both the resource-intensive nature of summits and shifting priorities. Each summit grew in participant count compared to the last of similar kind (e.g. ~80 in 2008 → ~180 in 2011 → 200+ in 2017), indicating increasing interest in such collaborative events.
- Format Shifts: The format became more purely collaborative over time. The 2008 summit incorporated some traditional conference elements (training courses, presentation tracks) alongside working sessions. By 2011 and 2017, the model had shifted to all-working-sessions, no traditional talks. Participants in later summits were often pre-assigned to working groups and came prepared to produce outputs. This evolution was intentional – OWASP learned that maximal value came from letting experts “roll up their sleeves” together rather than having people passively watch slide decks. The use of tracks and session chairs in 2011 and 2017 gave structure to the chaos of an unconference, blending preparation with the flexibility to tackle issues in depth. Sessions were also more outcome-driven in later summits, each with defined goals and deliverables.
- Organizational Impact: Summits have served as catalysts for organizational change within OWASP. The 2008 summit introduced global committees and a formal ethics code. The 2011 summit led to governance reforms (member-inclusive board elections) and plans for staff roles, effectively professionalizing the foundation as it grew. By 2017, OWASP was more mature, and the summit’s impact was seen in project outputs and community growth rather than structural overhaul. In 2017, the summit model itself started to transcend OWASP – the concept of an open, working-session-based security summit was embraced outside the strict OWASP umbrella. In 2018 and subsequent years, the “Open Security Summit” was organized by community members (including OWASP leaders) to continue the tradition, broadening it to security at large. This can be seen as an evolution: OWASP summits influenced the wider security community’s approach to collaboration.
- Sponsorship and Funding: Early on, OWASP itself funded most of the summit costs (especially 2008) as part of its mission to invest in community efforts. Over time, the funding model shifted towards shared responsibility: OWASP still provided support, but corporate sponsorships and participant fees became crucial. The 2011 summit’s creative sponsor packages and the 2017 summit’s reliance on companies sending employees (and covering their costs) show how OWASP adapted to make summits financially feasible without exhausting the foundation’s budget. Importantly, OWASP maintained its stance that sponsor involvement should not compromise the neutrality of the content – sponsors contributed to logistical costs but did not get speaking slots or marketing displays at summits, preserving the collaborative, vendor-neutral atmosphere.
- Participant Coordination and Inclusivity: The summits have generally been invite-based or registration-based events targeting active contributors, but inclusivity increased over time. In 2008, the invite list was heavily curated (active project/chapter leaders), since OWASP paid for travel and had limited slots. By 2017, the event was more open: anyone passionate about AppSec could register (space permitting) and find a way to contribute. This shift democratized the summit concept, allowing fresh blood into the discussions. All summits emphasized global participation – even the term “World Summit” was used in 2011. Remote participation options started to appear (2011 had remote attendees listen in; 2017 had some sessions open on Slack or live stream), but the focus remained on in-person engagement, which is why purely virtual events are considered separate.
- Session Formats and Outcomes: Across all summits, there has been a common thread of working toward concrete outcomes. The nature of those outcomes evolved:
  - In 2008/2009, outcomes were organizational (committees, plans, principles).
  - In 2011, outcomes were both organizational and technical (draft standards, cheat sheets, project plans).
-
In 2017, the outcomes skewed more toward technical and project-focused deliverables (guide documents, new project launches, actionable checklists for practitioners). This reflects OWASP’s growth: earlier summits needed to build the framework for the community; later summits leveraged that framework to produce content for the wider world. Additionally, the summits began to directly produce published materials. For example, the “OWASP Summit 2011” report book was a polished compilation of session outcomes available after the event, and in 2017, some results were immediately shared on OWASP project sites or Github as drafts. The expectation of tangible deliverables became more pronounced.
-
Community and Culture: The culture of OWASP summits has consistently been collaborative, but over time it also became more fun and community-driven. The use of resort settings (Algarve, Lisbon retreat, Center Parcs) led to an environment where hacking on a problem could continue over dinner or during a midnight session. Photos from summits show attendees in casual settings, brainstorming on whiteboards in living rooms, and even social activities like group barbecues. This informal, collegial culture strengthened the OWASP community’s identity. People who meet at summits often continue working together long after. By 2017, the summit had an element of a community reunion as well, mixing seasoned OWASPers with newcomers and reinforcing mentorship.
In conclusion, OWASP’s in-person summits have played a vital role in shaping the direction of the organization and the wider application security community. They started as a bold experiment in 2008 to set the agenda for a nascent field, and over time they proved to be a powerful model for knowledge exchange, consensus-building, and rapid content development. Each summit built upon the lessons of the previous – improving logistics (e.g. better track management, funding approaches), expanding participation, and honing the focus on outcomes. While not annual events, when they do occur, OWASP summits leave a lasting legacy: new ideas, published guidance, stronger networks among experts, and a clear roadmap for the future of application security. This legacy continues to inspire collaborative events (such as the Open Security Summit series) using the OWASP summit blueprint. The OWASP community’s experience with in-person summits underscores that bringing people together in the same room – with the right structure and goals – can significantly advance the state of software security in ways that teleconferences or scattered efforts cannot.
Sources: Primary sources include official OWASP Summit pages, press releases, and post-summit reports, as well as contemporary accounts from participants and OWASP leaders. Notable references are the OWASP Summit 2011 Press Release, Michael Coates’ 2011 summit preview, Dinis Cruz’s 2017 summit announcements, and participant write-ups like the Minded Security blog recap of 2017. These, along with OWASP’s own blog posts and documentation, provide the detailed insights into planning, execution, and outcomes of each in-person summit. The above report has drawn on those sources to ensure accuracy and completeness in chronicling the OWASP summits’ rich history.