Montreal is known for its daring and creative attitude, which routinely leads to fantastic innovations. Its artistic scene, multicultural character, and excellent universities make the biggest cities in the world envious – and are so evident that Facebook and Google have established centres in Montreal. And there is a rich pool of talent: École de Technologie Supérieure (ETS), Concordia University, McGill University, Polytechnique, the Université de Montréal, and the Université du Québec à Montréal (UQAM) are among the educational resources of our beloved 500 km2 bilingual island.
Montreal provides the perfect setting for a dynamic, diversified, and extremely talented application security community. However, technical knowledge in application security is not acquired only on school benches. Hence the importance of OWASP, an open community and software security resource. OWASP is dedicated to helping organizations develop, acquire, operate, and maintain applications that can be trusted. All OWASP tools, documents, and forums are free and chapters are open to anyone interested in improving and learning application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.
The history of the OWASP Montreal chapter
In November 2008, Benoit Guerette was looking for a way to ask the local community an appsec question. He found an OWASP Montreal mailing list and gave it a shot. And people started replying, “Hey, we’re here! :)” Laurent Desaulniers, a well-known appsec guru in Montreal, proposed a meeting, asking the obvious question, suggested by the creator of the list, Carl Simard, “Who wants to lead the launch of a new OWASP chapter?” Benoit, a security manager with lots of experience in logistics and finance, took on the work – the OWASP Montreal chapter was born. Multiple events were organized.
During the years 2012 and 2013, the chapter got involved with the ConFoo conference, which provided a great opportunity to reach Web technology developers in the area. The Montreal chapter leader at the time, Philippe Gamache, was on the speaker selection committee. OWASP Montreal got a sponsorship booth and promoted the chapter as well as projects. The outreach was effective and we interacted with 600+ individuals and gave away numerous swag items (everybody loved the rockets!).
That’s when upcoming chapter leader Jonathan Marcil joined.
Meetings continued at ETS and Jonathan expanded them to other universities – UQAM and Polytechnique sometimes had two chapter meetings a month. At the same time, the chapter team expanded by reaching out to people outside ETS. Eventually it was time to step out of school and tackle the industry.
This wasn’t an easy task since most of the community were students. Benoit Guerette, through arrangements with his employer, Desjardins, managed to get access to one of the most beautiful venues the chapter has ever had. He was helped by his co-worker Olivier Arteau, who was already running the meetings at ETS.
After this, everything went quickly. In around one year, the chapter went from 10-20 people per meeting to 50-60. One of the key aspects of this growth was the addition of Michel Bourque to the team. With him came new, industry-related, attendees.
Jonathan was also running the OWASP Media Project, which launched the next generation of OWASP video content recording and publications. The chapter also introduced innovations such as live online streaming of meetings. It even had a few remote guests, which made it possible to expand the content of meetings while working around air transportation quirks. Hugo Genesse came from the Polytechnique team to help Jonathan with the technical challenges.
Once everything was up and running well, Jonathan moved away from Montreal. He found a new chapter to attend in Orange County, California, and went back to the basics: enjoying the free food and listening to talks.
The chapter was looking for the next leader. It needed somebody strong with a great sense of how to communicate and Anne Gauthier was picked. The plan was to make the chapter even better than before. And she did, with attendance going past the 100 mark after she took over in 2015.
Between 2016 and 2017, lunchtime conferences and workshops were attended by more than 500 participants and outreach continued through major events such as GoSec, NorthSec, Hackfest, VB2018, DebConf and OWASP AppSecUSA and AppSecEU. Julien Touche, Simon Lacasse, and Jean-François Gill joined the team to help advance the mission of OWASP and the work of the chapter in Montreal.
#Women in AppSec
Application security is traditionally a male-dominated sector – and it’s sometimes a difficult sector for women to work in. Entry is rigorously protected; hence the infamous statement women hear regularly, « you’re not technical enough ». Men can sometimes lack tact and have a different sense of humor than women. What women forget is that they have (at least) two important things in common with men: a voice and a brain. The glaring difference is in self-confidence. One of many ways to survive: use a strong, direct voice accompanied by a poker face. Focus on the mission, bring new ideas and help the team get “stuff” done.
But why, in the end, should women make that effort? Why should they leave their comfort zone to work in application security? We should do it because we need to be at the front lines with our male colleagues to help protect data and other sensitive assets against attackers of all kinds. And because there are so many interesting jobs in the field: integrating security activities into the software development lifecycle, performing intrusion testing to find security flaws before attackers do, becoming a researcher and finding new methods of protection while gaining a better understanding of attackers’ objectives, developing tools for increased automation, using artificial intelligence to improve our defense techniques, etc. We live in a digital world and there are many kinds of jobs that need the viewpoints of both women and men. As more and more people recognize this, our extraordinary professional sector will become even more powerful.
Our plan for the future? Keep sharing the knowledge in application security with the community.
Other activities in security in Montreal and Quebec City:
- NorthSec: Canada’s largest applied security event
- MontréHack: Practical workshops on computer security
- Hackfest: Annual event – Conferences and CTF in Québec city