OWASP AppSec 2008 in New York City, day 2 is officially under way. Day 1 was tremendous simply because of all the great people I got to get back in contact with, and many I've never met in person before. There were also a bunch of wonderful presentations; for example, the w3af talk by Andres Riancho was not only very informative, but made me realize that commercial black-box web app sec tool vendors have some things to learn from w3af and the supporting group. The Cross-Site Scripting Filter Evasion talk by Alexios Fakos was also very good; it filled the room and got thunderous applause when it was over... great job. I think Alexios made lots of the folks in that room realize that their black-lists are not only very inadequate, but that you can do so much more than most people even think to evade filters. Ivan Ristic's talk on mod_security was pretty good too. I think that if the commercial WAF vendors didn't have someone in the room paying attention, it will be their loss. No matter how you feel about the topic of WAFs, Ivan's talk set the record straight in a lot of ways and clearly outlined the benefits and downfalls of the WAF community while highlighting mod_security.
I think I have to echo the sentiment of the folks I was standing around with when it comes to the ISC^2 tactic for party scheduling. First off, a room full of security nerds and an open bar is never a good idea for that much time... but when you first don't feed us and give us endless glasses of liquor before your talk on... whatever it was you talked about, I don't think anyone remembers what that talk was about. All I can recall was that someone won a 42" TV, and that my drink (Goose & cranberry) ended up being a Fruit Punch and grapefruit. I guess that's what I get for ordering from a guy that, well...
As a final note - thanks to Trey and Darren for hanging out and drinking beers and eating some late-night dinner food... great times guys.
Now I'm off to the next day of presentations and lunacy.