Tuesday, November 17, 2009

OWASP 2009 (AppSecDC) Thoughts

I'm finally home and have a minute to write about the past week's OWASP AppSec DC 2009 conference.  And what a conference it was - far and away the best conference on information security of the year.  This includes the organization, the venue, the audience/attendees and the presenters.

I think some of my favorite presentations were Josh Abraham's 20-minute "Synergy! A world where tools communicate", Tom & Kevin's "Social Zombies: Your friends want to eat your brains", Chris Weber's 2 outstanding talks "Finding Hotspots" and "Unicode Transformations", and of course RSnake's "The 10 least likely and most dangerous people on the Internet".  If you missed of those (or just want to re-visit them) the OWASP folks will be posting the videos and slides shortly if not already... check here.

I think it needs to be said that the OWASP crowds are some of the more passionate folks around ... while there are still some zombies like there were at CSI: Annual 2009, it's nowhere near as bad!  People actually participate, and I saw many hallway discussions that happened - and not just amongst the speakers either.  This was a great chance to combine ideas, pick people's brains and think about how to solve some of the problems plaguing application security.

Perhaps the most interesting presenter was Chris Weber with the "Unicode Transformations: finding elusive vulnerabilities" talk ... that was seriously fascinating.  I know I sat and stared as Chris demonstrated his mastery of the Unicode world and some of the ways of encoding, double-encoding and other tricks that even made my head spin.  I can't wait to dig into this topic more...

As always the OWASP projects were presented and updated, and I think the 3 that are on my personal watch-list (and should be on yours) are the ESAPI (Enterprise Security API) project, the OWASP O2 Platform, and the ESAPI Web App Firewall.  Some really big dents can be made in the general insecurity of web applications if these 3 are executed right, and deployed properly.

I'd like to thank everyone who attended my "When Web 2.0 Attacks!" talk, and if you have any questions, comments, discussions or other just want the slides you can always email me directly or leave a comment with your contact info!

See everyone at the next OWASP event!

No comments: