John and I finished up the OWASP AppSec 2007 San Jose conference yesterday. Now we’re meeting up with a couple of clients and partners and then heading back to Texas. There were a bunch of great sessions on Day 2 of the conference, including:
- Jim Routh – the CISO for the Depository Trust and Clearing Corporation (DTCC) – gave a great outline of how they put together a world-class application security team. They set their sights on creating developers who could create secure software rather than focusing on the software itself. This allowed them to build a sustainable process. By creating secure software “mavens” they spread the word throughout their development team. Jim repeatedly made what I feel is a very important point: don’t pick a tool and make that your solution. Instead fix the process, train the people, and then liberally use tools to support and accelerate the steps in your process. From an organizational-value standpoint this is probably the best talk I saw at the entire conference.
- Dinis Cruz made a great point during his “OWASP State of the Union” talk. The goal of OWASP (or any security group) is to make security visible. If people want to make bad decisions once they know the risk then that is their choice – but the responsibility of security groups is to make sure these risks are out in the open so that people and organizations can make informed choices.
- Stefano Di Paola’s talk about finding vulnerabilities in Flash was very interesting. At Denim Group we’ve started to do a lot of work with Flash and with interacting with Flash software from our applications, so there were some real gems for us in this talk.
- David Chandler’s talk on securing Java Server Faces against the OWASP Top 10 did a great job of outlining the basics of JSF and the security features available. The bulk of the presentation was spent stepping through the validation capabilities of JSF. Since bad input validation tends to be the root of evil for most application security issues, these are the JSF platform features that any dev team should really understand and use.
- Samy Kamkar’s talk about how he created the MySpace worm was by far the most entertaining presentation at the entire conference. He walked step by step through the creation (and aftermath) of the MySpace worm for a standing-room-only audience. This was great stuff.
We had to run off to meet with a client so I missed the last session and the final panel, but we did make it by the final cocktail party to grab a drink and catch up with some folks before heading out.
All in all, this was a great conference – as is always the case with the OWASP conferences. Many thanks to Jeff Williams and Dinis Cruz for all they do for OWASP, to Dave Wichers for organizing the conference, and to all the folks who organized and participated. I’m not sure if I will make it to any of the overseas conferences soon, but I will certainly see you all in New York next year.
dan _at_ denimgroup.com