OWASP AppSec 2007 San Jose: Day 2


John and I finished up the OWASP AppSec 2007 San Jose conference yesterday.  Now we’re meeting up with a couple of clients and partners and then headed back to Texas.  There were a bunch of great sessions on Day 2 of the conference including:

  • Jim Routh – the CISO for the Depository Trust and Clearing Corporation (DTCC) – gave a great outline of how they put together a world-class application security team.  They set their sights on creating developers who could create secure software rather than focusing on the software itself.  This allowed them to build a sustainable process.  By creating secure software “mavens” they spread the word throughout their development team. Jim repeatedly made what I feel is a very important point: don’t pick a tool and make that your solution.  Instead fix the process, train the people, and then liberally use tools to support and accelerate the steps in your process.  From an organizational-value standpoint this is probably the best talk I saw at the entire conference.
  • Dinis Cruz made a great point during his “OWASP State of the Union” talk.  The goal of OWASP (or any security group) is to make security visible.  If people want to make bad decisions once they know the risk then that is their choice – but the responsibility of security groups is to make sure these risks are out in the open so that people and organizations can make informed choices.
  • Stefano Di Paola’s talk about finding vulnerabilities in Flash was very interesting.  At Denim Group we’ve started to do a lot of work with Flash and interacting with Flash software in our applications so there were some real gems for us in this talk.
  • David Chandler’s talk on securing JavaServer Faces (JSF) against the OWASP Top 10 did a great job of outlining the basics of JSF and the security features it provides.  The bulk of the presentation was spent stepping through the validation capabilities of JSF.  Since missing or weak input validation is at the root of most application security issues, these are the JSF platform features that any dev team should really understand and use.
  • Samy Kamkar’s talk about how he created the MySpace worm was by far the most entertaining presentation at the entire conference.  He walked step by step through the creation (and aftermath) of the MySpace worm for a standing-room-only audience.  This was great stuff.
  • Following up Samy’s talk was Arshan Dabirsiaghi’s presentation on his new AntiSamy toolkit.  This toolkit takes raw and potentially malicious HTML and JavaScript and strips out potentially dangerous content, leaving only allowed formatting behind.  It can be configured to allow or deny different tags, attributes and expressions so that different sites can allow different levels of HTML content.  The approach he has taken with this tool is very cool in that when it finds content it doesn’t like it strips it out gracefully and adds to a list of explanations of why content was removed, and that list can be returned to the user.  This is a lot friendlier than most validation/cleansing routines that simply reject the whole input, and it should make the tool usable in a wider range of scenarios.
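As an added illustration of the approach described above, here is a small allow-list sanitizer in Python.  This is example code written for this post, not AntiSamy’s own implementation or API: the policy table, the tag and attribute names it permits, the URL-scheme check and the wording of the explanations are all assumptions made for the example.  The point it shows is the two-part result: cleaned markup plus a list of human-readable reasons for everything that was stripped.

```python
"""Allow-list HTML sanitizer that returns cleaned markup plus explanations.

Example code modelled on the approach described in the post; the policy
below is an assumption for the example, not a real AntiSamy policy file.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy: allowed tag -> set of allowed attributes on that tag.
POLICY = {
    "p": set(),
    "b": set(),
    "i": set(),
    "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                      # never emit a closing tag for these
DROP_CONTENT_TAGS = {"script", "style"}  # drop the tag AND its text
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):
    """Re-serialises only policy-approved markup; everything else is
    dropped and an explanation is recorded instead of raising an error."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []            # output fragments
        self.explanations = []   # why each piece of content was removed
        self._open = []          # allowed tags currently open (for balance)
        self._skip_depth = 0     # >0 while inside a dropped-content tag

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.explanations.append(
                f"The <{tag}> tag and its contents were removed.")
            return
        if tag not in POLICY:
            self.explanations.append(
                f"The <{tag}> tag was removed; any text inside it was kept.")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in POLICY[tag]:
                self.explanations.append(
                    f"The '{name}' attribute was removed from <{tag}>.")
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                self.explanations.append(
                    f"The href on <{tag}> was removed: its URL scheme is not allowed.")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in self._open:
            # Close anything left open above this tag so output stays balanced.
            while True:
                closing = self._open.pop()
                self.out.append(f"</{closing}>")
                if closing == tag:
                    break
        # End tags for disallowed or unmatched tags are silently dropped.

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self._open:  # close tags the input left unclosed
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return (clean_html, explanations) for untrusted HTML input."""
    s = Sanitizer()
    s.feed(html)
    return s.result(), s.explanations


# Constructed sample input for the example.
SAMPLE = ('<p onclick="steal()">Hello <b>world</b><script>alert(1)</script>'
          ' <a href="javascript:alert(1)" title="x">click</a>'
          '<img src=x onerror=alert(1)>')

if __name__ == "__main__":
    clean, why = sanitize(SAMPLE)
    print(clean)          # <p>Hello <b>world</b> <a title="x">click</a></p>
    for line in why:
        print("-", line)
```

Because the cleaned markup is always well-formed and every removal is explained, the caller can store the sanitized HTML and still show the user a message such as "the onclick attribute was removed from <p>" instead of rejecting the whole submission.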

We had to run off to meet with a client so I missed the last session and the final panel, but we did make it by the final cocktail party to grab a drink and catch up with some folks before heading out.

In all this was a great conference – as is always the case with the OWASP conferences. Many thanks to Jeff Williams and Dinis Cruz for all they do for OWASP and to Dave Wichers for organizing the conference and to all the folks who organized and participated. I’m not sure if I will make it to any of the overseas conferences soon but I will certainly see you all in New York next year.

–Dan

dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.


2 Responses to “OWASP AppSec 2007 San Jose: Day 2”

  1. Bo

    I look forward to hearing about the gems for the Flash security.

    Do you have any resources you can share?

  2. Dan Cornell

    The slide deck should be online shortly and a video of the presentation should also go online soon.

    –Dan
