My thoughts on AppSecDC 2009 and why you should “OWASP”

 Even though there have already been some great posts (Rafal Los, Gunter Ollmann, RSnake, John Steven…and again John Steven) I felt like I wanted to offer my commentary and hopefully convince some of you to attend the next OWASP event close to you. Quick disclaimer: I helped Doug, Rex, Mark, Kate and the rest of the volunteers at the conference, so I might be a little bias.

First – if you’re going to host a conference in DC, there’s really no better venue than the DC Convention Center. This is really a top notch venue in the center of DC that is built for conferences. It’s metro accessible and the conference services (food, beverages, A/V, wireless, etc) are top notch. I’m not saying the venue makes or breaks the con, but it helps.

The speakers, technical content of the presentations, and variety of topics exceeded that of much more expensive conferences I’ve attended. Joe Jarzombek kicked things off with the keynote, David Byrne and Charles Henderson can’t filter the stupid, Jon Rose and Tom Leavey brought the drinking game with a chance of 0-day, Jeff Williams tackled the insider threat, Kevin Johnson and Tom Eston think our friends want to eat our brains, Josh Abraham brought synergy to our pen-testing tools, RSnake gave security experts happy hour chatter for the next year with the 10 least-likely and most dangerous people on the web, John Steven condensed 6 hrs of Threat Modeling training into a 45 minute talk (good thing we had him scheduled at the end of the day), and Chris Weber dazzled with unicode. Not to be outdone, the OWASP projects were equally represented with Pravir Chandra on OpenSAMM, Jeff Williams on ESAPI followed by Arshan Dabirsiaghi on the ESAPI WAF, Sebastien Deleersnyder and Fabio Cerullo brought the OWASP tools together to deploy web applications, Matt Tesauro did his thing with the Live CD, Dr. Boaz Gelbord touched on security spending, and of course, who could forget Dave Wichers at the OWASP Top 10 2010 RC1! The conference also features 2 panels, the Federal CISO panel with Ray Letteer (USMC), Timothy Ruland (US Census), Richard Smith (TSA), and lead by Matt Fisher. The SDLC Panel features Michael Craigue (Dell), Dan Cornell (Denim), Dennis Hurst (HP), Joey Peloquin (FishNet), David Rook (Realex), Keith Turpin (Boeing), and lead by Pravir Chandra. The conference also featured a CTF running the new OWASP CTF project and hosted by Martin Knobloch.

For those of us who have been in the security industry for a few years, these conferences are a great chance to catch up with old friends and make new acquaintances. It was great to see familiar faces like Tom Brennan, @grecs, Ken Van Wyk, Matt Fisher, Dinis Cruz, Jon Rose, John Steven, Lee Anne Hart, Gracie Daniel, Jon McCarty, Jeremy Long, Rob Fuller, Jack Mannino, Rex Booth, Mark Bristow, Doug Wilson and others. At the same time, it was great to make new contacts like Josh Feinblum, Pravir Chandra, Robert Hansen, Matt Tesauro, Arshan Dabirsiaghi, Rafal Los, Jeff Williams, and hell, even the great Dan Kaminski made an appearance!

Just like any good conference, the awards and closing remarks held on the last day were full of thanks, toys, flying vendor squishy balls, foam rockets (courtesy of Tom Brennan), cheers, and clapping. It was truely a great way to wrap up a top notch con!

Finally, and although it’s been done many times already, I want to take a second to recognize all those OWASPers and DCers that came together to make this event what it was. I’m really copying this list verbatim from the last page of the conference booklet:

• Rex Booth, Mark Bristow, Doug Wilson, and Kate Hartmann who provided the leadership without which this conference wouldn’t have come together.
• The OWASP Board – Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, and Sebastien Deleersnyder who gave us “carte blanche” and trusted us to get this conference done.
• The lead volunteers Barry Austin, Angel Contreras, Josh Feinblum, Lee Anne Hart, Martin Knobloch, Jeremy Long, Jon Rose, David Sachdev, Mike Smith, and myself.
• The red shirt people of which there are way too many to name…THANK YOU!
• And all those who spoke at or attended the conference!

So if you get the chance to attend a future OWASP event, or if you haven’t checked out your local chapter, hopefully this blog post and the others I mentioned in the first paragraph will shed the spotlight on the OWASP organization and how WE work to improve application security worldwide.