Tuesday, September 14, 2010

AppSecUSA - Day 1 - You Missed A Good One

AppSecUSA took place last week in Irvine, CA.  The conference was packed full of great talks, featured multiple keynotes and also had several good panel discussions. On top of the "official" conference agenda the "hallwaycon" was also fantastic.  As Jim Manico aptly said it on twitter:

#appsecusa was the best InfoSec conference I have ever attended. Meeting all of the amazing people around the OWASP ecosystems was a gift.

Here is a quick run down on some of the conference highlights:

Day 1 
The first two keynotes were by Jeff Williams (OWASP Chair, CEO Aspect Security) and Chenxi Wang (Principal Analyst with Forrester Research).  Both talks were good and caused the audience to question their thoughts on application security and the future of the field. Perhaps the most entertaining aspect of the two talks was that they presented countering views on what we should do moving forward.  Jeff's talk focused on a security ecosystem that placed a strong emphasize on spreading security knowledge and capabilities to the developers and throughout the entire lifecycle.

Chenxi's talk advocated a more automated approach that allowed intelligent systems to build security into the application itself. She admitted this is more of a research area and not currenlty feasible, but that it was the direction to success. She countered Jeff's point on developer training and argued that placing a any responsibility of security into the hands of developers was a failed approach. 

It was entertaining to see both perspectives and it allowed the audience to absorb both sides of the discussion and ultimately arrive at their own conclusions. If nothing else, it provided great material for people to debate in the hallways.  From Jeremiah:

Between the comments by @chenxiwang & @planetlevel the hallway track is going to be really fun. #AppSecUSA

A Sampling of the Great Talks on Day 1
How I met your Girlfriend, Samy Kamkar
Solving Real-World Problems with an Enterprise Security API (ESAPI), Chris Schmidt,
State of SSL on the Internet - 2010 Survey, Results and Conclusions, Ivan Ristic,
Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications, Dan Cornell,
Panel Discussion: Security Trends: Jeremiah Grossman, Robert Hansen
(and more, I couldn't make them all)

Security Browser Lunch
Mozilla, OWASP leaders and key web security players all gathered at lunch to determine how Mozilla and the OWASP community could further work together.  A lot of great things are going to be coming down the pipeline as a result.  I'm looking forward to seeing how the two organizations can work together for the mutual goal of creating a safer web.  We also hope to get all the browsers at the table too - this was a last minute meeting, so no worries that others couldn't make it with such short notice.

Mozilla Content Security Policy
At the end of the day Brandon Sterne from Mozilla gave a quick presentation on the upcoming security enhancement to Firefox 4. Content Security Policy (CSP) will allow websites to effectively eliminate XSS issues through the use of policy files and a whitelist approach to only allowing externalized JavaScript (e.g. from .js files instead of inline script tags). An additional benefit of CSP is the report back capability that enables the browser to report script violations back to the site.  This reporting can enable a web site to become aware of a potential xss attacks from the CSP reports from Firefox 4 users. 

-Michael Coates