Tuesday, September 14, 2010

AppSecUSA - Day 2 - You Missed A Good One

[Check out the recap of Day 1 here]

My talk started off the presentation portion of day 2. "Real Time Application Defenses - The Reality of AppSensor & ESAP" went very well. There was a great turnout and lots of good questions. The slides are online here. If you have not heard of AppSensor, then just consider this idea: what if your application could detect an attacker probing your site for weaknesses and then eliminate this threat before the attacker found and exploited a flaw in your application? That's what AppSensor allows you to do, and I argue that this is the next step in application security.

The 2pm panel discussion on Vulnerability Lifecycle for Software Vendors was informative. The panel had an interesting distribution of representatives. It was nice to hear from Katie Moussouris (Microsoft) and Kelly FitzGerald (Symantec) and a somewhat different angle from Daniel Holden (TippingPoint). I was pleased that John Steven of Cigital was on the panel. He presented a distinctly different perspective on the issues and was able to represent another demographic of companies when providing thoughts on the vulnerability lifecycle discussion.

Jeremiah Grossman rounded out the day with his talk on Breaking Web Browsers. Jeremiah had interesting flaws to point out in all of the major browsers. I think most people would agree that Safari took a bit of a beating during his demos. The talk drew a good-sized crowd, and I also liked that our Mozilla crew was in the room to provide instant feedback on any questions related to Firefox.

To wrap up the conference there were several raffle prizes sponsored by the conference and also the attending vendors. You had to be present to win, and there are likely 4-6 very sad people who wish they had been there to claim their iPads. Oh yeah, the capture the flag competition winner was announced. Samy won - go figure :)

Great conference, great to see everyone. You should have been there!

Next US conference is OWASP DC - Nov 8-11

-Michael Coates