Justice League Blog

AppSec DC ’09

After what must have been an incredible amount of leg-work, a cabal of folk from the DC OWASP chapter are putting on the AppSec DC conference. The conference will also play host to the ’09 OWASP Global Summit. I hope to see you there, especially those of you who are practitioners within organizations’ security groups; I feel you provide an essential perspective from the trenches of our security war.

Elections
Elections will be held to add another board member to OWASP and I’m anxious to see how the process plays out. Knowing all four announced candidates, I imagine different outcomes based on who receives the nod. In an odd turn of events, I actually like all the candidates; I think they’re great guys. In particular, I’ve known Pravir for many years, I’ve worked with him off-and-on, and respect him deeply.

I’d like to point out Eoin Keary’s bid in particular, because I like his focus on quality and governance. I perceive OWASP to be at an inflection point in its development, and growing pains are already evident. Selecting particular projects on which to focus, placing them under more rigorous quality control, and working towards the maturity criteria others have begun to define can really increase the reach and impact of OWASP. This idea is essential to Mr. Keary’s platform.

Tesauro and Chandra, contributors to project assessment criteria, appear to place importance on this as well. Consider the draft criteria their committee is working on.

OWASPProjectAssessCritDRAFT

Again, I think quality is an ever-more-important imperative as the OWASP community grows and I’d like to see the assessment criteria expand to contain some more explicit and rigorous technical quality gates for a project. As I look at popular existing projects, I am beginning to feel a pressing need for outside review/revision.

Talks
As the Java EE persona of the ESAPI project nears release, I’m anxious to see a more hands-on, more technical, and more developer-focused presentation on the project at AppSec DC. Recent presentations and commentary have felt a bit more like cheerleading to me.

Of course, I’ll be dying to know what Dinis has added to O2 recently and it appears he’ll be presenting on this topic.

Threat Modeling
I’ll be presenting on threat modeling on Wednesday, but I’m also very interested in discussing the topic with the guys from SecurityCompass, who will be giving all-day training on it. Rohit, in particular, has made what I consider to be a top-notch start on his Java EE Security Patterns document, and I’m anxious to see the methodology behind their work.

This entry was posted in Software Security.