OWASP AppSec at U.C. Irvine a success!

I worked as a volunteer at the OWASP AppSec conference at the University of California at Irvine, held Sept 7 through the 10th.

Unfortunately I did not get to sit in on any of the training sessions - they all looked first rate. I *was* invited to the VIP reception. It had a nice selection of appetizers and good drinks from the bar, with opportunities to chat with other conference volunteers, organizers and speakers.

The sessions I was able to attend were all very good, some excellent. My best take-away from the CxO panel was that "buy a tool" inevitably fails as an approach. I already knew this, but it is refreshing to hear this truism so bluntly stated.

The session on Threat Modeling covered the Microsoft-supported STRIDE/DREAD model for assessing application security. I've used this tool before so it was interesting to hear the speaker's perspective. Threat modeling belongs as part of the application's architecture review, and should be embedded in the development life cycle. The threat model should be maintained and updated for as long as the application is in use.

Bill Cheswick gave the end-all of password security talks. I've seen his video online, and this was similar. He gave a lot of very useful ideas about password vulnerabilities, user psychology, and how to realistically manage passwords better given human and technical limitation.

Other sessions I attended included ones on secure coding practices, OWASP projects, "Reducing Web application Vulnerabilities: Moving from a Test-Dependent to Design-Driven development", and HD Moore's talk.

HD's talk was given in a rapid-fire style that took some careful listening to follow and dwelt exclusively with the Metasploit product and plans to incorporate more Web application testing in future versions. And a Linux Meterpreter module may be out by version 3.5