Last week I attended and spoke at the OWASP AppSec09 conference in Krakow. It was a four day conference with two days of training and two days of presentations.

The presentations
Most of the presentations I attended were high quality. The big keynotes were held by Ross Anderson and Bruce Schneier. I guess the gist of these talks was that a lot of vendors practice the "first to market, fix security later" ideology, and that we should "make vendors liable", respectively.

I enjoyed John Steven's talk on threat modeling and how to view a system from an architectural perspective. I regret not attending his threat modeling training, but hopefully there will be a new chance for that later.

Luca Carettoni and Stefano Di Paola's talk on HTTP Parameter Pollution was also very interesting. The way different web and application servers handle duplicated parameters is surprising and interesting from a security perspective.

I would say that the OWASP conference is a must for anybody developing web software, mainly because it does not focus on obscure windows kernel hacks, but on what you are building, assessing or managing on a day-to-day basis.

I actually gave my first presentation at a conference outside of Norway. I talked about security in agile projects, and how I think we need to introduce security in a way that is compatible with the ideas behind agile. A video and a podcast interview will be published later.

The people
I met a lot of interesting and friendly people during the conference. I found it a lot easier to get in touch with people at this conference than at some of the other security conferences. A big thank you to you all for a great conference. The conversations during breaks, over dinner or at the pub really made this conference different from other conferences. A big thumbs up to Seba, Kate and the rest for organizing such a great event.

Welcome to OWASP AppSec Europe in Stockholm next year
The OWASP AppSec Europe 2010 conference will be held in Stockholm in June. John Wilander is the organizer, so contact him (or me) if you have an interesting talk up your sleeve, and make sure you attend if you want to learn more about web application security. I'm confident you will learn new things or find new free tools you can use in your daily work.