OWASP AppSec DC 2009 - Part 2
After yesterday's long day (Thursday) at Open Web Application Security Project (OWASP) AppSec DC 2009, the second day (Friday) began promptly again at the Washington Conference Centre.
The second day had four different streams:
- Process
- Attack and defend
- Metrics
- Compliance
My own programme comprised:
- The Big Picture: Web Risks and Assessments Beyond Scanning, Matt Fisher
  A description of why automated security scanners are not sufficient to cover an entire application or detect most vulnerabilities.
- SCAP: Automating Our Way Out Of the Vulnerability Wheel of Pain, Ed Bellis
  A description of how SCAP standards can be used to combine various vulnerability feed data into a single organisation-wide repository that can be used to normalise and correlate data.
- OWASP Top 10 2010, Dave Wichers
  First look at RC1 of the new OWASP Top 10, planned for release in early 2010.
- The 10 Least-Likely and Most Dangerous People on the Internet, Robert Hansen
  Key people/roles in named organisations who, if compromised, could have a significant adverse effect on the secure operation of the internet.
- Deploying Secure Web Applications with OWASP Resources, Sebastien Deleersnyder and Fabio Cerullo
  Case studies in the education, financial and telecommunication sectors.
- Injectable Exploits: Two New Tools for Pwning Web Apps, Frank DiMaggio
  Two new utilities to assist with injection and fingerprinting and a brief introduction to the Samurai web testing framework.
- Techniques in Attacking and Defending XML/Web Services, Jason Macy and Mamoon Yunus
  A description of three types of attack and methods to defend against them.
The presentations will be available on the conference web site.
At the end of the day, prizes for the capture the flag event were given out, vendor draws undertaken and a selection of prizes given to OWASP members who were present, selected at random.
It was a well organised event and the conference team and helpers deserved the praise and thanks.
Posted on: 14 November 2009 at 15:40 hrs
