With the holidays upon us, Christmas music wherever you turn, and packed shopping center parking lots, it feels like the year is wrapping up! We all have a million and one things going on, but one in particular stands out for me this year: I’ve decided to end my (almost) 4 year tenure at Aol. It’s certainly not a decision I made lightly. After all, I have invested a lot in the company and consider the AppSec program there to be my baby; I will miss it, and my co-workers most of all.
I’m starting the next step in my career on 1/4/2010 with one of the local security consulting firms and am very much looking forward to the challenges and opportunities which the new job presents.
Happy holidays to all and may the new year bring you all the love, good health, and happiness you deserve!
Even though there have already been some great posts (Rafal Los, Gunter Ollmann, RSnake, John Steven…and again John Steven), I felt like I wanted to offer my commentary and hopefully convince some of you to attend the next OWASP event close to you. Quick disclaimer: I helped Doug, Rex, Mark, Kate and the rest of the volunteers at the conference, so I might be a little biased.
First, if you’re going to host a conference in DC, there’s really no better venue than the DC Convention Center. It’s a top-notch venue in the center of DC that is built for conferences. It’s metro accessible, and the conference services (food, beverages, A/V, wireless, etc.) are excellent. I’m not saying the venue makes or breaks the con, but it helps.
The speakers, technical content of the presentations, and variety of topics exceeded that of much more expensive conferences I’ve attended. Joe Jarzombek kicked things off with the keynote, David Byrne and Charles Henderson can’t filter the stupid, Jon Rose and Tom Leavey brought the drinking game with a chance of 0-day, Jeff Williams tackled the insider threat, Kevin Johnson and Tom Eston think our friends want to eat our brains, Josh Abraham brought synergy to our pen-testing tools, RSnake gave security experts happy hour chatter for the next year with the 10 least-likely and most dangerous people on the web, John Steven condensed 6 hrs of Threat Modeling training into a 45 minute talk (good thing we had him scheduled at the end of the day), and Chris Weber dazzled with Unicode. Not to be outdone, the OWASP projects were equally represented with Pravir Chandra on OpenSAMM, Jeff Williams on ESAPI followed by Arshan Dabirsiaghi on the ESAPI WAF, Sebastien Deleersnyder and Fabio Cerullo brought the OWASP tools together to deploy web applications, Matt Tesauro did his thing with the Live CD, Dr. Boaz Gelbord touched on security spending, and of course, who could forget Dave Wichers with the OWASP Top 10 2010 RC1! The conference also featured two panels: the Federal CISO panel with Ray Letteer (USMC), Timothy Ruland (US Census), and Richard Smith (TSA), led by Matt Fisher, and the SDLC panel with Michael Craigue (Dell), Dan Cornell (Denim), Dennis Hurst (HP), Joey Peloquin (FishNet), David Rook (Realex), and Keith Turpin (Boeing), led by Pravir Chandra. The conference also featured a CTF running the new OWASP CTF project and hosted by Martin Knobloch.
For those of us who have been in the security industry for a few years, these conferences are a great chance to catch up with old friends and make new acquaintances. It was great to see familiar faces like Tom Brennan, @grecs, Ken Van Wyk, Matt Fisher, Dinis Cruz, Jon Rose, John Steven, Lee Anne Hart, Gracie Daniel, Jon McCarty, Jeremy Long, Rob Fuller, Jack Mannino, Rex Booth, Mark Bristow, Doug Wilson and others. At the same time, it was great to make new contacts like Josh Feinblum, Pravir Chandra, Robert Hansen, Matt Tesauro, Arshan Dabirsiaghi, Rafal Los, Jeff Williams, and hell, even the great Dan Kaminsky made an appearance!
Just like any good conference, the awards and closing remarks held on the last day were full of thanks, toys, flying vendor squishy balls, foam rockets (courtesy of Tom Brennan), cheers, and clapping. It was truly a great way to wrap up a top-notch con!
Finally, and although it’s been done many times already, I want to take a second to recognize all those OWASPers and DCers that came together to make this event what it was. I’m really copying this list verbatim from the last page of the conference booklet:
Rex Booth, Mark Bristow, Doug Wilson, and Kate Hartmann who provided the leadership without which this conference wouldn’t have come together.
The OWASP Board – Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, and Sebastien Deleersnyder who gave us “carte blanche” and trusted us to get this conference done.
The lead volunteers Barry Austin, Angel Contreras, Josh Feinblum, Lee Anne Hart, Martin Knobloch, Jeremy Long, Jon Rose, David Sachdev, Mike Smith, and myself.
The red shirt people of which there are way too many to name…THANK YOU!
And all those who spoke at or attended the conference!
So if you get the chance to attend a future OWASP event, or if you haven’t checked out your local chapter yet, hopefully this blog post and the others I mentioned in the first paragraph will shine a spotlight on the OWASP organization and how WE work to improve application security worldwide.
Hi, I’m Wade, your new neighbor. I just moved in next door at WadeWoolwine.com.
That’s right, I’m a new blogger on Web Application Security Road. I’ve been toying with starting up a blog for quite some time now, but was really at a loss for picking a topic. See, I’m a Senior Security Engineer on the IT Security Assurance Team at AOL in Dulles, VA, so I wasn’t sure if I wanted to spend my “free time” (you all know how loosely I’m using that term) blogging and researching what I already blog and research about at work. For a while I was really getting into using established APIs to build new applications, and even got pretty far along with a Twitter / Google Maps powered app that allowed you to semi-accurately report traffic, speed traps, and bad drivers. Don’t get me wrong, building apps is a blast, but what I failed to realize is that I love hacking stuff, and why look any further than what you love for your niche on the web?
My intentions for the neighborhood? I’ve been a leech on WebAppSec Road for a few years now. From the first OWASP guide, to the latest finds by Jeremiah Grossman and the brains over at GNUCITIZEN I’ve taken so much that I feel that it’s time to start giving some back.
So here’s what I’m hoping to give:
My view on existing web technologies and security topics
Documentation of my business and personal research
Fully vendor-disclosed vulnerabilities I might encounter
A weekly round up of security articles and links I’ve enjoyed
Here is what I don’t want to become:
A venting post, there are enough out there
Stale. I’m blogging to help me stay ahead
A product pusher. If I like something, I’ll write about it, but I’m not here to sell stuff
So there you have it, hope you’ll hang out…and participate?