AppSec Europe 2005 Slides Available Online
The slides from the OWASP AppSec Europe 2005 conference are now available online. All the sessions are excellent, but I'd like to bring a couple to your attention.
Jeff Williams, the OWASP Chair, gave a talk called OWASP Status / Reorganization, but he spent more of his time discussing the fundamental application security problems we are facing today. Comparing application security to the history of the automobile market, he very effectively explained where we are and offered some ideas about where we might want to go. The star of the presentation is the idea of forcing vendors to explicitly declare the level of security of their applications. (The label to the right is from the presentation. It provoked a healthy laugh and applause from the audience when it appeared on the screen.) I must say, this is a *very* interesting idea. Provided a good list of guidelines exists (OWASP is certainly capable of drafting such a list), this approach could force vendors to come out into the open. I also like the idea of third-party certification for this kind of thing.
Arian Evans gave two talks: "Application Security Assessment Tools: An Overview of Available Testing Tools" and "Advanced Defense Techniques against Web Application State and Session Management Threats". His talks are interesting because he is a fun guy to listen to, but also because he presents the audience with a *lot* of raw facts and then leaves them to draw their own conclusions.