Well the OWASP conference in Milan was really great. There was a large number of good presentations and lots of interesting chat. Also got to meet quite a few people I only know from their blogs.
First day was the SOA and Web services Security training from Gunnar Peterson. Whilst there was a lot of information to absorb in one day, it was very good and left me with some key things to take away like the importance of using XML Security gateways in enterprise web services, some risks which apply to webservices that are different to those faced by usual web apps. like XDOS and that MQ only provides authorization not authentication !
On the first evening we got free food and drink courtesy of the nice people at Breach Security and I had some interesting chats with Alex Lucas on cool home computing setups amongst others.
The second day was the first of the conference proper ( agenda) . Hopefully all the slide decks will be up and linked from that page fairly soon... There was lots of interesting stuff, probably the most interesting (or perhaps scary) of the day for me was PDP Architects presentation on advanced web hacking (slides from this one are here) . It was a really interesting look at what some of the new services that are available on the 'net like Yahoo Pipes and tinyURL can be used for by malicious parties. Unfortunately the dark angel of demos was around and Yahoo Pipes was down during the presentation but I imagine it'll be up again soon....
Dinner on the second day was the conference one at Ristorante Why Not and again loads of interesting chat was had. I was sat next to Simon Roses Femerling, lead on the Pantera Project and had some interesting chats about what's next for that project. It actually cleared up for me what the goals of the project are. Pantera (at the moment) seems primarily geared at gathering information on the site under analysis rather than automatically handling XSS testing or the like.
Unfortunately I was pretty tired by the end of the meal (they have quite leisurely dining in Italy) and missed the first appearance by the OWASP band! However there's pictures here
Day Three had some more great talks and more stuff that I really should look at when I get the task. There was information on the newly revamped OWASP testing guide which sounds like a really good basis for web testing methodologies now.
There was also a madcap spin through the expanded OWASP project list from Dinis Cruz where we got a flavour for the variety of projects now undertaken by OWASP. One thing that sprang to mind while I was listening to this was that perhaps OWASP need to enforce some kind of naming convention on their projects as at the moment some of the names aren't really very descriptive of what the project does which can lead to some confusion
Day Three ended up with the panel discussing "What is needed to fix web app sec vulnerabilities once and for all?" . The main suggestions surrounded re-vamping the underlying protocols and technologies (eg, HTTP 2.0) to embed security and also encouraging development framework usage so that individual developers find it easier to write secure applications. Ultimately though it seems that the conclusion was that the current crop of web application vulnerabilities will be with us for some time and there are no easy fixes...
All in all a great conference, I'll definitely hope to get back next year. The talks were all pretty good and also there were loads of interesting people to meet and put faces to blogs...
