2008 Open Web Application Security Project (OWASP) USA Conference, New York City

Written by: Lebbeous Fogle-Weekley
From Eye of the Storm - November 2008

Lann Martin and I made our first trip to the Big Apple this September to attend OWASP’s yearly Application Security conference. We heard experience distilled and theories expounded. We learned about new hush-hush security vulnerabilities. We surveyed vendors’ latest offerings in Web Application Firewalls and Source Code Analysis. And, oh yeah, we won the Capture-the-Flag web application hacking competition!

But I’ll get to all these things in their proper sequence. Lann and I entered the Park Central Hotel during the registration period on the conference’s first day and we had no trouble getting registered and into the conference area quickly. The event seemed altogether well organized. One of the things that I thought was a novel and very appropriate idea, given the audience of a conference like this, was that each attendee received a foam ball in his or her conference bag, and was encouraged to throw this ball at any speakers who were long-winded, talking beyond their credibility, or making disallowed plugs for vendors. While this is an idea I loved and would like to see again, it’s worth noting that at the talks that we saw, most balls flew only in jest, and the speakers did very good jobs overall.

Vendors were situated apart from where the speakers gave their talks, and they mostly behaved well. Their offerings, naturally specific to application security, varied, but Web Application Firewalls and similar vulnerability protection appliances dominated. Some vendors were keen to offer their products in the form of software-as-a-service, bringing the direct use of human intellect to bear on customers’ individual problems in concert with the software (I personally believe this model tends to be the most effective). Other vendors stood by the strength of their products alone, and did not stress managed services.

Lann and I listened to several talks, some more technical, some less. Many of these talks focused on how to build proper models for application security in an enterprise. The speakers’ models for application security practices showed the same range that the vendors did in their visions of how their products should be used. Some speakers called for high levels of direct human contribution with clear policies and practices. Other speakers stressed the importance of people and software being deployed in tandem. Still other speakers suggested that fallible humans should have a much smaller role in security practices and hardened automated systems should take their place.

The Capture-the-Flag competition, however, was the highlight of the conference for us. Developed by Dan Guido from Polytechnic University, the competition consisted of web-based challenges of varying difficulty that called for the use of cross-site scripting, SQL injection, request spoofing, and all the usual fundamental techniques for exploiting insecure web applications. Lann and I worked together to take the lead in this contest and to hold onto it until the end. At the end of the conference, the organizers recognized us with prize money and an invitation to attend OWASP’s EU conference in Portugal on November 3rd-7th. Sadly, Lann and I won’t be able to take advantage of this particular opportunity, but we thank the conference organizers for their generosity and their excellent work.

OWASP NYC 2008 was definitely one of the better conferences I’ve attended, and being able to get some of the world’s best hot dogs and pretzels right outside the hotel sure didn’t hurt. The 2009 conference, wherever it may be hosted, is definitely on my radar.