The Open Web Application Security Project held its AppSec USA conference last week, drawing over 600 attendees from around the world to the Minneapolis Convention Center to discuss the security considerations of living “your life in the cloud”.
Envisioned and organized by MPLS chapter president Adam Baso and Lorna Alamri, the conference consisted of two days of training, followed by two days of talks by international information security experts, hackers, and academics. A dozen or so vendors were also on display, such as Minneapolis-based security analysis and penetration testing firm NetSPI.
From the Beginning
A keynote was delivered by Mark Curphey who founded OWASP ten years ago and is currently employed by Microsoft. He gave a brief history of OWASP and its “creation to counter fear, uncertainty, and doubt in the information security space.” He also recognized some of the many contributors who have built OWASP into the preeminent source for web application security knowledge over the past decade.
Curphey concluded his talk with his vision for the future of OWASP and stressed the importance of free and open source software as a model for trusted participation in the security space.
Diversity in AppSec
Tokuji Akamine and Takeshi Suzuki are two professional penetration testers from Tokyo who work for Rakuten, the parent company of buy.com. Christophe Veltsos is an associate professor at Mankato State who teaches information security and information warfare classes and was a presenter at RSA 2010. Keynoter Mark Curphey is originally from England.
These people, nearly all of the speakers, and the vast majority of conference attendees are male, and to address that situation the conference organizers introduced the ‘Women in AppSec’ program this year to encourage women to pursue careers in information security.
Two female university students were awarded travel, hotel, and conference passes as part of the program. Additionally, women with letters of recommendation regarding their interest in information security were able to attend the conference for free. The program targets women working or pursuing education in IT, but not yet actively involved in security.
The Wells Fargo Foundation provided $4k seed funding for the Women in AppSec program.
One recipient of a free conference pass is Katie Stanton, employed at General Mills and currently working on the company’s rollout of SAP throughout Asia. She is encouraged by the growing number of people showing an interest in security, which she credits to the fact that security is one of “the most interesting landscapes in IT”.
After watching Android and iPhone hacking demonstrations by the SpiderLabs team she noted, “it’s amazing how much damage someone can cause in just 30 minutes.”
AppSec USA also held its first ‘University Challenge’ this year. The competition consisted of both attack and defense scenarios. The defense portion of the competition was won by the team from Dakota State University.
The attack portion, which required exploiting cross-site scripting (XSS) vulnerabilities and SQL injection vulnerabilities and finding system components still using default passwords, was won by the team from Saint Cloud State University.
The Saint Cloud team, which was also the winner overall, was led by Professor Tirthankar Ghosh and consisted of seven students. Team member George Massawe said that what he got out of the competition, aside from the two security books he was awarded, was a conviction that, “everyone in IT should get more involved in security.”
Fellow team member Matthew Sitko enjoyed “the chance to apply knowledge outside of class”, as well as learning, “a few new tricks and lots of knowledge from the pros.”
The Saint Cloud State team had previously won the Collegiate Cyber Defense Competition; the University of Minnesota and University of Saint Thomas were conspicuously absent from the competition.
The AppSec events organized by OWASP continue to gain international popularity. For example, an Israeli chapter recently held an event that drew over 350 attendees, and a major conference is planned in Greece for 2012.
For developers who can’t make it to a conference, the vast majority of OWASP’s security knowledge across many popular development technologies, as well as videos of talks from the conferences, will be available on the OWASP website.
Mark Curphey estimates that one trillion lines of code have been written so far by about fifteen million developers since the dawn of the computer. With that much code in existence in need of security, and with its importance to human quality of life continuously increasing, let’s hope that attendance continues to grow at AppSec events.