OWASP has announced the CFP for this year’s AppSecDC infosec conference event to be held at the Washington DC Convention Center from November 8th through the 11th. The AppSecDC conference plans to be a premier gathering of information security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by information security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

This year they are seeking presentations on the following topics:

• OWASP Tools and Projects
• Cloud Application Security
• Government Approaches to Application Security
• Application Security Case Studies
• Application Security and Business Risks
• Metrics for Application Security
• Web Services Security
• Source Code Review
• Web Application Security Testing
• Secure Coding Practices
• Privacy Concerns
• Vulnerabilities/Exploits in the Web App World
• Defense & Countermeasures in the Web App World
• Other web application security topics

For more information on AppSecDC, see its description in our Infosec Conferences section as well as OWASP’s AppSecDC conference and CFP pages. And don’t forget to check out our Calendar for a list of similar infosec events in and around the NoVA area.

With AppSec DC right around the corner, we were lucky enough to secure an interview with OWASP co-chair Doug Wilson. In addition to co-chairing OWASP (a formidable feat in itself) Dough is also an integral part of this year’s AppSec DC.

In this interview, Doug sheds light on what AppSec DC is all about, and why you should attend if you aren’t planning to already. Also be sure to check out the official AppSec DC wiki page to find out more about how you can attend or get involved in this year’s AppSec DC.

What can people expect from this year’s AppSec compared to previous years?

AppSec, like a lot of OWASP and Web App Sec in general, is still growing into full maturity. This year’s AppSec will be the biggest conference that OWASP has done to date, and probably the biggest Web Application Security conference in the world. Bigger is not always better, but I think that the size and scope this year have allowed us to get a real wealth of speakers and talent to take part in this event. The conference itself hasn’t been influenced by events in Washington, so much as current events influenced the choice by OWASP to have the event IN Washington itself. The OWASP board charged us with creating a quality conference, which they would have done regardless of location, but they especially targeted the DC Metropolitan area because of the many things that OWASP has to offer to the federal government, combined with the rapidly emerging importance of Web AppSec to the federal space at the same time.

Cyber Security is a big concern across the boards inside the beltway, but let’s face it — network security is a more mature field. There are more solutions and people ready to provide those solutions on that front, whereas the Web App Sec field is still somewhat immature in the federal space. Thus an organization such as OWASP that is developing practical tools and guides that can be used to build solutions for little or no cost in that space is invaluable to the government . . . if the government is aware that it is there, and how it can be utilized. We really hope that a lot of federal decision makers, at high and low levels, take advantage of the opportunity of having OWASP’s national gathering right in the middle of DC, so they can become acquainted with what we have to offer.

Is AppSec still looking for volunteers? If so, what do you need the most help with, and how should people go about getting involved?

AppSec is always looking for volunteers. OWASP is a non-profit, and aside from specific vendors hired to come in and fulfill some contracts (such as catering), almost none of the people working the conference from the OWASP side will be paid. We are doing it because we are passionate about what OWASP stands for, and because we want to pull off an excellent conference. We’ll need help to do that, and are looking for equally passionate people to help out.

What we mainly need is people to staff the days of the show: Obviously, this is a trade off, because if you are working the show, you will miss out on part or all of the content that attendees get to appreciate, but you will be helping the event happen, and without that, no one would get to see the content. All of the organizers and our “Arch Minions” as we have taken to calling them (lead volunteers) are willing to make that sacrifice. However, we will have many positions that need filling that can be staffed for part of the conference, and we invite people who want to help out, or who want to see only part of the conference on the cheap to sign up and help make this event happen. You’ll get the opportunity to see some of the talks, and work the rest of the event. We’ll need folks for registration, badge checking, speaker and trainer assistance, facilities liaisons, and much more. If you are interested, you can contact myself or one of the other organizers via our OWASP emails (fairly easy to dig up), or by emailing infoATappsecdcDOTorg.

Another thing we will always need more of are sponsors. Sponsorships are important to the depth of our conference. Without sponsors, we can still provide the fundamental conference, but sponsorship dollars help OWASP and help us put on a better conference, with more perks and benefits for the attendees, which make for a more enjoyable overall experience. So every additional sponsor we sign up will add to the quality of the experience for everyone attending. If you are interested in sponsoring, or know an organization that would be a good fit, please contact us.

While AppSec places a heavy focus on people who are already in the field, you also make AppSec open to students. What do you hope college students in particular will get out of AppSec, and how do you think it will influence them when they graduate and enter the field?

The biggest thing I think that anyone wants to get out of a conference like AppSec is to learn new things, and interact with other people who are knowledgeable in their field. I think that that is also a lot of what drives students in any discipline, and AppSec will provide an excellent learning environment to properly motivated individuals. My hope is that we will attract people who are developers and are curious about security, or people who are studying a standard IS/IT/IA track and want to learn more about application security. One of the most powerful people for making effective change in application security in any organization is a security conscious developer. Right now, that’s a rare animal, but someone who has development skills and security knowledge has the best of both worlds, and is in a very good position to look for great career opportunities, even in a “down market.” My hope is that we can take people who are aware of the concept of security, but haven’t really prioritized it, and make them re-evaluate how important it is, and eventually just include it in how they go about creating applications in the future. That’s the ultimate goal of Web App Sec, really — having a world where all developers are security conscious, and security is considered from the first inkling of putting a project together.

Recently, Mark Bristow (another organizer) and I gave a talk at the DC PHP Users Group on Web Application Security 101, and how the OWASP Top Ten applied to it. We got a fairly warm reception, and I felt good about it. But a week or so later, I was at a store near the University of Maryland College Park campus, and someone stopped me coming out the door. It was a person who had seen the talk at the DC PHP group — but was also a CS student at Maryland. He was really excited about the talk, and really wanted to know more, and to attend the conference. That made me feel much better than just “good” — that one bit of outreach had possibly taken someone who was going into the field of application development, and made them aware of something that could reshape their entire career for the better. We had made them start to prioritize security in what they did, and having them be excited about it on top of it. That’s awesome! I think that’s why we want to encourage students, and that’s what they can get out of it above and beyond what they learn at the training or talks.

In the press release for this year’s AppSec, you say “AppSec DC is a unique opportunity for federal decision makers and key technologists to become familiar with OWASP and the resources it has to offer.” AppSec has a heavy mix of both private and public sector speakers this year. Why do you feel it is especially timely for the private and public sectors to learn where each other is coming from?

One of the things about Web Application Security is that it’s a really big problem to try and solve. It affects everyone who uses the internet, and potentially even those who don’t. At a time where the government is trying to tackle the gigantic issues of protecting National Critical Infrastructure and securing IT resources across the government, the main access method to both control of infrastructure and information (i.e. the “Web”) is the most important thing to focus on. Only by working together and collaborating will we be able to make inroads on this massive problem, and both sides have resources that the other do not.

If we wait for the government to figure out all the expertise that has been developed in the private sector, or if we wait for the private sector to have the reach and impact of the government, we’re doomed. However, if the government reaches out to  the public and private companies and groups (such as OWASP) who are already focused in this area, it can be a winning situation all round. The government (and the citizens!) of many countries, not just the United States, can have more confidence in the stability of their infrastructure and their government resources, while the governments provide growth opportunities for companies and organizations that provide the expertise. I think that every day we do NOT have this sort of collaboration in place is one where we get further and further away from the constantly moving target of creating more secure web applications for all walks of life.

You also go on to say that, “OWASP’s mission and community align closely with the goals set forth by the US Chief Information Officer: transparency, engagement of staff, reduction of cost, and innovation in technology. OWASP can enable the government to attain these goals in the pursuit of securing critical technologies that depend on the web.” Which tracks at this year’s AppSec would you recommend for government employees who want to reach the goals you outlined?

It really depends on the employees role within the government. I like to feel that we have something for everyone. For those who are new to OWASP, and/or those who focus on high level decision making, we have several tracks that talk about some of our core ideas, as well as steps to apply security at a process or management level. Tracks such as the OWASP and the SDLC track on the first day, and the Process, Metrics, and Compliance track on the second day all have a wide variety of talks that will provide value to decision makers, managers, and development team leaders, or anyone who wants to get an overview of how you can apply good web application security practices to your organization’s current efforts. Conversely, we’re not letting our technical specialists down. The Tools track, the Web 2.0 track, the OWASP track, The Attack and Defend track, and pieces of all the other tracks will appeal to engineers who are developing or attacking applications and want to know what’s new and on the cutting edge. A large number of our speakers are experienced presenters, with previous talks at AppSec, Black Hat, Defcon, Shmoocon, and others under their belts.

Do you feel that some of the training courses offered on the 10th and 11th would be good for government employees who want to learn about application security more deeply, but might not have a technical background?

Again, it will depend on their role. We have good courses for technical and non-technical people who are interested in Web App Sec. For leaders and managers, we have the Threat Modeling Express course from Security Compass, and Leading the Development of Secure Applications from Aspect Security. Both of those courses are designed for non-technical decision makers, and both are being taught by experts from top companies in the field. If an attendee is interested in learning a bit more about the technical process, we have a variety of courses deal with “how to learn to test” in various arenas, such as the Samurai Web Testing Framework class from Inguardians, and the Applying the OWASP Testing Guide with the OWASP Live CD course taught by Matt Tesauro (creator and project lead on the Live CD). These courses will probably require a little more technical knowledge, but will teach some of the fundamentals of how to test a web application and walk users through some of the steps involved in the process.

And lastly, what would you say to those who are still sitting on the fence about attending AppSec?

I’d say that this is a great opportunity for everyone interested or affected by Web Application Security, but especially those located near Washington DC. DC has a huge population of people who are interested in security, and an even bigger population who should be and are affected daily by decisions that are made (or not made) regarding security. AppSecDC offers a very inexpensive, extremely valuable learning and networking opportunity which is unlike anything else ever offered in the District. If you are not from DC, it’s a chance to come and see the infosec climate in the Nation’s Capital, and interact with government employees and those who work with them, at the same time listening to and learning from some of the top minds in Web Application Security from around the world. This is the biggest OWASP event, and likely the biggest Web Application Security Event ever held. Considering the price tag (especially with OWASP membership discount and early bird registration discounts), it should be a very simple decision when you see the value that you will get for your investment.

As an additional incentive to out of towners, our location is right in the middle of downtown at the Walter E. Washington Convention Center, and our host hotel, the Grand Hyatt Washington has been nice enough to extend our convention rate through the weekend, so if you are coming in from out of town, you can stay the weekend and see the sites of the nation’s capital as well.

Doug’s Bio: Doug Wilson is a Senior Application Engineer with SAIC, where he supports government and private sector customers. He specializes in Information Security and Highly Available Web Architectures. Doug has been working in a variety of IT positions for the past ten years, and has always been “the security guy” regardless of what he’s been doing. Prior to joining SAIC, Doug worked as a contractor at the National Institutes of Health for almost six years. While at NIH, his main duties were developing progressive security and application hosting programs for a group that supports infrastructure at NIH for over 40,000 users. Prior to NIH, Doug had worked for several local web hosting companies.

When Doug is not working feverishly trying to get everything in order for AppSecDC, he is also a co-chair of the Washington DC Open Web Application Security Project (OWASP) chapter, and founder/organizer of the monthly CapSec DC happy hour. He also participates in the DC web design and development community, having presented on Web Application Security at Refresh DC, Barcamp DC, the DC PHP Users Group, George Washington University, and other events in the DC metro area.

o o o o o

A special thanks to Doug, Rex Booth, and Mark Bristow for agreeing to interview with us. Mark and Rex’s interviews will be published in the upcoming weeks, so keep an eye out for them!

It seems that @rybolov is slowly turning into NovaInfosecPortal. When I read his post about the upcoming OWASP AppSec DC conference, I considered copying it since he did such a good job. (Kidding, of course.)

Besides breaking down the basic information of AppSec DC in his post, @rybolov also mentioned the need for sponsors. As much as we all love conferences like AppSec DC, the reality is that they can’t happen without financial backing. If you, or someone you know, would be interested in sponsoring the AppSec DC conference, please email me or send me a tweet @grecs and I will forward your information to the people who can make it happen.

If you’d like a little more information about why you should attend, sponsor, or volunteer at this conference, check out the information below.

• Who: OWASP
• What: AppSec DC 2009
• When: 11-10 – 11-13-2009
• Where: Washington Convention Center (801 Mount Vernon Place NW Washington, DC 20001)

For more information on AppSec DC, see its description in our Infosec Conferences section. View our Calendar for a list of similar infosec events in and around the NoVA area. See the OWASP wiki for more information.

o o o o o

Don’t forget, if you’re interested in sponsoring this conference, email me or send me a tweet @grecs.

So, what was on everyone’s minds this week? Spam… and the Swine Flu, apparently. Leave it to the spammers to take advantage of a horrible situation.

• Spammers will def b doing. RT @mckeay srt planning 4 the impact of the swine flu, as well as the spam that will inevitably srt circulating #
• Here comes the spam. RT @mckeay Just found the first swine flu spam in my own mailbox. What a surprise. Not. #
• Here’s the official US CERT warning. RT: @uscert_gov: Swine Flu Phishing Attacks and Email Scams http://tinyurl.com/cnjgne #
• SWINE FLU SPAM: @mckeay called it first about the forthcoming barrage of spam. http://tinyurl.com/d2cknl #
• MORE SWINE FLU: Then it started happening. Others tweeted it & several articles were written about it. Here’s one. http://tinyurl.com/dj6l88 #
• SWINE … FINAL: Ok, just one more comment. Spammers are very smart for doing this but it’s wrong! #commentary #
• SWINE SPAM: Not to much news today except a few articles on an increase in swine-related spam as expected. http://tinyurl.com/cw5kao #
• LOL RT @BrickandClick Want To Avoid Swine Flu? There’s An App For That Too -> http://bit.ly/t4Q9n #

As if the Swine Flu spam wasn’t bad enough, it turns out that the vulnerabilities in Adobe Reader are bigger than we thought.

• ADOBE VULN (CONT): Another article from The Register going into JavaScript issues in their products. http://tinyurl.com/cb4rhw #commentary #
• ADOBE VULN (CONT): As I noted earlier, scripting needs 2 b off by default! Or u can just use FoxIt as suggested by @jack_daniel. #commentary #
• ADOBE VULN: Another vulnerability caused by scripting. Geez, this needs to be off by default! http://tinyurl.com/ca44ys #commentary #
• New comment on “Another Adobe Reader security hole emerges” http://bit.ly/WmLrR #

When you pair both problems with the biggest security vulnerability of all time, it’s not pretty.

• CORE INFOSEC PROBLEM: Once again here is another story that shows people are the primary problem. http://tinyurl.com/d4p7uc #
• PEOPLE PROBLEMS: It all comes back 2 awareness training – and making it exciting and interesting. I know … this is hard to do. #commentary

But, on a more positive note, SANS held its AppSec Summit this week…

• RT: @IBMFedCyber: Anyone else going to the SANS AppSec Summit on Wednesday? I will be there.. would love to tweetup. #SANS #infosec #

And OWASP has officially announced AppSecDc 2009!

• RT @mubix RT @securitycfp: RT @AppSecDC09: AppSecDC 2009 Call 4 Papers & Call 4 Trainers now Open! Details hre: http://bit.ly/ZVgpO #CFP #
• RT @AppSecDC09 AppSecDC 2009 is looking 4 Volunteers. If interested join R mailing list! http://bit.ly/16CPc Or reply or DM yr interest hre #

But depending on what happens with some of the major cybersecurity acts in the next few months, AppSecDc might offer some different topics than normal.

• RT: @danphilpott: RT @ITCompliance: BREAKING: ICE Act would restructure #cybersecurity rule, create WH post http://bit.ly/JzYmC … #
• RT @danphilpott Washington Post has a link to a draft copy of the ICE Act: http://is.gd/v5UU (with a hat tip to @ITCompliance) #
• RT @danphilpott First article I’ve seen for yesterday’s ISC2 report on Fed CISO Cybersecurity perspective: http://is.gd/vQAP #
• OMG, work tgthr. RT @danphilpott Whole new cybersec bill: Critical Electric Infrastructure Protection Act was introd 2day: http://is.gd/vqLU #
• LOL. RT @danphilpott The first rule of Cloud club is, you have to make ObMatrix references. #totw #
• RT @danphilpott Unfortunately, no one can be told what The Cloud is. You have to verify it for yourself. #totw #
• RT @rybolov @danphilpott Carper’s supposed to (re)introduce his new(old) FISMA (2008|9) bill. #

It will be an interesting time for people who are just getting into security. (Or, security internships.)

• RT: @CSOonline: 10 Dos and Don’ts for Security Job Interviews: http://www.csoonline.com/article/490926 #job #

But if we all follow some of Marcus’s excellent advice, things should be just fine.

• RT @marcusjcarey New Vlog Post – Sexism in Information Security? > http://twurl.nl/44h0rv #novablogger #
• RT @marcusjcarey New Vlog Post – Toot Your Own Horn! – http://twurl.nl/xoqotf #novablogger #
• RT @marcusjcarey New Vlog Entry – Own Your Technical Interview – http://twurl.nl/omq8u1 #novablogger #
• RT @marcusjcarey New Vlog Post – What Tool Should Everyone Know? – http://twurl.nl/286tg4 #novablogger #
• RT: @marcusjcarey: New Vlog – Hack Your Degree – http://twurl.nl/ia1xzh – How I got 4 yrs of credit in 12 months #novablogger #

Plus, we always have CharmSec…

• RT @mubix RT @charmsec: CharmSec 12 is this Wednesday at Slainte. #
• RT @mubix RT @charmsec: CharmSec Challenge: http://is.gd/u522 bring yr solution 4/29 & get free round (or something). Don’t leak yr answer! #

And, new Twitter tools to cheer us up.

• Cool new tool. Kind of like Twitpic but with voicemail. RT: @RodBeckstrom: Voice_Message_Tuesday_28_Apr_09_59PM http://tinyurl.com/db7gqz #

###

Have something to say? Then why not write about it for NovaInfosecPortal? We’re currently looking for some great guest bloggers to feature on the site. If you’re interested, drop us a line, or send us a tweet @grecs.