Saturday 27 September 2008

OWASP NYC Conference 2008

Just returned to London from the OWASP NYC Conference and, as always, it was a great experience (this was the biggest OWASP conference so far).

In addition to participating in the keynote speech, I delivered two presentations: 'OWASP Summit 2008' and 'Building a tool for Security consultants: A story of a customized source code'.

This last presentation was a variation of my previous two posts (OunceLabs releases my research tools under an Open Source License..., So what can I do with O2). The questions I had after the presentation, plus the multiple positive comments and conversations, tell me that the message I wanted to pass on was well understood and received (here is a blog post with an outline of the presentation, and here is a blog post that provides a good description of what I wanted to say: OWASP NYC AppSec 2008 and NYSec Recap).

While in NYC, I helped to put the final touches on the structure for the OWASP Summit and helped to set up the OunceLabs stand.

The OWASP Summit stand was perfectly run by Leonardo (from Brazil) and Juan (from Mexico), while in the OunceLabs stand (where I spent most of my time showing O2) we had Ron, Michael and Yiannis.

I have to say that I was very happy with the way we were able to set up the Ounce stand. We had 4 computers loaded with Ounce and O2 and were able to do tons of one-on-one sessions (especially after my presentation on Day 2).

What I liked the most about this stand was the vibe of it. There is something special that happens when one is showing Open Source materials, and I am always amazed by the power of Open Source in breaking down barriers and relaxing people into engaging in meaningful discussions.

Before (for example at BlackHat in Vegas), people would come to our stand with a poker face and with an "I'm not really telling you anything about our project since you don't trust me enough to give me your product and want me to sign an NDA asap!!" attitude. Now (in NYC), after my presentation of the Open Source modules of O2 and after disclosing that I was authorized to personally distribute a couple of evaluation copies of the (not free) Ounce product (which includes the Ounce CORE, i.e. the scanning engine), we had tons of traffic from people genuinely interested in Ounce's technology and in how O2 could be used to get the most out of Ounce's engine.

These are interesting times, since up to now the source code scanners could always be 'shut down' by the argument "Ok, you can scan the whole code and find some good stuff, but you can't find A, B, C, D, E, F, G....." With O2 the question is now moving to the ability of O2 (and other toolkits) to discover those security issues (or, as I was asked about, to use O2 to discover positive, i.e. good, source-code security patterns).

I do hope that in the medium term our industry changes its marketing BS message. At the moment we still have, on one side, the tool vendors saying "Buy my tool and you don't have to pay a consultant" and, on the other, the security consultants saying "Buy my services since the tools will not find what we find". The reality is that we need everybody to work with everybody!

And in the middle of this 'mine-is-bigger-than-yours' contest is the poor client, thinking "Who do I use to reduce my risk and secure my digital assets? Why can't these guys just work together and give me a best-in-class solution customized to my needs?"