The first App Security track is in full swing at QCon. I have to hand it to the folks at InfoQ and JAOO; they might be the first big development conference to take a real shot at doing a full-blown app security track. Right now, Jeff Williams is presenting an Enterprise Security API (sorely needed for consistency and integration), which is slated to be released next week at OWASP's conference. The slides for the App Security track are all being added to the QCon site.
Kent Beck did a keynote, and two of the main points he stressed were developer accountability and transparency. This was a perfect lead-in to Brian Chess' presentation on static analysis, which remains one of the most cost-effective and scalable app security tools we have.
Next, John Steven presented some advanced threat modeling techniques. Because this is a developer conference in 2007, most people haven't done threat modeling, so it was a learning experience with a lot of real-world Q&A. The responses from developers who heretofore have not focused too much on security have been really positive, which is nice to see.
There have been some great sidebar conversations. There are a lot of agile disciples here (of course), and they are somewhat concerned about how (and how much) security to add into their process. This gave me a chance to reference one of my favorite papers of the year - Johan Peeters and Paul Dyson's paper on Cost Effective Security, which sorts out app security concerns in an agile way.