Last week we did an App Sec track at the software developer conference QCon. One of the highlights was jOHN Steven's Threat Modeling talk. I am always amazed that many security architects don't do threat models. How in the world do you get a security requirement then? Anyhow, jOHN had a great quote: we need to change the mindset of security people away from the traditional (and traditionally ineffective) auditor role and towards that of a shepherd.
This week is OWASP AppSec, and I have a deep affection for this conference, because useful stuff is produced every time and it is noticeably absent of the "it's perfect or it's broken" crowd. Anyhoo, some highlights.
Mark O'Neill gave two stellar talks on Web services security. The first was real world case studies including REST, SOAP, and a number of industry-specific web services security integration scenarios. Then Mark gave a presentation on Covert Data Channels. Brad Hill closed the day with his excellent examination of the bloated attack surface we have in XML security today, and some concrete remediations.
Additionally, it was great to meet Andy Steingruebl in person (Andy wrote an interesting two-part analysis of an OWASP Security metrics paper I wrote with Betsy Nichols). Maybe we can use some of this conversation to kickstart some progress on the OWASP Security metrics project.
Finally, 5 different people talked to me directly about struggling to implement XACML. This was music to my ears. It is lonely to be banging the XACML drum, but this is a very important issue: once you improve the identity subject side, you still have this flaming bag of uncorrelated resources and policy domains. Some smart folks are on to this now.
So the two projects that look to be spawned out of this conference are an OWASP Top Ten for Web Services and an XACML working group to define resource protection and policy patterns. Drop a note if you are interested in participating.