The OWASP conference began with a social gathering in the “Barfüßer” brewery in the center of Nuremberg. Around 100 participants enjoyed the reunion of sorts, with cold beers drafted directly on the dining table, pretzels and an opulent Franconian meal.
Sebastian Klipper's keynote comprised of a convincing plea for more competency not in but for the OSI layer 8. In plain text, users are not the cause of IT security issues, but simply the general inability to understand and communicate IT security as a problem solving tool.
The second keynote provided by Tom Brennan presented the history and facts of the OWASP community. He also covered the current state of web application security.
The next session was offered in two parallel tracks. The first track was dedicated to the OWASP project itself, such as Dirk Wetter's speech on the development of the OWASP Top 10 as a tool for risk management. The second track was dedicated to hands-on web application security topics. Sascha Herzog demonstrated in his session how easy it is to use XML external entity attacks (XEE) to exploit a server-side XML parser, to deliver confidential data via file inclusion or to perform server-side port scans.
Side channel attacks are usually known only in cryptography context. Sebastian Schinzel showed us how to use side channel attacks to reveal private information on a web application by pure passive observation of the network traffic. This should be considered as a alternative attack vector in the case that the usual penetration tests fail to expose any other vulnerabilities.
Andreas Schmidt presented the Web Application Toolbox: WATABO. This application tries to bridge the gap between the easy to script commercial and the more transparent and traceable free penetration test tools.
Alexander Meisel's Session on the development of large distributed applications in the context of service oriented architectures made the conference perfect in my opinion. These applications cause an increased demand on distributed web application firewalls (dWAF) that are capable to defend against novel threats “out of the cloud”.
Overall the OWASP AppSec Germany 2010 Conference offered plenty opportunities to catch up on new trends of web application security and to socialize with the OWASP community. As a venue for the web application security industry, this year's conference was a raving success. The next OWASP AppSec Germany is expected to take place next year once again in Nuremberg.
You Can Learn More About the Astaro Internet Security Product Line By Going to www.FirewallShop.com/Astaro.
The original article/video can be found at Astaro sponsors OWASP AppSec Germany Conference 2010