I’ve probably been to over 50 IT Security events/conferences in the last 18 months, precious few being completely dedicated to web application security -- the last being AppSec 2007. While AppSec was awesome, what many asked for next was an environment set up to discuss battlefield-tested strategies and tactics that REALLY work. For example, “What are the best ways to identify vulnerabilities, remediate them, and prevent them from occurring (SDL)?” “What about PCI compliance?” “Products vs. Services?” That’s where SANS "WhatWorks in Web Application Security Summit 2008" (June 1-2, 2008 - Las Vegas, NV) comes in and why WASC has been helping organize the event. I went to the first in Washington D.C. and really enjoyed myself.
The event will NOT be dominated by vendor speakers subtly driving people towards self-serving solutions. In fact, there are only four "expert briefings" and two "vendor panels" during the entire two-day single-track session. The bulk of the agenda is "user panels" involving real people sharing their experiences on how they defend their websites and ensure secure code. These are people who've been there and done it, who've looked at and tried everything and have the experience to know what works and what doesn't. Attendees are from financial services, retail, healthcare, insurance and other industries, filling a broad range of IT Security roles. People are encouraged, if not expected, to ask questions and get the information they need.
Of course, no conference would be complete without including some top names in the industry. So we have Robert “RSnake” Hansen (SecTheory), Caleb Sima (Chief Technologist - Security at HP Software), Gary McGraw (CTO of Cigital), and yours truly will be on the docket. After all the vendor stuff is cleared post-RSA, I’ll be looking forward to this event. Plus, I’ve never stayed at the Paris hotel so that should be cool. Viva Las Vegas!