<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>onelittlewindow</title>
	<atom:link href="http://onelittlewindow.org/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://onelittlewindow.org/blog</link>
	<description>A blog about security, writing, and presence</description>
	<lastBuildDate>Sat, 25 May 2013 14:25:20 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Locks</title>
		<link>http://onelittlewindow.org/blog/?p=329</link>
		<comments>http://onelittlewindow.org/blog/?p=329#comments</comments>
		<pubDate>Sat, 25 May 2013 14:25:20 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[annoyances]]></category>
		<category><![CDATA[Life]]></category>
		<category><![CDATA[Security Theory]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=329</guid>
		<description><![CDATA[A friend of mine recently made a provocative post about a child not being allowed to lock their door. When we are younger, we are taught many ideal things &#8212; good people look and act a certain way, bad people look and act a different way. If you do certain things, good things will happen. If you do other things, bad things will happen. The world is black and white and clear delineations . . . until the first time that it isn&#8217;t. And then the next time . . . and it keeps getting worse every time after that, ...]]></description>
				<content:encoded><![CDATA[<p>A friend of mine recently made a provocative post about a child not being allowed to lock their door.</p>
<p>When we are younger, we are taught many ideal things &#8212; good people look and act a certain way, bad people look and act a different way. If you do certain things, good things will happen. If you do other things, bad things will happen. The world is black and white and clear delineations . . . until the first time that it isn&#8217;t. And then the next time . . . and it keeps getting worse every time after that, until we figure out that in most cases, absolutes and certainties are a sham, and it&#8217;s all about percentages and chances, and that is really what making choices is about, and that you actually have choices to make.</p>
<p>Locks are part of the sham you are taught as a kid.</p>
<p>Sure, locks exist. And, a lot of times, they serve a purpose. People who do security for a living realize that they are a control &#8211; and by that they are only one part of a system of security and/or safety. However, most people view them as a symbol, and wrongly place a lot more value in them than they should.</p>
<p>The common person (let alone child) has the understanding that if something is locked, it can keep something in or out. However, they often wrongly extrapolate that this keeps all things in or out, or keeps things in or out in all cases. We often only learn to our dismay, after some time, that some component we trusted fails, and the harsh world of reality proves us dramatically wrong.</p>
<p>When I was a kid, I locked my door against my parents&#8217; (or grandparents&#8217;) wishes more than once. And, more than once, I also refused to unlock it when ordered. Once, my grandfather, after much swearing, took the door and lock mechanism apart with a screwdriver. Another time, my dad broke part of my door down. I won&#8217;t say an episode as simple as this made me end up in the career I am in, but it definitely helped shape a personality that might be suited to it. It was a great realization to become aware that locks don&#8217;t mean anything once someone is willing to attack the system at a different level than the one that the lock (control) sits at.</p>
<p>If you have a person even marginally trained with lockpicks, most residential doors will only stand a minute or so. All it takes is the time for the person to sit and work on the lock. Add some passion or emotion and motivation into the picture, a determined individual of some fitness and mass can get through most common doors in a matter of seconds (I know from personal experience, plus having seen emergency/first responders in action and the aftermath of such actions). And those are exterior doors. Most interior doors have locks that are only token at best.</p>
<p>So why then, even have locks? Why lock your doors at all? Because they are a control, and again, a symbol. The control has a function (albeit limited), but the symbol makes people feel better. But do they really symbolize &#8220;security?&#8221; Popular culture and website icons would have us believe so. However, they really symbolize a control on a boundary to an environment. Being in that environment, your safety is really based on that environment, and the environment that surrounds or interacts with the first one.</p>
<p>What can come into those environments, go through them, hang out in them, live, work, play, and fight in them, and how much you trust all the different systems and controls that are interacting in that environment &#8212; how all those interact, that is what determines safety, along with a healthy dose of chance sometimes. . . NOT the lock.</p>
<p>The lock is just one tiny piece of a puzzle &#8212; it is a slight friction to entry, one that makes someone interested in subverting it realize that they will have to exert more effort, and all that entails &#8212; a chance of making noise, being seen, getting caught . . . but some attackers of systems may just not care. They are the ones that are truly dangerous &#8212; but in most of our (fortunate) lives in safer countries and environments, those people are few and far between, and most of those on the levels of gray between a true psychopath and a law-abiding person will be slowed or stopped by the idea of having to expend that extra effort and their own possible risk of being caught and punished. Or they have another set of motivations that are at cross purposes of coming through your door. Because, if they really wanted to badly enough, they probably can make it past that lock . . .</p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=329</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bidding Farewell to OWASP, Putting AppSec DC into storage . . .</title>
		<link>http://onelittlewindow.org/blog/?p=319</link>
		<comments>http://onelittlewindow.org/blog/?p=319#comments</comments>
		<pubDate>Sun, 11 Nov 2012 17:45:24 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[annoyances]]></category>
		<category><![CDATA[AppSecDC]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[OWASP AppSec]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=319</guid>
		<description><![CDATA[This actually has NOTHING to do with my last post, but it&#8217;s been sitting around for a while, and I&#8217;m all about moving on to constructive things right now. Which sometimes means cleaning out not-constructive ones. After being active in OWASP for years, I&#8217;ve been &#8220;done&#8221; with OWASP for a while now. I&#8217;ve had to keep explaining this to people over and over in public settings, so I&#8217;m just putting the statement here. I&#8217;ll try to keep it short, and I will likely not respond to many comments on this. This is more of a news bulletin than a ...]]></description>
				<content:encoded><![CDATA[<p><em>This actually has NOTHING to do with my last post, but it&#8217;s been sitting around for a while, and I&#8217;m all about moving on to constructive things right now. Which sometimes means cleaning out not-constructive ones.</em></p>
<p>After being active in OWASP for years, I&#8217;ve been &#8220;done&#8221; with OWASP for a while now. I&#8217;ve had to keep explaining this to people over and over in public settings, so I&#8217;m just putting the statement here. I&#8217;ll try to keep it short, and I will likely not respond to many comments on this. This is more of a news bulletin than a point for debate.</p>
<p>I&#8217;ve put a lot of time and effort into OWASP over the years (at least the local DC instantiation of it), but both OWASP and I have changed. I now have other things to do that are far more important to me and return much more value from my point of view.</p>
<p>For me, OWASP has not returned enough value to inspire me to continue to put effort into it in quite a while. The organization has become increasingly frustrating to deal with, and I have a lot of other demands on my time. There are parts of me that always want to try to give feedback, or critiques, or try to diagram out what is wrong and why with any organization that I am involved in. However, I would rather put that effort towards other projects that I am working on for other organizations. I haven&#8217;t worked in the field of (specifically) application security for several years now, and I have other interests. This is my view, and may not be representative of others, but it is going to govern how I conduct myself.</p>
<p>An associated issue is that this decision leaves the future of AppSec DC in serious doubt right now. Both Mark and I had condensed our OWASP involvement down to the few areas we thought we could still make a difference, and this was the last one for me. However, after three years of great shows, I had to make the evaluation that I am not capable of properly supporting another OWASP AppSec event in a lead role. Mark is not either. We have too many other obligations in our personal and professional lives to do such an event justice.</p>
<p>It saddens me to see the response I get from past attendees, (and especially our awesome volunteers) when I discuss this in person, and I&#8217;m sure it&#8217;s not going to make those who read about it online any happier. This is the one part of this that really bums me out &#8212; I&#8217;m not the only person who has put a lot of work into this. A bunch of people have. We&#8217;ve had a lot of people show up and really enjoy our conference each year, and a lot of people work their asses off to make those shows a reality. So, I won&#8217;t say that AppSec DC is forever dead. But I will say that someone else will have to pick up the torch and run with it, and from having seen the amount of work involved and responses that Mark and I have gotten in the past, I&#8217;m not super hopeful. We&#8217;ve also contemplated options such as merging with GovSec (another local event, backed by much deeper pockets with professional event planners), but even that would require an expenditure of effort that I don&#8217;t know that I am ready to give.</p>
<p>Mark and I are both willing to provide advice and assistance within our means if someone else IS willing to try to mount AppSec DC again . . . but if not, there are other events in the works &#8212; the ever-present ShmooCon, a new B-Sides DC slated for 2013, and there is always AppSec USA to turn to.</p>
<p>So, it was a good run for part of it, but I&#8217;m done now. If you need me, I&#8217;ll be over in the Threat Intel space for at least a little while, I feel that I can actually make a difference over there . . .</p>
<p><em>&lt;edit &#8212; I removed some of my personal vitriol, since I fear it will be misinterpreted. I would also like to clarify that while he is no longer going to run AppSecDC, and has resigned as GCC Chair, Mark is still active in OWASP&gt;</em></p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=319</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reviewing Priorities While Keeping Up with Rock Stars</title>
		<link>http://onelittlewindow.org/blog/?p=313</link>
		<comments>http://onelittlewindow.org/blog/?p=313#comments</comments>
		<pubDate>Sun, 11 Nov 2012 17:09:03 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[annoyances]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=313</guid>
		<description><![CDATA[For those of you who haven&#8217;t seen it yet, Amanda Palmer has a new video. Her videos from this album have been pretty amazing so far &#8212; each one seems to really take her existing art and elevate it into the extra dimension of another medium, rather than just being moving pictures that are synched to music. The latest is no exception, and probably my favorite thing she has done to date. Conversely, it&#8217;s also gut-wrenching. It&#8217;s a theme that many have riffed on in the past, the dilemma of the performer who seems to have it all contrasted with the ...]]></description>
				<content:encoded><![CDATA[<p>For those of you who haven&#8217;t seen it yet, Amanda Palmer has a new video.</p>
<p>Her videos from this album have been pretty amazing so far &#8212; each one seems to really take her existing art and elevate it into the extra dimension of another medium, rather than just being moving pictures that are synched to music. The latest is no exception, and probably my favorite thing she has done to date. Conversely, it&#8217;s also gut-wrenching. It&#8217;s a theme that many have riffed on in the past, the dilemma of the performer who seems to have it all contrasted with the humdrum needs of everyday human life &#8212; but when those needs include personal interaction and the ability to think and feel on the smaller things that make you happy as a person and allow you to cope, being locked in a world where you have to put them away on a regular basis due to the demands of driving towards your goal (performing, touring, creating) can be lonely indeed.</p>
<p><a href="http://www.youtube.com/watch?v=GMgfRThylhU">Do It With a Rockstar (NSFW Full Version)</a></p>
<p>Over the weekend, I&#8217;ve gone on a tiny bit of a personal journey. Nothing major, but in a way, I realized that something I have held for a while as a core tenet of my faith in how things were was challenged, and it made me pretty grumpy. I also realized that with a nap and some escapism amongst friends, perspective lets you realize that regardless, you will carry on. In many ways, it&#8217;s actually dangerous to become complacent in basing your world on only one thing &#8211; everything changes throughout life, and if you put yourself in a situation where wrenching one thing away does too much damage, you can become paralyzed by just even contemplating that loss. This can even happen with just challenging, or questioning a belief at times, as well, if you don&#8217;t have enough things to believe in. You can work with this risk, or you can diversify &#8212; and life has so many things to offer, it&#8217;s silly to sit in this state for too long. But so many do.</p>
<p>(this is a good excuse for hobbies ;-) )</p>
<p>In going through this exercise, I realize I need to find some other things that matter, and/or prioritize some of the things that I have de-prioritized for a while. And I have plenty of things that matter around me. I just made a brief sojourn into the recurring trap that because I am too busy, I feel I can use the excuse of not having to deal with other things around me (or being able to ignore them). I&#8217;m actually angry about that as well (making that mistake, versus the challenge of beliefs). I see this all the time &#8212; people dive into something that consumes them &#8211; not necessarily because it is what they are that passionate about, but because by completely overwhelming themselves with one set of responsibilities, they remove the burden of other responsibilities from the table. It&#8217;s easier to just be too busy all the time than to have to contemplate the underlying issues of something that is fundamentally uncomfortable to consider. It&#8217;s also far too easy to fall into a tunnel vision when you define yourself too much by one thing.</p>
<p>So, on to the next day of life, wherein the view from the day before has been left behind with its barriers and discomforts, and a new one awaits. New days won&#8217;t always be rosy, but they will always have the capacity to be different, unless you fall into the trap of forgetting that fact and you limit yourself. You can ALWAYS change them &#8211; it&#8217;s just not always comfy to do so.</p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=313</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AppSec DC, and why you should be there.</title>
		<link>http://onelittlewindow.org/blog/?p=303</link>
		<comments>http://onelittlewindow.org/blog/?p=303#comments</comments>
		<pubDate>Mon, 20 Feb 2012 20:28:52 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[AppSecDC]]></category>
		<category><![CDATA[collaboration]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[Federal]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[meetups]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[OWASP AppSec]]></category>
		<category><![CDATA[SCADA]]></category>
		<category><![CDATA[web people]]></category>
		<category><![CDATA[Web Security]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[Washington DC]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=303</guid>
		<description><![CDATA[When we first held AppSec DC in 2009, I had just come back from a two-year jaunt (job-wise) away from the world of information security. I’d long been a proponent of the fact Washington DC should have the best Information Security community in the world. I didn’t want to lose touch with either the DC or the greater InfoSec community while I was dabbling in online collaboration and presence, so I made a point of focusing on participating in community outside of work, and became active in a variety of meet-ups and organizations across different technology sectors. AppSec DC was ...]]></description>
				<content:encoded><![CDATA[<p>When we first held AppSec DC in 2009, I had just come back from a two-year jaunt (job-wise) away from the world of information security. I’d long been a proponent of the fact Washington DC should have the best Information Security community in the world. I didn’t want to lose touch with either the DC or the greater InfoSec community while I was dabbling in online collaboration and presence, so I made a point of focusing on participating in community outside of work, and became active in a variety of meet-ups and organizations across different technology sectors. AppSec DC was a chance to try to cross boundaries, and get people from many different communities talking in the same conversation about Application Security.</p>
<p>One of the important missions that the OWASP board charged us with for the first AppSec DC was to reach out to the federal government, to try to establish channels for dialog, and put forth all that OWASP has to offer. Even though it is based in the DC locale, the US Government has national and global implications in everything it does, so that’s not an insignificant mission. In working with our team putting the conference together, I realized two things: That although reaching out to the government would be a long term project, it was absolutely imperative in the emerging threat environment – but also that there are a lot of people in DC outside of the federal government who also are having an amazing impact on technology, with much further reaches than just the surrounding area, and that we should include them as well.</p>
<p>AppSec DC is now in its third iteration, and over the past three years, we have tried to make inroads to many parties in DC and beyond who should be involved in this dialog. We’ve solidified reaching out to the government, but we’ve also worked on reaching out to the startup and web community in DC. The Washington DC Metropolitan area has been a tech leader since the first dotcom boom, and even with hard economic times, the area is generating startups, new companies, and talent at an astonishing rate. To reflect that in our content, Dan Geer, CTO of In-Q-Tel, a government incubator for innovative research and development, will be keynoting our conference this year. Ken Johnson and Matt Ahrens from Living Social will be discussing how they implemented Application Security in an environment with 1500% growth in less than two years, and Neil Matatall from Twitter will be talking about an OWASP project he leads that helps developers write more secure code. Mobile applications are driving a lot of the next generation of the Internet. We will also have Jeff Six, O’Reilly author of “Application Security for the Android Platform,” as well as an entire track on Mobile Application Security, and training on a variety of topics that assist developers in all environments, be it how to develop secure mobile apps, assess apps, or just how to code securely in general.</p>
<p>This year, we are also trying to recognize a change that is happening inside of OWASP. In the past year, a need for an ampersand between the “Web” and “Application” has been made blatantly obvious. OWASP has long been generating content where 95% of it applies to all fields of application security, but some have dismissed it because of the word “Web” in the title. In an effort to support getting our message out to all application security practitioners, this year AppSec DC has expanded our offerings to include the world of Critical Infrastructure &amp; Control Systems.  We’ll be featuring presentations on how Application Security affects Smart Grid/AMI, ICS, and other pieces of Critical Infrastructure.</p>
<p>While the scope of the conversation and its impact is increasing, we can’t really grow that dialog without more participants. We would like you to bring your voice to the table. As a non-profit, OWASP provides the training and conference at a fraction of comparable industry events, with ease of access at a state of the art facility in downtown DC. We hope that you will be able to join us this year, and for many years to come.</p>
<p>Website: <a href="http://appsecdc.org/">http://appsecdc.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=303</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blog Reboot, as well.</title>
		<link>http://onelittlewindow.org/blog/?p=280</link>
		<comments>http://onelittlewindow.org/blog/?p=280#comments</comments>
		<pubDate>Sun, 12 Feb 2012 15:48:11 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[blogging]]></category>
		<category><![CDATA[personal]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=280</guid>
		<description><![CDATA[You may be wondering where the heck that last post came from if you are one of the five people who still has this in your RSS feed. Well, I figured it&#8217;s time to do a blog reboot as well. Having seen the amazing outpouring of creativity around me recently amongst my friends and peers and people I observe, both in the traditional creative arts and in those fighting the good fight in the infosec world, I&#8217;ve often felt humble and insignificant. Words are the only real creative tool I&#8217;ve got &#8212; be they written or spoken, it&#8217;s my weapon ...]]></description>
				<content:encoded><![CDATA[<p>You may be wondering where the heck that last post came from if you are one of the five people who still has this in your RSS feed. Well, I figured it&#8217;s time to do a blog reboot as well. Having seen the amazing outpouring of creativity around me recently amongst my friends and peers and people I observe, both in the traditional creative arts and in those fighting the good fight in the infosec world, I&#8217;ve often felt humble and insignificant. Words are the only real creative tool I&#8217;ve got &#8212; be they written or spoken, it&#8217;s my weapon of choice, but as time has gone on, they are more and more unused on the public stage (outside of work, that is). So I&#8217;m just going to start putting them out there again. This blog used to be specifically focused on a few things, and some of them ended up being things I couldn&#8217;t really talk as much about as I wanted to &#8212; so it eventually silenced itself. I&#8217;m going to repurpose it for all things me (though Infosec is still high on the list).</p>
<p>I caught myself the other day giving a profound, eloquent, two hour synopsis of the state of internet consumers with regards to information security to someone&#8217;s aunt when we were sitting at the dining room table in their house. It came naturally, almost as a gut reflex &#8212; but at the same time, it required precious time and energy. I regarded it (and still regard it) as important to have done, but I wish I had recorded myself. I&#8217;ve always been a believer in thinking globally and acting locally &#8212; having a blog has always seemed an act of supreme ego &#8212; who really cares what you have to say &#8212; but if I&#8217;m going to put out that level of effort, why not try to communicate more broadly? Hell, if so many people who have useless things to say will do it, why not join back in as at least a voice of mediocre quality?</p>
<p>Words are my tool, but so few people really read for real anymore &#8212; that too bears consideration. It takes effort to create real words (even bad ones), and it takes effort to really read them as well. It&#8217;s easier to create and consume bite-style media in all forms, and be a living router in the meme-flow than to stop and voice or parse a true opinion. Or you&#8217;re doing it in a reflexive, responsive, spur of the moment forum in a media that forces the rules of ad-hoc conversation without preparation, but is asynchronous, and communicates none of the signals and nuances that come with in-person conversation. People misinterpret, mischaracterize, act like asshats with impunity via the shield of distance and anonymity, Godwin&#8217;s law is revoked, and you move on to the next thing to &#8220;like&#8221; or dislike.</p>
<p>WordPress seems the tool (for my words &#8212; get it?) to stick with for now &#8212; it&#8217;s amazing where this phenomenal framework has gotten to in terms of being a poor man&#8217;s content management system &#8212; empowering the internet masses who will spend the effort to learn a bit more than the average facebook user to make truly amazing things in a time frame that is actually practical to undertake in the modern world if you are not a full time developer. But really, I&#8217;m still attracted to the name &#8212; blogs are where real words go (in addition to a lot of crappy ones, yes) in the modern era &#8212; that or more archaic forms. But the power of new media can&#8217;t be ignored, so I probably need to jazz this thing up a little bit. We&#8217;ll see what comes. We have many conferences, projects, and trips ahead this year at our little household, hopefully there is room for some more words amidst it all.</p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=280</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Genesis Reboot at Synetic Theater</title>
		<link>http://onelittlewindow.org/blog/?p=277</link>
		<comments>http://onelittlewindow.org/blog/?p=277#comments</comments>
		<pubDate>Sun, 12 Feb 2012 15:47:05 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Theater]]></category>
		<category><![CDATA[Synetic]]></category>
		<category><![CDATA[Washington DC]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=277</guid>
		<description><![CDATA[Last night, we had the privilege of seeing Genesis Reboot at the Synetic Theater. In one word, it&#8217;s brilliant. The mention of Synetic often brings up superlatives amongst those who love them in the DC theatre community &#8212; and sometimes antipathy in those who don&#8217;t, who decry their theatre without words as being dance, not theatre (though I really argue that dance can tell stories just fine &#8212; as Synetic always proves. You see my side in the argument). Well, toss that argument aside, because theatre parents extraordinaire Paata &#38; Irina have allowed Ben Cunis, his brother Peter Cunis, and ...]]></description>
				<content:encoded><![CDATA[<p><a href="https://www.boxofficetickets.com/go/event?id=142635"><img class="alignright" title="Genesis Reboot" src="https://www.knuckleheads.net/link4/b29.jpg" alt="" width="200" height="275" /></a>Last night, we had the privilege of seeing <a title="Genesis Reboot" href="http://www.synetictheater.org/mainstage/genesisreboot.html" target="_blank">Genesis Reboot</a> at the <a title="Synetic Theater" href="http://www.synetictheater.org/" target="_blank">Synetic Theater</a>. In one word, it&#8217;s brilliant.</p>
<p>The mention of Synetic often brings up superlatives amongst those who love them in the DC theatre community &#8212; and sometimes antipathy in those who don&#8217;t, who decry their theatre without words as being dance, not theatre (though I really argue that dance can tell stories just fine &#8212; as Synetic always proves. You see my side in the argument). Well, toss that argument aside, because theatre parents extraordinaire Paata &amp; Irina have allowed Ben Cunis, his brother Peter Cunis, and other co-conspirators (such as Clint Herring from <a href="http://www.hamiltoncarver.com/cast-and-crew.php" target="_blank">Hamilton Carver</a> fame, among many other things), to do something that no one can argue is brilliant, original, theatre. And it even has words.</p>
<p>It was unsettling, after three seasons of going to see shows there, hearing actual dialog coming from that stage. It almost seemed a taboo being broken &#8212; you could almost feel the audience shifting with discomfort &#8212; that this was not right, that this was not what they came here for. But as it unfolded, and the discomfort of dialogue faded away, what came to life was amazing. Ben (who authored the script with his brother as well as directing the show) and his actors and designers took the power of the tradition of Synetic (there was no way, outside of the dialog, of ever thinking this was NOT one of their shows, from the staging, to the lighting, music, costumes, and of course the breathtaking ability of those actors to speak in the language of movement), and built something mighty on top of it with their words.</p>
<p>And it was not a small project &#8211; just re-imagining the creation myth of one of the world&#8217;s largest religions, that&#8217;s all &#8212; and doing so in a manner that portrayed that initial death of innocence in a manner many times more gut-wrenching than any church scripture could ever be. You leave the theater holding back tears, feeling punched in the gut, and yet grateful for having seen such a great creative transformation and journey. And, obviously, you want more.</p>
<p>This play is part of an experimental series by Synetic Theater. As such, it is only running for a VERY short time. I urge you to stop what you are doing right now, look at your calendar, and buy tickets immediately. Due to other bookings, I don&#8217;t think there is any way that they can hold it over, and after the crowd reaction last night, I&#8217;m hoping that it will be sold out for most of the run of the show. Do not miss this.</p>
<p>Show description here: <a href="http://www.synetictheater.org/mainstage/genesisreboot.html">http://www.synetictheater.org/mainstage/genesisreboot.html</a></p>
<p>Tickets here: <a href="https://www.boxofficetickets.com/go/event?id=142635">https://www.boxofficetickets.com/go/event?id=142635</a></p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=277</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AppSec DC Update</title>
		<link>http://onelittlewindow.org/blog/?p=270</link>
		<comments>http://onelittlewindow.org/blog/?p=270#comments</comments>
		<pubDate>Fri, 02 Oct 2009 18:00:27 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[AppSecDC]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[OWASP AppSec]]></category>
		<category><![CDATA[web people]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=270</guid>
		<description><![CDATA[Most of my time these days is going into AppSecDC. So I thought I&#8217;d share a bit of a shameless plug here that I just sent out to the conference mailing list: People are registering, hotel rooms are being booked, classes are being enrolled in, and we&#8217;re just over a month out! First off, if you haven&#8217;t registered or approached us about volunteering yet, today is the LAST day for early bird registration. The link for registration is here Secondly, if you are interested in volunteering, and haven&#8217;t contacted us about it yet, please contact Jon Rose, who is handling ...]]></description>
				<content:encoded><![CDATA[<p>Most of my time these days is going into <a href="http://appsecdc.org" target="_blank">AppSecDC</a>. So I thought I&#8217;d share a bit of a shameless plug here that I just sent out to the conference mailing list:</p>
<p>People are registering, hotel rooms are being booked, classes are being enrolled in, and we&#8217;re just over a month out!</p>
<p>First off, if you haven&#8217;t registered or approached us about volunteering yet, today is the LAST day for early bird registration.</p>
<p>The <a href="http://guest.cvent.com/i.aspx?4W,M3,26bc4c77-e1ef-4bad-be46-eb7b0124276c" target="_blank">link for registration is here</a></p>
<p>Secondly, if you are interested in volunteering, and haven&#8217;t contacted us about it yet, please contact <a href="mailto:jroseATowaspDOTorg">Jon Rose</a>, who is handling the volunteer coordination these days. He will be sending out a volunteer information packet in the next few days that should have answers to some of your questions, and he should be able to hook you up with getting &#8220;signed up&#8221; for specific positions.</p>
<p>Also, got Web 2.0? If so, we&#8217;re out there, and need your help. Follow, join, repost, talk about, and all those other good things. Every bit of extra visibility gives people who don&#8217;t know about the conference a chance to join in and participate!</p>
<p>Follow <a href="http://twitter.com/AppSecDC09" target="_blank">@AppSecDC09</a> on Twitter!</p>
<p>Join the event on <a href="http://www.facebook.com/event.php?eid=131893746514" target="_blank">Facebook</a>, <a href="http://events.linkedin.com/OWASP-AppSec-DC-2009/pub/85151" target="_blank">LinkedIn</a>, or <a href="http://upcoming.yahoo.com/event/4207188/" target="_blank">Upcoming</a>!!</p>
<p>If you can, publish the event to your profile on whatever service you use, and tell your friends!</p>
<p>Look for more announcements soon. Next week, we&#8217;ll be highlighting some of the training options, and talking about what&#8217;s going on with our panels and some of our other events.</p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=270</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Podcast Love</title>
		<link>http://onelittlewindow.org/blog/?p=267</link>
		<comments>http://onelittlewindow.org/blog/?p=267#comments</comments>
		<pubDate>Thu, 01 Oct 2009 21:11:39 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[OWASP]]></category>
		<category><![CDATA[OWASP AppSec]]></category>
		<category><![CDATA[podcast]]></category>
		<category><![CDATA[web people]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=267</guid>
		<description><![CDATA[I (among others) am appearing in a few podcasts this week. Amrit Williams interviewed me for his &#8220;Beyond the Perimeter&#8221; podcast, where in several parts I discuss AppSecDC, OWASP, and web application security. The first of these is up today, the others will follow next Tuesday and Thursday. BTP is also on iTunes. Jim Manico, host of the wildly successful OWASP podcast, was nice enough to have a bunch of us over for some friendly banter about security inside the beltway a while back. You can hear that as of today, or if you subscribe through iTunes, you can get ...]]></description>
				<content:encoded><![CDATA[<p>I (among others) am appearing in a few podcasts this week.</p>
<p><a href="http://techbuddha.wordpress.com/" target="_blank">Amrit Williams</a> interviewed me for his &#8220;<a href="http://blogs.bigfix.com/beyondtheperimeter/" target="_blank">Beyond the Perimeter</a>&#8221; podcast, where in several parts I discuss <a href="http://appsecdc.org" target="_blank">AppSecDC</a>, <a href="http://www.owasp.org">OWASP</a>, and web application security. The <a href="http://blogs.bigfix.com/beyondtheperimeter/2009/09/29/episode-53-web-applications-need-security-too-part-1/" target="_blank">first of these is up today</a>, the others will follow next Tuesday and Thursday. BTP is also on <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448" target="_blank">iTunes</a>.</p>
<p><a href="http://www.manico.net/">Jim Manico</a>, host of the wildly successful <a href="http://www.owasp.org/index.php/OWASP_Podcast" target="_blank">OWASP podcast</a>, was nice enough to have a bunch of us over for some friendly banter about security inside the beltway a while back. <a href="http://www.owasp.org/index.php/Podcast_42" target="_blank">You can hear that as of today</a>, or if you subscribe through <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012" target="_blank">iTunes</a>, you can get it <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012" target="_blank">there as well</a>. This features myself, Matt Fisher of <a href="http://www.piscis-security.com/" target="_blank">Piscis Security</a>, <a href="http://sintixerr.wordpress.com/" target="_blank">Jack Whitsitt</a>, Dan Philpott of <a href="http://fismapedia.org/index.php?title=Main_Page" target="_blank">Fismapedia</a> and <a href="http://www.guerilla-ciso.com/">Guerilla-CISO</a>. <a href="http://www.guerilla-ciso.com/archives/author/admin" target="_blank">Mike Smith</a> of <a href="http://www.guerilla-ciso.com/">Guerilla-CISO</a> just missed us, and will be on another episode coming out soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=267</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>AppSec DC 2009 &#8212; Interview w/ NovaInfosecPortal</title>
		<link>http://onelittlewindow.org/blog/?p=262</link>
		<comments>http://onelittlewindow.org/blog/?p=262#comments</comments>
		<pubDate>Fri, 11 Sep 2009 15:27:14 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=262</guid>
		<description><![CDATA[You may have noticed a lot of blank space here recently. Most of that is due to focusing on the upcoming national OWASP conference, AppSecDC. I recently was interviewed by Erin Paquette of NovaInfosecPortal about the upcoming AppSec DC conference. The italics are me. The original article is here. NovaInfosecPortal has been nice enough to let me reproduce the interview on this blog as well. What can people expect from this year’s AppSec compared to previous years? AppSec, like a lot of OWASP and Web App Sec in general, is still growing into full maturity. This year’s AppSec will be ...]]></description>
				<content:encoded><![CDATA[<p>You may have noticed a lot of blank space here recently. Most of that is due to focusing on the upcoming national OWASP conference, AppSecDC.</p>
<p>I recently was interviewed by Erin Paquette of <a href="http://www.novainfosecportal.com/" target="_blank">NovaInfosecPortal</a> about the upcoming AppSec DC conference. The italics are me.</p>
<p>The original article is <a href="http://www.novainfosecportal.com/2009/09/09/interview-about-appsec-dc-with-owasps-doug-wilson/" target="_blank">here</a>. NovaInfosecPortal has been nice enough to let me reproduce the interview on this blog as well.</p>
<p><strong>What can people expect from this year’s AppSec compared to previous years? </strong></p>
<p><em>AppSec, like a lot of OWASP and Web App Sec in general, is still growing into full maturity. This year’s AppSec will be the biggest conference that OWASP has done to date, and probably the biggest Web Application Security conference in the world. Bigger is not always better, but I think that the size and scope this year have allowed us to get a real wealth of speakers and talent to take part in this event. The conference itself hasn’t been influenced by events in Washington, so much as current events influenced the choice by OWASP to have the event IN Washington itself. The OWASP board charged us with creating a quality conference, which they would have done regardless of location, but they especially targeted the DC Metropolitan area because of the many things that OWASP has to offer to the federal government, combined with the rapidly emerging importance of Web AppSec to the federal space at the same time.</em></p>
<p><em>Cyber Security is a big concern across the boards inside the beltway, but let’s face it — network security is a more mature field. There are more solutions and people ready to provide those solutions on that front, whereas the Web App Sec field is still somewhat immature in the federal space. Thus an organization such as OWASP that is developing practical tools and guides that can be used to build solutions for little or no cost in that space is invaluable to the government . . . if the government is aware that it is there, and how it can be utilized. We really hope that a lot of federal decision makers, at high and low levels, take advantage of the opportunity of having OWASP’s national gathering right in the middle of DC, so they can become acquainted with what we have to offer.</em></p>
<p><strong>Is AppSec still looking for volunteers? If so, what do you need the most help with, and how should people go about getting involved?</strong></p>
<p><em>AppSec is always looking for volunteers. OWASP is a non-profit, and aside from specific vendors hired to come in and fulfill some contracts (such as catering), almost none of the people working the conference from the OWASP side will be paid. We are doing it because we are passionate about what OWASP stands for, and because we want to pull off an excellent conference. We’ll need help to do that, and are looking for equally passionate people to help out.</em></p>
<p><em>What we mainly need is people to staff the days of the show: Obviously, this is a trade off, because if you are working the show, you will miss out on part or all of the content that attendees get to appreciate, but you will be helping the event happen, and without that, no one would get to see the content. All of the organizers and our “Arch Minions” as we have taken to calling them (lead volunteers) are willing to make that sacrifice. However, we will have many positions that need filling that can be staffed for part of the conference, and we invite people who want to help out, or who want to see only part of the conference on the cheap to sign up and help make this event happen. You’ll get the opportunity to see some of the talks, and work the rest of the event. We’ll need folks for registration, badge checking, speaker and trainer assistance, facilities liaisons, and much more. If you are interested, you can contact myself or one of the other organizers via our OWASP emails (fairly easy to dig up), or by emailing infoATappsecdcDOTorg.</em></p>
<p><em>Another thing we will always need more of are sponsors. Sponsorships are important to the depth of our conference. Without sponsors, we can still provide the fundamental conference, but sponsorship dollars help OWASP and help us put on a better conference, with more perks and benefits for the attendees, which make for a more enjoyable overall experience. So every additional sponsor we sign up will add to the quality of the experience for everyone attending. If you are interested in sponsoring, or know an organization that would be a good fit, please <a href="http://www.owasp.org/index.php/Main_Page">contact us</a>.</em></p>
<p><strong>While AppSec places a heavy focus on people who are already in the field, you also make AppSec open to students. What do you hope college students in particular will get out of AppSec, and how do you think it will influence them when they graduate and enter the field?</strong></p>
<p><em>The biggest thing I think that anyone wants to get out of a conference like AppSec is to learn new things, and interact with other people who are knowledgeable in their field. I think that that is also a lot of what drives students in any discipline, and AppSec will provide an excellent learning environment to properly motivated individuals. My hope is that we will attract people who are developers and are curious about security, or people who are studying a standard IS/IT/IA track and want to learn more about application security. One of the most powerful people for making effective change in application security in any organization is a security conscious developer. Right now, that’s a rare animal, but someone who has development skills and security knowledge has the best of both worlds, and is in a very good position to look for great career opportunities, even in a “down market.” My hope is that we can take people who are aware of the concept of security, but haven’t really prioritized it, and make them re-evaluate how important it is, and eventually just include it in how they go about creating applications in the future. That’s the ultimate goal of Web App Sec, really — having a world where all developers are security conscious, and security is considered from the first inkling of putting a project together.</em></p>
<p><em>Recently, Mark Bristow (another organizer) and I gave a talk at the DC PHP Users Group on Web Application Security 101, and how the OWASP Top Ten applied to it. We got a fairly warm reception, and I felt good about it. But a week or so later, I was at a store near the University of Maryland College Park campus, and someone stopped me coming out the door. It was a person who had seen the talk at the DC PHP group — but was also a CS student at Maryland. He was really excited about the talk, and really wanted to know more, and to attend the conference. That made me feel much better than just “good” — that one bit of outreach had possibly taken someone who was going into the field of application development, and made them aware of something that could reshape their entire career for the better. We had made them start to prioritize security in what they did, and having them be excited about it on top of it. That’s awesome! I think that’s why we want to encourage students, and that’s what they can get out of it above and beyond what they learn at the training or talks.</em></p>
<p><strong>In the press release for this year’s AppSec, you say “AppSec DC is a unique opportunity for federal decision makers and key technologists to become familiar with OWASP and the resources it has to offer.” AppSec has a heavy mix of both private and public sector speakers this year. Why do you feel it is especially timely for the private and public sectors to learn where each other is coming from?</strong></p>
<p><em>One of the things about Web Application Security is that it’s a really big problem to try and solve. It affects everyone who uses the internet, and potentially even those who don’t. At a time where the government is trying to tackle the gigantic issues of protecting National Critical Infrastructure and securing IT resources across the government, the main access method to both control of infrastructure and information (i.e. the “Web”) is the most important thing to focus on. Only by working together and collaborating will we be able to make inroads on this massive problem, and both sides have resources that the other does not.</em></p>
<p><em>If we wait for the government to figure out all the expertise that has been developed in the private sector, or if we wait for the private sector to have the reach and impact of the government, we’re doomed. However, if the government reaches out to the public and private companies and groups (such as OWASP) who are already focused in this area, it can be a winning situation all round. The government (and the citizens!) of many countries, not just the United States, can have more confidence in the stability of their infrastructure and their government resources, while the governments provide growth opportunities for companies and organizations that provide the expertise. I think that every day we do NOT have this sort of collaboration in place is one where we get further and further away from the constantly moving target of creating more secure web applications for all walks of life.</em></p>
<p><strong>You also go on to say that, “OWASP’s mission and community align closely with the goals set forth by the US Chief Information Officer: transparency, engagement of staff, reduction of cost, and innovation in technology. OWASP can enable the government to attain these goals in the pursuit of securing critical technologies that depend on the web.” Which tracks at this year’s AppSec would you recommend for government employees who want to reach the goals you outlined?</strong></p>
<p><em>It really depends on the employee’s role within the government. I like to feel that we have something for everyone. For those who are new to OWASP, and/or those who focus on high level decision making, we have several tracks that talk about some of our core ideas, as well as steps to apply security at a process or management level. Tracks such as the OWASP and the SDLC track on the first day, and the Process, Metrics, and Compliance track on the second day all have a wide variety of talks that will provide value to decision makers, managers, and development team leaders, or anyone who wants to get an overview of how you can apply good web application security practices to your organization’s current efforts. Conversely, we’re not letting our technical specialists down. The Tools track, the Web 2.0 track, the OWASP track, The Attack and Defend track, and pieces of all the other tracks will appeal to engineers who are developing or attacking applications and want to know what’s new and on the cutting edge. A large number of our speakers are experienced presenters, with previous talks at AppSec, Black Hat, Defcon, Shmoocon, and others under their belts.</em></p>
<p><strong>Do you feel that some of the training courses offered on the 10th and 11th would be good for government employees who want to learn about application security more deeply, but might not have a technical background?</strong></p>
<p><em>Again, it will depend on their role. We have good courses for technical and non-technical people who are interested in Web App Sec. For leaders and managers, we have the Threat Modeling Express course from Security Compass, and Leading the Development of Secure Applications from Aspect Security. Both of those courses are designed for non-technical decision makers, and both are being taught by experts from top companies in the field. If an attendee is interested in learning a bit more about the technical process, we have a variety of courses that deal with “how to learn to test” in various arenas, such as the Samurai Web Testing Framework class from Inguardians, and the Applying the OWASP Testing Guide with the OWASP Live CD course taught by Matt Tesauro (creator and project lead on the Live CD). These courses will probably require a little more technical knowledge, but will teach some of the fundamentals of how to test a web application and walk users through some of the steps involved in the process.</em></p>
<p><strong>And lastly, what would you say to those who are still sitting on the fence about attending AppSec? </strong></p>
<p><em>I’d say that this is a great opportunity for everyone interested or affected by Web Application Security, but especially those located near Washington DC. DC has a huge population of people who are interested in security, and an even bigger population who should be and are affected daily by decisions that are made (or not made) regarding security. AppSecDC offers a very inexpensive, extremely valuable learning and networking opportunity which is unlike anything else ever offered in the District. If you are not from DC, it’s a chance to come and see the infosec climate in the Nation’s Capital, and interact with government employees and those who work with them, at the same time listening to and learning from some of the top minds in Web Application Security from around the world. This is the biggest OWASP event, and likely the biggest Web Application Security Event ever held. Considering the price tag (especially with OWASP membership discount and early bird registration discounts), it should be a very simple decision when you see the value that you will get for your investment.</em></p>
<p><em>As an additional incentive to out of towners, our location is right in the middle of downtown at the Walter E. Washington Convention Center, and our host hotel, the Grand Hyatt Washington has been nice enough to extend our convention rate through the weekend, so if you are coming in from out of town, you can stay the weekend and see the sights of the nation’s capital as well.</em></p>
<p>Please go check out the AppSecDC Website at http://appsecdc.org , and let me know if you have any questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=262</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CapSec and OWASP DC</title>
		<link>http://onelittlewindow.org/blog/?p=257</link>
		<comments>http://onelittlewindow.org/blog/?p=257#comments</comments>
		<pubDate>Tue, 28 Jul 2009 16:58:19 +0000</pubDate>
		<dc:creator>Doug Wilson</dc:creator>
				<category><![CDATA[CapSecDC]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[web people]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://onelittlewindow.org/blog/?p=257</guid>
		<description><![CDATA[CapSec&#8217;s &#8220;Not at Black Hat&#8221; Edition is tomorrow night at Stetson&#8217;s. You can come down and pretend you&#8217;re at the reception &#8212; the drinks are more expensive but the food is cheaper (if you consider the cost to get in the door). CapSec DC Wednesday July 29th 5:00 PM Stetson’s 1610 U St NW Washington DC 20009 Next Wednesday, OWASP DC will be having a chapter meeting at GWU. Dan Cornell of the Denim Group will be speaking on Vulnerability Management in an Application Security World, and Mike Smith of Deloitte will be speaking on SCAP and integration with Web Application ...]]></description>
				<content:encoded><![CDATA[<p>CapSec&#8217;s &#8220;Not at Black Hat&#8221; Edition is tomorrow night at Stetson&#8217;s. You can come down and pretend you&#8217;re at the reception &#8212; the drinks are more expensive but the food is cheaper (if you consider the cost to get in the door).</p>
<p><a href="http://upcoming.yahoo.com/event/3082240/" target="_blank"><strong>CapSec DC<br />
Wednesday July 29th 5:00 PM</strong></a></p>
<p><strong><a href="http://www.washingtonpost.com/ac2/wp-dyn?node=cityguide/profile&amp;id=792265" target="_blank">Stetson’s</a><br />
<a href="http://maps.google.com/maps?q=1610+U+St+NW+Washington+DC+20009&amp;ie=UTF8&amp;oe=utf-8&amp;z=16&amp;iwloc=addr" target="_blank">1610 U St NW<br />
Washington DC 20009</a></strong></p>
<p>Next Wednesday, OWASP DC will be having a chapter meeting at GWU. Dan Cornell of the Denim Group will be speaking on Vulnerability Management in an Application Security World, and Mike Smith of Deloitte will be speaking on SCAP and integration with Web Application Security. I&#8217;ll also be giving an update on the upcoming AppSec DC 2009, which is only a few months away now!</p>
<p><a href="http://upcoming.yahoo.com/event/4129351/" target="_blank">OWASP DC August Meeting<br />
Wednesday August 5, 2009 at 6:30pm</a><br />
George Washington University, Duques Hall Rm 553D<br />
<a href="http://maps.google.com/maps?q=2201+G+St.+Washington,+District+of+Columbia+20037&amp;oe=utf-8&amp;client=firefox-a&amp;ie=UTF8&amp;split=0&amp;gl=us&amp;ei=5C1vSuWTOJW8NrPXgdUI&amp;z=16&amp;iwloc=A" target="_blank">2201 G St.<br />
Washington, District of Columbia 20037</a></p>
]]></content:encoded>
			<wfw:commentRss>http://onelittlewindow.org/blog/?feed=rss2&#038;p=257</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
