What a ridiculously fun but busy time for me. I’ve had the honor of beating up important applications at work, going to Blackhat, going on vacation in the beautiful OBX, and all the while pursuing lots of side projects during down time. Let’s catch up chronologically:

1. I taught an Advanced Web Application Penetration Testing course at Blackhat. Mostly great reviews from 40 students, but I did have 1-2 people who should not have been there say it “wasn’t advanced enough.” My response (and I don’t mean to poo-poo) is: webappsec, more advanced?! hahahaha. If you’ve been doing webappsec professionally as a consultant 24×7 for 3-4 years, you’re not going to take a class where you’re going to learn a whole lot – I don’t care who’s teaching. If you have a foundation in security principles and look at lots of code and lots of sites, your knowledge intake will start to level off and sooner rather than later you’re going to start to only pick up new or old corner case scenarios. Don’t get me wrong – those corner cases are numerous and valuable and lots of them are covered in the class, but the point of the class was to show you how to get good coverage and perform a professional audit, not a crimeware authoring tutorial. I mean, who would pay for that? I don’t think the RBN isn’t interested in XSS yet.

So, everyone, I have a request: adjust your expectations on the upper bound of general knowledge in webappsec.

For those of you that missed Blackhat: Billy Hoffman wins the best talk award for my money. The most original and useful research condensed into 50 minutes. The big picture I got out of it is: it’s just not possible to analyze JavaScript malware outside of the browser. I don’t think that was his message, but hey, you did too good of a job, what can I say? He might have also come up with a way of reading random browser memory using faux images in JavaScript (with nods to pdp on the method).

Jeremiah Grossman’s talk was extremely entertaining with great delivery (even though there was a bizarre anti-whitebox bullet at the end). Dan Kaminsky was very entertaining, and incidentally broke the entire Internet. RSnake and Tom Stracener were also entertaining (way better than your talk in San Jose, Tom), even if I’m not totally convinced of Google’s already-convicted-in-the-court-of-public-opinion-stance on the redirect issue. Arian Evans did a good job evangelizing on a subject I know very well, but the truth is I know people aren’t ready for it yet.

2. I started the OWASP Intrinsic Security Working Group. We’ve got some modest goals, including fixing the Internet,  increasing saline levels in the Atlantic Ocean, getting Arian a girlfriend, and other monumental but culturally important goals. We’ve already got some early successes which I’ll be talking about here in a while; sometime before the OWASP Minneapolis Mini Conference on October 21st or the OWASP EU Summit in November, both of which I’ll be attending and speaking. Our main problems are momentum and press, if you can help with either, please let us know!

3. Jerry Hoff is releasing version .5 of OWASP AntiSamy .NET, which you can test here. I was really only a collaborator – he did all the work and gets all the credit (and, unfortunately for me, all of the grant money). If you find something (not just an XSS, but a presentation layer attack or even a usability issue), per usual with AntiSamy, you’ll get some props on the test page and a beer/energy drink at the next OWASP/Blackhat event.

4. I’ve also got a few more projects, including a tool that we’re probably going to release at OWASP NYC 2008 and an XSS “easy button” attack generator that is slightly less lame than it sounds. It’ll be a boon for us whitebox testers who don’t want to spend 5 minutes to think of how to bypass yet-another-annoying-but-always-beatable blacklist. This is how I think about it: XSS fuzzing is like having a huge NOP sled or playing pool with slop: it will probably work, but it won’t be very elegant.