20061020

SPICON: Clearing Confusion

Link

In reference to the discussion on ha.ckers.org, regarding my earlier posts:

To clarify - I liveblogged many of the sessions I attended at SPICON. I think RSnake's original post ("it’s a fairly embarrassing read") was mostly in reference to the "advanced" web hacking class. The advanced web hacking class was not advanced at all (IMO, anyhow), but I didn't ask people individually if they learned anything new. But the "advanced" hacking class was only one of two sessions on the first (and optional) day of the conference.

Most of the other sessions I attended had some value. Allen Paller's session was exceedingly interesting, and I failed to do it justice in the blog. Billy's information was probably helpful to some, but not new information for me - but he's quite passionate about what he's finding. When I spoke to Billy afterwards, he confirmed my original thoughts - AJAX doesn't make new vulnerabilities, it just exposes more of the existing ones. And the roundtable with others in the industry was very valuable - although SPI just facilitated the discussion.

And the information I can't discuss - I saw the roadmap and a beta of an upcoming product. The roadmap just showed SPI was moving in mostly the same direction as the rest of the industry, and has some really cool ideas for some of their products - I can't go into details. And I saw a demo of a product going into beta that looks very promising, but again, I can't go into detail.

All that said, I'm sorry I got myself into the middle of this - I'm a fan of the excellence RSnake applies to his work and writing - in my job I use a lot of his references. I admire SPICON for having excellent researchers, and I admire their leadership in the industry to the degree that they were able to secure some of the speakers they did. But if the conference solidified anything for me, my job is secure (unless I stink at it) - there are so many real issues that are engineering flaws that a semantic analysis will never find - regardless of how early in the lifecycle the tool is applied.

0 comments: