Monday, November 05, 2007

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15

As most of you know that OWASP-WASC AppSec Conference is held in ebay between Nov12-Nov15 including the training sessions. There are very many exciting topics to look forward to in the conference and not to forget the vendor parties at the end of the day. One of the things i am excited about is the panel discussion on Website Vulnerability Disclosure (which i will be moderating). We have some really great people on the panel and i am expecting a great lively discussion as the topic is also a little bit touchy :)

The panelists are
1. Robert "RSnake" Hansen - CEO of SecTheory with his blog at "".
2. Bruce Lowenthal - Director of Oracle Security Alerts Group, Oracle
3. Zulfikar Ramzan - Advanced Threat Team, Symantec;
4. Katie Moussouris - Security Strategist, Microsoft
5. Christopher Ernst - US Secret Service, San Francisco Field Branch.

I am expecting this to be one of the best panel since it is not only a sensitive topic but also since we will have the corporate, hacker and govt/law point of view on the subject.

Since i have been working on the questions to ask during the panel discussion, i thought i will also take others opinion on what kind of questions they would like to be asked. So, if you have any suggestions, please feel free to send me an email or leave them as a comment on the blog.

Do plan to be there as it should be fun. The date/time of the panel discussion is
Nov 15, 16:30 - 17:30

Here is the entire conference agenda

Conference Registration page (if you havent registered already) including the details on the vendor parties


Security Retentive said...

I'd like to know why more companies don't have a vulnerability disclosure policy online. Per my previous posts on the subject a lot of sites don't have any policy, or the policy they have is especially unclear.

Wolf Halton said...

I get about a dozen xss attempts and other hacks performed on my site every month. This is pretty small, really and I am glad of it. I test my own site about every month for vulnerabilities as well. Is there an application that will aggregate logs so I can more easily find the bad ones to block?

I won't be at the conference, I will be speaking on penetration tools at the Dallas SecureWorld Expo next week.