My favorite Keynote speaker was far and away Johnny Long.  His talk was on "No Tech Hacking" and he is as entertaining as he is talented.  If you ever get a chance to see him speak, definitely do so.  Also, be sure to check out his website at IHackCharities.org.

My least favorite Keynote speaker was Ken Watson.  He spoke all monotone and the presentation on these centers around the country that the government is using to team up with industry to prevent attacks on critical infrastructure was pretty lame.  I guess I just expected more and from talking with others it seems like I'm not alone.

My favorite presentation was Robert Hansen and Rob MacDougal's talk on "Assessing Your Web App Manually Without Hacking It".  It was a simple concept that everyone from managers to developers to IT guys can follow to get an idea as to how many vulnerabilities their application might contain.  RSnake!

My least favorite presentation was "The Importance of Log Management in Today's Insecure World" by Ricky Allen and Randy Holloway from ArcSite.  Too vendory, not technical enough, and kinda a lame presentation in general.  Maybe I'm just bitter because I heard that the other presentations that took place while I was in this session were really good.

This was the first year that TRISC had a Casino Night and it was awesome.  I played Texas Hold 'Em most of the night and took Nathan Sportsman's money and a bunch of Rob MacDougal's as well.  They had Roulette, Blackjack, and Craps tables there as well and the goal was to start with $10,000 in chips and for every $5,000 you had at the end of the night you got a raffle ticket.  I ended up with over $40,000 and 9 raffle tickets and won three different items.  Score.

Overall, TRISC 2009 was not the best conference that I've ever attended, but was certainly the best TRISC to date.  I was very impressed and am looking forward to next year.  FYI, all presentations from the conference are online and available for viewing here.

1) Prioritize

• You can't "hack" code secure.
• Use risk metrics.

2) Set a useful research agenda

• Don't spend time searching for obscure vulnerabilities
• Create tools that verify that software does the RIGHT thing instead of just looking for problems.

3) Turn application security from a black art to a science

• OWASP in School program
• Translating OWASP Top 10 and various books and projects into other languages.
• Printing guides, books, and manuals for cost of printing.  Free downloads online.

4) We can enable secure coding

• Breaking things is easy, try creating something secure and tell people how you did it.
• Check out the OWASP Enterprise Security API Project
• Increased visibility (software should provide info on who built it, what libraries they used, etc)

5) Make application security into a movement

• Evangelize application security
• Show people what an application security program looks like

Next up was Dave Wichers.  He talked about the OWASP goals of improving quality and support.  OWASP is publishing a "desk reference" guide on application security.  Community outreach is a huge focus of OWASP.  Over 100 chapters around the world.  Dave is the Conference Chair and helps to organize these conferences.  Let him know if you're interested in putting one on.

Tom Brennan, head of NY/NJ chapter and OWASP Board Member starts talking about over 10,000 members on the mailing list and over 120 chapters involved in OWASP effort.  Says you should get involved in OWASP!

Next up is Dinis Cruz, another board member, who says he comes up with all sorts of crazy ideas for OWASP.  Helped come up with the OWASP Grants ideas when the Belgium chapter had extra money in the bank.  OWASP Spring of Code 2007 sponsored 26 projects at $125,000.  Summor of Code 2008 has 31 grants and they are focusing on quality with reviewers, project managers, etc.  OWASP has given out over $250,000 in grants since the Seasons of Code project started.  Then he started talking about the OWASP EU Summit happening in Portugal in 2008 in November.  Nice hotel by the seafront.  Go to meet all of the guys who are influential in OWASP.  Coming up with a bunch of training courses that are completely OWASP related and mostly done by our leaders.  Lots of working sessions to start discussing projects and set the AppSec agenda for 2009.  Five nights at a 5 star hotel for 300 Euros if you share a room or 600 euros if you want a single.  It's a deal!  If you're at the conference, they're giving out free books.

Last up is Sebastian Deleersnyder who compares OWASP to Second Life.  A lot of people doing this as a second job, but it's also a virtual community.  Asks chapter leaders to stand up and everyone gives them a hand.  *pats self on the back*  End of keynote.