In Application Security Assessment we had sessions on – web security industry, attacks & trends, few security incidents/breaks, change in the attack trend, next generation attacks (sql injection, parameter tempering ..etc), security cycle, root cause of vulnerabilities (programming errors 64% and misconfiguration & other problems 36%), various entry points, tracing, url misinterpretation, handler mismatch, directory browsing, information leakage from errors, mysql errors, source code disclosure, malicious code injection, server side code injections, sql injection/poisoning, XSS, CSFR, session hijacking, injecting fault.

In Web 2.0 Security session included – web 2.0 overview, web 2.0 attack surface, CSFR, XSS, security critical areas, error handling and logging. Discussion mostly revolved around AJAX which could be next popular attacking platform.

All discussions were general and didn’t target any specific projects (like flaws in open source projects ..etc) but very certain that atleast 4 out of 10 would apply to your project. We really liked the examples/tricks that were shown, of course a few looked outdated/old. No doubt soon security assessment will be a major part of development cycle. Attending this session atleast has improved/changed my way of looking at web applications .