I arrived in Austin Sunday night to get ready for a factory tour on Monday, a kickoff dinner and then two days of briefings from Dell executives, including Michael Dell himself! Dell’s ISG business is growing at a very fast pace and continues to build momentum and focus within the broader organization.

We had a nice overview of the product roadmap, including some of the exciting enhancements Dell is making to their storage products such as the MD3000 and the new EqualLogic PS5000 series iSCSI solutions.

I really enjoyed the Council meeting and it reminds me all over again; what I admire about Dell is the way they and Michael Dell himself stay close to the customer. The entire purpose of this event is to “get it right” and determine meaningful ways to embrace change (including change in the manufacturing process) in order to make their customers more successful. Ah shucks, you may say that all companies behave this way… well I must tell you that is not true and at times, I find it difficult as we continue to grow to stay as close as I would like to all of our customers varying needs and directions.

This concept of gathering, internalizing and embracing customer feedback is a simple principle of Business Success stories. Always trying to improve the pace of change and build meaningful sticky relationships with customers. Dell’s very successful Ideastorm site where customers post product feedback and are active participants in the Dell community is a great example of how to do this right. No other hardware vendor that we have worked with or attempted to work with has ever gone to the extent of embracing change that Dell has during our 5-year relationship.

From the custom factory integration services to the attention to detail in the order and manufacturing, and logistics processes, Dell helps us execute for our customers and I must admit that we could not have built the business as quickly or efficiently without Dell!

So thank you Michael Dell for building a business that embraces change and is focused on helping your ISG customers succeed.

I also went by the speaker lounge to check in and meet up with my co-speaker for my Wednesday session and we were able to make some good progress on slides (yes, they were due weeks ago, but we'll be tweaking them up to the last minute, not doubt).  We also requested permission to film our session with my camera - this is apparently something that is possible, but you have to ask ahead of time - luckily, we got good guidance on this from the good Mandy Schu, our speaker manager.

At 6:00PM, we went down to the reception and, I must say, my first impression for this year was very good.  The show seems bigger and better than ever.  I saw lots of familiar brands and we meandered over by the Microsoft booth, where I ran into Kai Axford, Austin Wilson and a bunch of other Microsoft folks.  After a bit of smalltalk, I set out to accomplish my goals for the evening:

• enjoy the free food and drinks
• work on identifying the common "theme" for RSA this year

Shortly later, as I'm walking by a booth, my ear caught a familiar tune - " naaa   na na    na na... story of my life, story of my life..."  I look over, and yes, there are two security geeks rocking out on Guitar Hero.  Hmm, interesting idea, it definitely seemed to be drawing a crowd.  I wonder why nobody else thought of that.  Five minutes later, after passing 3 Guitar Hero sets, I realized that a lot of people had thought of it.  Play, get high score and win a game system!

So, there it is, the theme of RSA 2008:  Guitar Hero III.

Okay, so that may not be the security theme for the show, but it certainly seemed to be a hit with the attendees, judging by the many people stopping to show off their mad (or not so mad) Guitar Skillz.

I'll be checking back in with you midday tomorrow to give my feedback of how the morning keynote sessions go, but if I get some free time, you may see me on the show floor working my way through "Slow Ride" or "Barracuda."

I had an Austin Powers moment today when I opened an email from eSecurityPlanet.com and saw a link to an article called, Feel Vulnerable? Time for Vulnerability Management Tools.  I felt like I had been in suspended animation for years and just woke up. I have not seen an article on vulnerability management in forever and ever. There was nothing earth shattering in this article.  Meat and potatoes VM. That is vulnerability management, not virtual machines.  The fact that VM is more commonly associated with virtualization than vulnerability management in and of itself probably speaks volumes.

Just last week at the Infosec World conference I had remarked to some folks that walking the show floor I did not see one vendor using the term vulnerability management in their signage.  Even some companies that are plainly in the VM space such a nCircle and Qualys, are using risk management and similar terms to describe what they do. So why has vulnerabiity management fallen out of disfavor?  Is it any less important?  In the words of "The Shagadillic One", do they think it ain't sexy? That may be it.  It is not sexy or trendy anymore.  I remember going to RSA a few years ago and every vendor had some strategy around vulnerability management.  I will be looking at this years show and report how many times I see the VM word.

So what is it about the security world.  Do we collectivley have the attention span of a flea. Do security tools go from golden to rust that quickly?  Why are we constantly searching for the next great thing but seemingly at the expense of the last great thing.  Wouldn't it be nice to see something through and make it really work before we rush on to the next one.

I had an Austin Powers moment today when I opened an email from eSecurityPlanet.com and saw a link to an article called, Feel Vulnerable? Time for Vulnerability Management Tools.  I felt like I had been in suspended animation for years and just woke up. I have not seen an article on vulnerability management in forever and ever. There was nothing earth shattering in this article.  Meat and potatoes VM. That is vulnerability management, not virtual machines.  The fact that VM is more commonly associated with virtualization than vulnerability management in and of itself probably speaks volumes.

Just last week at the Infosec World conference I had remarked to some folks that walking the show floor I did not see one vendor using the term vulnerability management in their signage.  Even some companies that are plainly in the VM space such a nCircle and Qualys, are using risk management and similar terms to describe what they do. So why has vulnerabiity management fallen out of disfavor?  Is it any less important?  In the words of "The Shagadillic One", do they think it ain't sexy? That may be it.  It is not sexy or trendy anymore.  I remember going to RSA a few years ago and every vendor had some strategy around vulnerability management.  I will be looking at this years show and report how many times I see the VM word.

So what is it about the security world.  Do we collectivley have the attention span of a flea. Do security tools go from golden to rust that quickly?  Why are we constantly searching for the next great thing but seemingly at the expense of the last great thing.  Wouldn't it be nice to see something through and make it really work before we rush on to the next one.

A huge chunk of why I started this site was for my own testing. I wanted to learn on a site that I controlled completely. That works great if you’re a guy like me, who’s already been in the web space for well over a decade. But for people who are either new, or are shifting their interests from some other area of security, the web space is highly complex and deep. So herein lies the second reason I started this site. I wanted a place where I could teach people what I know. Call it altruism, call it wanting a sanity check on my own thoughts, but here we are, 2 years and 20,000 visitors a day later and things have changed.

I’m ultimately troubled by the fact that there are so many people out there who are in every way smart but are only in web application security because they have fallen into it, for whatever reason, and now are trying to play catch up with guys like us. I feel like there is a huge gap of knowledge out there, and I feel like there is a lot that I could share with people given enough time. A one hour speech isn’t enough time. It’s barely enough time to gloss over a topic, let alone go down to any level of detail that would allow someone to think they are proficient in a topic. I really feel like I could share a lot more of what I know to a willing participant if we made it a week long course. So that’s what I did.

I’m going to be offering a week long course that I am dubbing The Austin Project. The goal of the project is to get a group of likeminded people who are interested in talking about and learning more about web application security from yours truly. Honestly, I just feel like there’s a lot more I can talk about in a week’s time than I could ever cover in a series of blog posts, especially because in an intimate class it is far easier to communicate.

So I will be inviting five people to fly in and stay for five days. No cell phones, no computers, no distractions - just talking webappsec. I attended an invite only conference of this format before and it worked great, where the only open computer was the one operating the projector. Being off the grid really helps people focus. Everyone will sign non disclosure agreements so people can talk freely about problems they are concerned with without having to worry about it getting out. There will be eventual outputs from the classes, but they will be discussed only with people who attend. Days will be spent talking about webappsec, nights will be spent with me in downtown Austin, visiting the local nightlife and probably talking about webappsec some more. My goal is not to make myself the grand leader of a group of five people who are webappsec gods, but rather, build a collaborative group of people who change their way of thinking and come out of it with the knowledge on how to fix their little slice of the Internet.

I’m just not scalable, and while the blog has been a great conduit for sharing some of my ideas, it’s clear to me that people just aren’t getting the value out of it that they could in another format (I guess you get what you pay for, as this site is free!). It turns out I just have a lot more to say than I put on this site. That became apparent today when I started chatting with someone about a specific web application flow. It took me ten minutes to explain some of the esoteric nuances to watch out for and I suddenly realized I had never talked about it before on the site, and I probably never would have because I ultimately consider a lot of that stuff to be “the basics” (even though apparently not a lot of people know about it). I usually try to skirt around the basics as to avoid alienating the experts who frequent this site. How would anyone know about the esoteric gotchas if I didn’t talk about it? Well, now is your chance to come ask me. Not that I will just be covering basics - oh no, why come to me for the basics? But this will be your chance to get me to slow down and explain things to you in a virtually one on one environment.

My goal isn’t to get the best of the best and put them in a room together (although if I wind up with a bunch of people who are experts I will build a class specifically for them). The main goal of The Austin Project is to get people who want to learn but are otherwise starved for information. I want to help those people and bring them to the next level, so that they go off and eventually help others and so on. I firmly believe education at this level will help our industry, help us start developing better applications, better strategies, and ultimately will make all our lives better.

This isn’t like most training. There will be no CPE credits (although I’m sure you could convince someone it should count), no class of 40 people, no canned demonstrations. This is just a chance for you to sit with me for a week and talk about whatever it is you want to talk about in an collaborative environment. I don’t want five people from the same company showing up. That’s not the goal here. The goal is for you to meet other people with other problems and work through them together as much as it is to hear from me. Why? Because other people have interesting problems that relate to our industry that you should think about too! I want to facilitate the correct thought process, which is so much more important than me just solving your problems for you. I want to make people into the big thinkers (not just technologists) that this industry needs. I want the participants to build relationships that they can use to better themselves and their careers. Big goals for such a little class!

Anyway, if we wind up with way more than five people who are interested, we can separate the classes into groups, but I have no idea how many people will be interested. I don’t want to go over five people and I don’t want it smaller than that or it would defeat the goal of building a team, so I may actually turn people away if we don’t hit a critical mass. This is just as much an experiment for me as it is for anyone who would attend. I also may turn people away if I think they couldn’t benefit from this - which is why I’ll be asking for a resume from each of the people who are interested. If you have no experience, this isn’t the class for you. If you have been doing this longer than I have, this isn’t the class for you. If you just want to come to the class to heckle me, well, it’s an expensive prank, but it’s your money. So if you are at all interested, check out The Austin Project web-page for the specifics and send your contact information through the form.