Yesterday there was a last minute OWASP chapter meeting and 2 presentations by Joe McCray of learnsecurityonline.com. The intro was great: Joe loves hacking, swearing and drinking rum and coke (a.k.a Cuba Libre).
The first presentation was about SQL Injection. Most things Joe talked about where things I already knew but it is always interesting to hear somebody explain how he or she does it, and yes, I've learned new things. I have been to presentations where they had prepared a VM with a vulnerable webapp but not Joe. He did his demo on a live website and enumerated all databases on the webserver. He explained in great detail what kind of injections there are and the conclusion was "Fix your shit". He demonstrated how IDS can help you but is not a silver bullet.
The most important thing I took home from this presentation is that he experienced that not everybody terminates SSL connections, normalized the input and then feeds it to the IDS ... and of course "Fix your shit" :). At the end of the evening we discussed what is the easiest way to get the stuff fixed and his experience was to get vulnerabilities classified as bug by the Quality Assurance people. I think this is a trick I will apply in the future :)
The second presentation was about Web Application Firewalls. I have no experience with application firewalls. I saw some presentations in the past and Joe confirmed what I was thinking about it. It is something to give you some time to "fix your shit" but not the solution.