Security OWASP AppSec 2008: Last Day
The last day of the 2008 OWASP AppSec conference in New York City has passed!
Chris and I saw some excellent talks, including one that introduced a tool that actually scared Chris with its effectiveness – but I’ll let him tell that story. One of my favorites was “Agile Development and Security”, which predictably talked about how to develop securely while using the Agile methodology. Although Innova isn’t specifically an “Agile” shop, the talk was still extremely helpful.
Overall, the whole conference was a smashing success! Aside from NYC, which is just plain awesome, the training and various speakers got Chris and me in a security-conscious mindset. The training, for me at least, reinforced a lot I already knew and taught me plenty that I didn’t. The speakers I saw outlined how attackers think, and how to implement the various things we’ve learned in real production environments where everything isn’t milk and honey. We’re identifying places where we can implement these things, and trying to come up with a good presentation to give to the Innova crew and the local OWASP chapter that covers everything.
Tomorrow we’re just going to tour the parts of Manhattan that we haven’t walked around yet, and I’ll be back in town late Friday night! NYC is awesome, and I’ll damn well miss it, but I’m looking forward to the comforts of home!
General OWASP AppSec 2008: Day 3
Today brought us the real meat of the week, conference day one. This is my first industry engagement and I found it quite easy to get registered, figure out where things are happening and understand the lay of the land. Quite a bit happening all at once; three different presentation tracks, a bustling vendor area, many coffee-and-tea stops (which I used frequently!), people moving all around, and just a lot of good energy around the building. To keep this on the lighter side, I’ll bullet out what presentations I chose with a quick comment.
- DHS Software Assurance Initiatives: A thorough discussion on integrating security into the SDLC with government best practices. Keyed me into a lot of materials I’d like to read!
- HTTP Bot Research: This was a great talk on botnets, past, present and future, by shadowserver. A lot of time was spent on the Georgia conflict, looking at the first botnet attack from the U.S. and the second from Russia. I really enjoyed it!
- Get Rich or Die Trying – Making Money on The Web, The Black Hat Way: This was my (and Jon’s) favorite talk. It was a veiled comic presentation that hammers home business logic flaws.
- Using Layer 8 and OWASP to Secure Web Applications: Two of the City of New York’s security guys led this presentation on how they’ve developed their software development policies and practices.
- Industry Outlook Panel: Several big names in corporate security discussed their thoughts on a variety of topics. I really wish it was a double session, 50 minutes wasn’t nearly enough time.
- OWASP Testing Guide – Offensive Assessing Financial Applications: This was presented by a jet-lagged, no-BS Brit who laid out a good testing primer. *cough* We skipped the next hour and a half (nothing we really wanted to hear) to run back to the hotel and grab some great Thai food in the East Village.
- OWASP Live CD: This turned out to be a lot less about the live CD and a lot more about a beta email phishing project loaded into a VM image. It scared the devil out of me; very powerful software. Apparently it scared a few other folks too, as it may not ever get released because it works so well.
Finished the night up with the (ISC)2 cocktail hour (free booze!), and they announced a new certification, the CSSLP. Then we took a walk to Times Square again, which is infinitely cooler at night (duh).
Back in and getting rested for tomorrow. Can’t believe it’s nearly Thursday already!
Goodnight from Grand (street)!
Security OWASP AppSec 2008 Day 2
Final day of training for me! While the first day focussed pretty heavily on the effects of not sanitizing input and not properly encoding output (80% of attacks can be stopped with intelligent application of both), day two focussed on other things:
- audit logging: what to log and when to log it
- unintentionally leaking information
- programmatic checks (think assert())
- authentication and authorization
- session/state management
- cross-site request forgery detection and mitigation
- cryptography
- keeping sensitive information in software (specifically: not doing that)
- operational security
- configuration of applications and environments
- code signing (yeah, nobody does it)
So, much more extensive than day one. There’s a lot to go over in our presentation once we get back to the office, but even without that, this conference is pretty awesome for just getting Chris and me in a security-conscious mindset.
Speaking of which, Chris’ management course was only a one-day affair, so he spent the day wandering around Manhattan: I think his total trip odometer for the day was around 12 miles, not counting the touristy stuff we did after I finished my course up. How he isn’t dead I’ll never know. He’s barely tired! After that we wandered around Little Italy and had a great meal at another Chinese restaurant: New Green Bo! Scallion pancakes are delicious!
And with that, we close on a second fabulous day in NYC! Tomorrow the conference proper starts, and we’re both pretty jazzed to see how that’s going to turn out!
Security OWASP AppSec 2008: Day 1
Jon and I had a great day at OWASP AppSec. For a couple of NYC newbs, we’re getting around really well! Starting at 7:30 a.m., we hopped on the subway for the trip to the Park Central Hotel. OWASP is taking very good care of its attendees, and we got in and settled easily.
The management training was very informative and challenged how I think about security. Coming from a small SaaS firm, I was in the minority, as the training was geared heavily to large organizations. This was excellent because I learned from hardened policies established by industry-leading companies. I took a lot away from the group discussions because many large firms had representatives, but I also felt I was able to provide some insightful “grassroots” knowledge and approaches that working with a small organization affords. The training also provided a nice primer on attack styles, best practices to secure against them, statistics on vulnerability and business effects, and how to “sell” security. Looking forward to putting together the lessons I learned to enhance how we approach current and future security opportunities.
Jon seems to really dig his defensive training; we’ve been chatting and trading ideas back and forth all night. It will be interesting to see what the second day of his course brings.
Personally, we’ve been having a great time experiencing NYC in our off-time. Had lunch at the Carnegie Deli then took a stroll to Times Square. Got our real NYC pizza fix at Arturo’s for dinner tonight, then strolled around for a couple hours just seeing what there is to see. NYC easily makes you feel very, very small!
Cheers from Chinatown.
Security OWASP AppSec 2008: Day 0

So if you didn’t read over at the imebase blog, Chris and I have left the hallowed Innova Offices for a week to attend the OWASP AppSec ‘08 Conference in New York City!
I’m attending the two-day Defensive Programming course, which focusses on developing and maintaining secure web applications. The description sounds pretty interesting, and I’m excited to rock this one out.
Chris is hitting the one-day Leading the Development of Secure Applications course – lengthy title, but it sounds like something that’ll help us all-around. He’s pretty jazzed about that.
Our hotel is pretty close to Chinatown, as the above picture proves. We had a fantastic meal at Joe’s Shanghai; the soup dumplings are just as good as advertised! I’ll be putting more pictures from around NYC and from the OWASP conference on the Innova Flickr Pool shortly.
