We came, we saw, we concurred
Loosely Typed in Ohio

OWASP AppSec 2008 Day 2

Final day of training for me! While the first day focussed pretty heavily on the effects of not sanitizing input and not properly encoding output (80% of attacks can be stopped with intelligent application of both), day two focussed on other things:

  • audit logging: what to log and when to log it
  • unintentionally leaking information
  • programmatic checks (think assert())
  • authentication and authorization
  • session/state management
  • cross-site request forgery detection and mitigation
  • cryptography
  • keeping sensitive information in software (specifically: not doing that)
  • operational security
  • configuration of applications and environments
  • code signing (yeah, nobody does it)

So, much more extensive than day one. There’s a lot to go over in our presentation once we get back to the office, but even without that this conference is pretty awesome for just getting Chris and me into a security-conscious mindset.

Speaking of, Chris’ management course was only a one-day affair so he spent the day wandering around Manhattan: I think his total trip odometer for the day was around 12 miles, not counting the touristy stuff we did after I finished my course up. How he isn’t dead I’ll never know. He’s barely tired! After that we wandered around Little Italy and had a great meal at another Chinese restaurant: New Green Bo! Scallion pancakes are delicious!

And with that, we close on a second fabulous day in NYC! Tomorrow the conference proper starts, and we’re both pretty jazzed to see how that’s going to turn out!

One response

  1. Chris Green Says:

    I thank my wife for bestowing upon me the ability to walk copious distances - when she trains to walk a marathon, I train to walk a marathon! As well, New York is extremely walkable. I’m really digging this city.
