Security OWASP AppSec 2008: Last Day
The last day of the 2008 OWASP AppSec conference in New York City has passed!
Chris and I saw some excellent talks, including one that introduced a tool that actually scared Chris with its effectiveness – but I’ll let him tell that story. One of my favorites was “Agile Development and Security,” which, predictably, talked about how to develop securely while using the Agile methodology. Although Innova isn’t specifically an “Agile” shop, the talk was still extremely helpful.
Overall, the whole conference was a smashing success! Aside from NYC, which is just plain awesome, the training and various speakers got Chris and me into a security-conscious mindset. The training, for me at least, reinforced a lot I already knew and taught me plenty that I didn’t. The speakers I saw outlined how attackers think, and how to implement the various things we’ve learned in real production environments where everything isn’t milk and honey. We’re identifying places where we can implement these things, and trying to come up with a good presentation for the Innova crew and the local OWASP chapter that covers everything.
Tomorrow we’re just going to tour the parts of Manhattan that we haven’t walked around yet, and I’ll be back in town late Friday night! NYC is awesome, and I’ll damn well miss it, but I’m looking forward to the comforts of home!
Security OWASP AppSec 2008: Day 2
Final day of training for me! While the first day focussed pretty heavily on the effects of not sanitizing input and not properly encoding output (80% of attacks can be stopped with intelligent application of both), day two covered a broader range of topics:
- audit logging: what to log and when to log it
- unintentionally leaking information
- programmatic checks (think assert())
- authentication and authorization
- session/state management
- cross-site request forgery detection and mitigation
- cryptography
- keeping sensitive information in software (specifically: not doing that)
- operational security
- configuration of applications and environments
- code signing (yeah, nobody does it)
So, much more extensive than day one. There’s a lot to go over in our presentation once we get back to the office, but even without that, this conference is pretty awesome for just getting Chris and me into a security-conscious mindset.
Speaking of which, Chris’ management course was only a one-day affair, so he spent the day wandering around Manhattan: I think his total trip odometer for the day was around 12 miles, not counting the touristy stuff we did after I finished my course. How he isn’t dead I’ll never know. He’s barely tired! After that we wandered around Little Italy and had a great meal at another Chinese restaurant, New Green Bo! Scallion pancakes are delicious!
And with that, we close on a second fabulous day in NYC! Tomorrow the conference proper starts, and we’re both pretty jazzed to see how that’s going to turn out!
Security OWASP AppSec 2008: Day 1
Jon and I had a great day at OWASP AppSec. For a couple of NYC newbs, we’re getting around really well! Starting at 7:30 a.m., we hopped on the subway for the trip to the Park Central Hotel. OWASP is taking very good care of its attendees, and we got in and settled easily.
The management training was very informative and challenged how I think about security. Coming from a small SaaS firm, I was in the minority, as the training was geared heavily toward large organizations. This was excellent because I learned from hardened policies established by industry-leading companies. I took a lot away from the group discussions because many large firms had representatives, but I also felt I was able to provide some insightful “grassroots” knowledge and approaches that working with a small organization affords. The training also provided a nice primer on attack styles, best practices for defending against them, statistics on vulnerabilities and their business effects, and how to “sell” security. I’m looking forward to putting together the lessons I learned to enhance how we approach current and future security opportunities.
Jon seems to really dig his defensive training; we’ve been chatting and trading ideas back and forth all night. It will be interesting to see what the second day of his course brings.
On a personal note, we’ve been having a great time experiencing NYC in our off-time. We had lunch at the Carnegie Deli, then took a stroll to Times Square. We got our real NYC pizza fix at Arturo’s for dinner tonight, then strolled around for a couple of hours just seeing what there is to see. NYC easily makes you feel very, very small!
Cheers from Chinatown.
Security OWASP AppSec 2008: Day 0

So, if you didn’t read it over at the imebase blog, Chris and I have left the hallowed Innova offices for a week to attend the OWASP AppSec ‘08 Conference in New York City!
I’m attending the two-day Defensive Programming course, which focusses on developing and maintaining secure web applications. The description sounds pretty interesting, and I’m excited to rock this one out.
Chris is hitting the one-day Leading the Development of Secure Applications course – a lengthy title, but it sounds like something that’ll help us all-around. He’s pretty jazzed about that.
Our hotel is pretty close to Chinatown, as the above picture proves. We had a fantastic meal at Joe’s Shanghai; the soup dumplings are just as good as advertised! I’ll be putting more pictures from around NYC and from the OWASP conference on the Innova Flickr Pool shortly.
