February 25, 2005
The MnSCU IT Conference takes place in a couple of months, and I'm gearing up for my presentation. This is a conference for IT staff at our colleges and universities throughout the state, and in recent years it has been the one time when we can get most of the campus web folk in one place. It's also one of the few chances I get to make public presentations, so I jump at it: I'm arrogant enough to think that I have something worth saying. Still, every year when the call for proposals is announced, I wrestle with ideas for what to talk about. In the past I've covered web accessibility, XML, regular expressions, and web application security. This year I considered doing what I did last year (two sessions, one on regex and one on web app security), but decided it was best if I just stick to one presentation and take the time to make it top-notch. Still, in case the opportunity arises, here are the topics I considered proposing:
- Regular expressions. Probably two sessions: an introductory overview and an advanced session covering optimization, debugging, that sort of thing. Evangelizing regular expressions is a sort of mission of mine. I don't understand why more people don't know about them.
- Introduction to web standards. Some of our college webmasters are on top of recent developments, but take a look at the conference site and you'll see why I still think we need to cover this at a very basic level.
- Overview of the OWASP Top Ten Most Critical Web Application Vulnerabilities.
- An hour on any one of the OWASP Top Ten. Each of them deserves at least that.
- Web application security testing. Not just penetration testing, but also working security into the software development process: design and code reviews, threat modeling, and so on. To my mind, that's all part of the testing process.
- Introduction to version control.
- HTTP. I am regularly surprised by how long you can work as a web developer without understanding even the basics of HTTP. Boggles the mind.
- Unit testing & test-driven development. It'll change your life.
- mod_rewrite.
- Ajax web applications. Using XMLHttpRequest.
- Unicode and character encoding.
- Unobtrusive JavaScript (all part of the standards evangelism).
- Threat modeling.
- Cleaning up your (X)HTML. Using Tidy, regular expressions, that sort of thing. More standards propaganda.
In the end I went with web application security testing, because I really think we need to pay more attention to security and I want people to walk away with concrete skills. Testing seemed appropriate. We shall see.