September 20, 2005
Microsoft have released a beta version of an Internet Explorer Developer Toolbar. A very nice complement to the ever-essential Mozilla DOM inspector and Chris Pederick's Web Developer extension. I've often wanted something like this when I'm working in IE, now it's here.
September 16, 2005
At Tuesday's OWASP Twin Cities meeting, I learned that DHS is about to launch a new software security portal, BuildSecurityIn. An article in a recent IEEE Security & Privacy magazine describes the portal. I don't subscribe so will be hitting the library this weekend to find what I can before this thing goes live.
September 16, 2005
Tuesday night I went to the first meeting of the Twin Cities chapter of the Open Web Application Security Project (OWASP). We'll be meeting the second Tuesday of every month. It's too early to tell how successful the group will be, but the people there seem dedicated, so I am hopeful.
In attendance was Gunnar Peterson, whose articles on a collaborative secure development process (PDF: parts one, two, three) introduced me to misuse cases and, eventually, threat modeling. Interestingly, of the 10-12 people there, I was the only developer. Everyone else was a security analyst, architect, or consultant. This defied my expectations but not theirs. The developer blogs I read deal with security and build an impression that developers are more concerned with security than is generally the case. Of course, I seek out those blogs in part because they have interesting things to say about security, so that misleading impression is only natural. The developers I work with give consideration to security, but probably not as much as I'd like to think and certainly not enough to drag them out to the Golden Valley library on a Tuesday night. I think, then, that I need to evangelize the new OWASP chapter to the developer communities in which I participate. This will likely mean having meetings on topics of interest to them.
Gunnar brought up a good point, that so often security teams (which have historically been network-focused) point at developers for security problems, but we mustn't forget the architects, who obviously need to consider security as part of the software architecture. This underscores a point that many of us have been saying for years: security needs to be incorporated throughout the development cycle of an app. That's what Microsoft's Security Development Lifecycle is all about, and from everything I've heard they're really taking it to heart.
I'd like to find ways to get involvement in OWASP from all sorts of different groups involved in software development, not only to emphasize the importance of security in those areas, but to learn about these other fields and make connections outside my immediate arena. Software development fascinates me, and not just programming. That's why I distinguish between "developer" and "programmer": to focus exclusively in one area is a death knell for my passion, my career, and perhaps my sanity. This is part of why I've started to be more active in local industry groups like the OWASP chapter. I'm a security-focused web application developer with a penchant for open source and open processes, so it's no surprise that OWASP appeals to me.
I volunteered to give a presentation about the OWASP Top Ten at our next meeting. It's a good introduction to the issues in web application security, of interest to developers, architects, analysts, testers… anyone involved in web application development and deployment. I've given this talk a couple times before, but this time I have some new ideas for presenting the material. So come on out! Tell your friends! We'll be at a to-be-determined location (originally the Golden Valley Library) on Tuesday, October 11, 6 - 8 p.m. Hope you can make it.
Update: I've been told that the library was already booked, so a new location for October's meeting is being sought. Check the OWASP Twin Cities page for updates.
Update, 8 October. Tuesday's meeting is at the Plymouth Public Library, 6 - 8 p.m.
September 14, 2005
When we bought our house last fall, we chose Comcast for phone and internet service. At first we weren't even going to get a land line and just rely on our cell phones, but after Kiara locked her phone in the garage, we decided that for safety's sake we should have a land line. We would have gone with Qwest, since it's a bit cheaper and DSL is fast enough for our needs, but no one we talked to at Qwest could find our address in the system, so they couldn't even provide phone service. Never mind that the house has been there fifty years and Qwest provided service to the previous owners, we weren't in the system and that's that.
So Comcast seemed the obvious choice, both for phone and internet (we didn't want cable TV). A few dollars more expensive, but faster -- and they acknowledge the presence of our house. And tech support was phenomenal the few times I needed to call it, even when they were obviously disappointed and confused by my using a Mac. Really, I felt upbeat after every call. How often does that happen with tech support?
And we were pleased. For a few months, at any rate. Then small annoyances started to add up. We would be without internet service for hours, sometimes days with neither notice nor explanation. No, that's not entirely true: whenever I called, I'd be told it was scheduled downtime. That lasted for days. Downtime happens, I know, but there was an awful lot of it "scheduled." And although I never used the Comcast email address, we got a lot of spam sent to it.
We were also disappointed with the phone number we'd been given. Whoever had had it before, apparently just a few weeks before we inherited it, left a lot of unpaid debts. I kid you not, easily 90% of the phone calls we got were not for us, they were collection agencies after this guy. We just stopped answering the phone. Had we stayed with Comcast, we would have a new phone number, no question, but is it just a coincidence that a coworker who also used Comcast for phone service had the same problem? Probably, but it's an odd one.
This spring, Qwest found our house in their system, and we dropped Comcast right away. We didn't and don't expect that Qwest service will be that much better, but so far it's been fine. No unexpected — excuse me, scheduled outages. My coworkers are aghast that I'd go with DSL over cable modem because it's slower, but I've rarely found that to be a problem. Right now I'm more hampered by the flaky wireless on the laptop than anything else. We're content with Qwest, and we'll stick with 'em for a while. I'm in no hurry to change my phone number again, and now the phone works even if we lose power. :-)
A few days ago, Comcast nailed the lid on the coffin. They sent a bill for long distance calls made in late July and August. There are two problems with this:
1. Billed for calls we obviously never made.
2. The guy I talked to at Comcast was as confused as I. He couldn't even see that I'd been billed at all, or had any charges on my account.
Great. So I'm ignoring the bill for now, and hoping that the customer service guy really did make notes on my account. With my luck, I can just see this going to collections because their accounting system is frelled.
September 11, 2005
Not that these two events are even remotely equivalent, but I don't want to miss them this year: Talk Like a Pirate Day on September 19, and Banned Books Week, September 24 - October 1.