Author Archive

Uncategorized

Crosby Park

Yesterday I took Owen to Crosby Regional Park along the Mississippi River (satellite photo). We’ve been going for walks along the river since he was born, and Crosby is one of my favorite spots, a pleasant wooded oasis in an urban setting. You don’t have to step far from the road before you feel like you’re deep in the woods. On, granted, a well-maintained and usually paved trail. :) I wanted to make it there a couple times this spring before the mosquitos are out — ’cause once they’re out, they’re everywhere. It’s something of a perfect breeding ground.

We had just started walking around the lake when Owen suddenly sat in the plants at the edge of the trail. Poison ivy, of course, but I foolishly didn’t realize it until a minute or two later when he asked, “Why does my arm hurt?” Sure enough, he had a rash. Poor guy. He was a real champ, though, and didn’t scratch or even rub it once I told him that doing so would make it worse. We had to cut our walk short, but he’s eager to go back soon.

Uncategorized

Hennepin County Library RSS

The Hennepin County Library system has RSS feeds, including personalized feeds for items out and holds. Great! Now I don’t have to write this myself. See? Laziness pays off once again.

And by subscribing to their news feed, I discovered that they’re offering Firefox on library computers now. I’m telling you, someone there is paying attention. I should track them down and shake their hand.

Uncategorized

Quick Links

A few recent items of note from my del.icio.us links that I think merit calling out.

Damien Barrett writes up a few quick reviews of Mac OS X antivirus software. ClamXav looks good.

Michael Howard writes about his recent spyware experience. Which reminds me: please, please don’t always be logged in as an administrative user. This is true no matter what OS you’re using. If you’re using Windows, here’s some advice on how and why. I recently paid attention to my own advice and took away admin rights from the account I usually use on the iBook. Haven’t had any trouble.

PZ Myers, one of my favorite bloggers right now, calls out the National Center for Science Education’s answers to the sadly misleading Ten Questions to Ask Your Biology Teacher.

OWASP.Net, OWASP with a .NET focus.

Catalyst, an MVC framework in Perl. Cake, a framework in PHP. Rails is having such an interesting effect.

At some point I might just get off my duff and combine my RSS feeds. It’ll take all of 10 minutes, for crying out loud.

Uncategorized

Yet Another Conference I’m Missing

I finally came to grips with the realization that I won’t make it to YAPC::NA this year, which is a damn shame because it’s incredibly cheap (US$85 for 3 days! decent rooms at CDN $79/night!) and would be a great chance to go to Toronto, and I do so terribly miss living and breathing Perl. That’s bad enough.

Then, what arrives in the mail today? A brochure for a week-long workshop on studying medieval manuscripts up at the Hill Museum and Manuscript Library.

The Minnesota Manuscript Research Laboratory is a project developed by the Center for Medieval Studies (CMS) in the College of Liberal Arts at the University of Minnesota ― Twin Cities, in collaboration with the Hill Museum and Manuscript Library at St. John’s University, Collegeville.

The Laboratory’s objective is to make available to interested and qualified graduate and undergraduate students and others who are interested an orientation to the study of medieval manuscripts and their contents.

To this end, the Laboratory is developing a coordinated sequence of learning materials, which it proposes to make available on-line: for example, through websites maintained by CMS and HMML.

During the week beginning Sunday, June 5 and ending on Friday, June 10, the Laboratory will hold a workshop to help its designers test the pedagogical effectiveness of various new materials and to give participants a practical, hands-on introduction to the study of manuscripts.

This is the sort of thing that leaves me hyperventilating with excitement. Seriously. And I can’t go. If I had more than a month’s notice, if I’d budgeted for it this summer, if I weren’t years out of touch with this sort of study, if I didn’t think that a week away from the family were a bad idea so shortly on the heels of 4 days away, if I weren’t so good at making up excuses, then maybe I’d go. But alas, it’s not in the cards.

I really have to plan to do something like this next year. The Center for Medieval Studies is always putting on cool events like this. And YAPC. Gotta remember YAPC.

Security

Web App Security presentation

My web application security testing presentation at the MnSCU IT Conference last week went alright, though not as well as I’d hoped. For all I know I’m the only one who was disappointed, though, and that’s because I had too-big plans for it. It could have been improved by cutting about 20 minutes of content and planning for more audience interaction: stepping through a threat modeling session, for example, or trying live pen-testing. This was indeed what I intended, but it didn’t pan out. I spent a lot of time preparing for the talk — reading, thinking, hacking — but in the end gave inadequate attention to actually prepping the talk itself, especially being ruthless about what did and did not end up being included. At least I had handouts this year, although I’m already catching heat for my refusal to share the presentation slides. I maintain that the slides are useless outside the context of the talk itself, though that may just be arrogance on my part.

Out of this, two resolutions:

  • In my Copious Free Time, I will put together presentations to have them ready and to give myself time to hone their delivery. I already have a list of topics, so I’m on the way.
  • I will write more about security here, starting by turning my presentation into a couple articles. Expect them in a week or two, depending on how often I can wrest the laptop away from Kiara.

I expect that I can make good on these without too much trouble.

The conference itself was good. No breakout sessions really stood out as fantastic, life-changing events, which is a shame. The best part was probably long conversations with colleagues, something for which there’s never opportunity at the office. (It’s funny how talking about early Christianity and the process of how texts enter the canon tends to drive others from the breakfast table. :)

I came back from the conference exhausted and a week behind in my reading. Somehow I expected to be able to sleep and read a whole lot more than turned out to be possible.

Update: I’ve posted my presentation notes.

Uncategorized

No Tiger, no Hitchhikers, still okay.

Tiger was released Friday, but I don’t have it yet. Soon. Owen and I did drop by the Apple Store at Roseville, though, to take in the hubbub. The line was longer than what Garrick saw but still nothing like at the Mall of America store — which is a large part of why I was not at the Mall. I’ll go there for midnight releases to take part in the excitement, but not one that doesn’t feel any different than just dropping by the mall. We in line were still subject to strange looks from people who just can’t understand. Heh.

And Hitchhikers. I fully intended to be there opening day, but realized too late that Kiara was working Friday night and we hadn’t arranged a sitter for Owen. So I think it will be next week before we see it. Sigh.

Uncategorized

Serenity Trailer

There’s a bunch of new stuff on the Serenity web site, including links to the trailer. Wow, am I excited. I’m more excited about this movie than Episode III and Hitchhikers, maybe combined. Kiara and I rented Firefly a short while back, and damn was that fine TV! The movie looks like it’s going to be fantastic.

Update: A downloadable 1280×544 trailer is available.

Uncategorized

Governor orders audit of all state web sites

Minnesota governor Tim Pawlenty has ordered an audit of all state web sites (registration required, see BugMeNot.com). This is in response to the audit findings I wrote about last night.

Wow. A bold and necessary step, but probably an unfunded mandate. This will make the governor look good, but I am worried that the audit won’t have nearly the resources that it needs to be done properly — and that it will result in knee-jerk overspending such as hiring consultants for quick fixes. We don’t need quick fixes, we need software development processes that incorporate security planning and assessment. On the bright side, I’m willing to bet that where there are security problems, addressing a few issues (quick fixes) will have big impact on existing apps, so a deep audit won’t be necessary. Low-hanging fruit and all that.

There are at least a couple things preventing more secure development: apathy and lack of funding. I say apathy because security is something to which people pay lip service but do not even attempt to understand. Because of that, it’s easy to point to a lack of resources to address security properly. Developer training is sadly lacking (this is true throughout the industry, and we do a terrible job integrating security in computer science curriculum) and security is not addressed throughout the development lifecycle — which ends up being more expensive.

I’ll write a lot more about this later. Were I not putting the finishing touches on handouts for next week’s presentation, I’d write more now.

Uncategorized

More RSS in government

A couple feeds I’ve recently discovered:

Cool. We need more of that.

Uncategorized

State agency web site insecure, shut down.

Minnesota Driver and Vehicle Services took down their web site for online license tab renewal in response to a Legislative Auditor’s report sharply criticizing the lack of security in the site. The report is less than kind.

Good. This should be a wake-up call.

The report centers around the fact that DVS did not address findings and recommendations in a 2001 audit. There was no security program in place, and the documentation and processes needed to support secure software development and deployment were inadequate. The system was found to be vulnerable at several levels: not just the application code, but network and database access as well. I credit DVS for shutting down the site and can commiserate with their lack of resources to address the problem. State government budgets are being cut right and left, and like it or not intangibles like security are often the first victims. Taking the site down might just make it seem a bit more real.

For me personally, the timing of the audit report could not be better. On Tuesday I’m delivering a presentation about web application security to college and university IT staff from throughout the state. My focus is on integrating security throughout the software development life cycle. I’ll be touching on topics such as developer training, security requirements, misuse cases, threat modeling, code review, penetration testing, maintenance and monitoring. It will be nice to have this audit report to bolster my message. And it’s clear that upper management is standing up and taking notice.

A final note. Chris Buse, an auditor who worked on this review, stopped through our offices a couple months ago and poked his head in on a web team meeting. “Say,” he asked, “are you familiar with the OWASP Top Ten?” Coincidentally, we had just been talking about it, so to my enormous gratification everyone around the table nodded their head with an air of “oh yeah, that’s old hat.” It isn’t, but we’re getting there. The projects we’re working on now, apps that will be rolled out this summer, are in good shape. I am so much more confident than ever before about the state of security in our current web development. It’s a good feeling.
