Archive for the 'Conferences' Category

Conferences, OWASP

Rundown of the Twin Cities’ first OWASP conference

As I’ve mentioned here once or twice, the Minneapolis-Saint Paul chapter of the Open Web Application Security Project put on its first conference on Tuesday. By most accounts, it was a success and we’re likely to have another. I believe there were 150 attendees or thereabouts, which I think is pretty dang good for a few weeks of basic word-of-mouth advertising.

The University was gracious enough to donate the use of the theater in the student center, but we needed somewhere for lunch and were at least lucky enough to be able to stay in the building instead of walking across campus or sending people out on their own. So logistics around the space were a little weird. I spent an hour or so of the morning just directing people to the registration desk on the second floor, then back down for the talks in the theater in the basement (or is it 3rd and 1st floors? whatever). In the end, although it might have seemed mighty strange in the morning, I don’t think anyone minded much.

While I was playing usher, I missed Kuai Hinojosa’s introduction and the first part of Jeff Williams’s presentation, but I did make it down for most of Jeff’s talk about ESAPI, the OWASP Enterprise Security API. The popular frameworks don’t do nearly enough to guide developers toward building secure software, which is where ESAPI steps in as a set of APIs for building secure web applications, with both an extensible interface and a reference implementation. Right now, the development of the main project is happening in Java, which I know was disappointing to many in the audience who don’t work with Java. But there is an active .NET ESAPI, as well as a less active PHP port, to which contributors are welcome and encouraged. If you are writing Java web apps, you should look at ESAPI now. It’s good stuff. Talks are underway to see about getting some of this in the next servlet spec, which would be fabulous.
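To make the "frameworks don’t guide you, ESAPI does" point concrete, here is a small servlet written for this post as an added illustration; it is not code from Jeff’s talk or from the ESAPI project itself. It assumes the ESAPI 2.x Java API with an ESAPI.properties file on the classpath (the "SafeString" validator pattern used below is one of the patterns shipped in the default ESAPI.properties), and the servlet class, URL parameter name and length limit are hypothetical choices for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical servlet for this example: greets the user by the "name" query parameter.
public class GreetingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        String rawName = req.getParameter("name");

        // What the servlet API alone nudges you toward: reflect the parameter straight
        // into the page. Anything in "name" that the browser treats as markup runs as
        // markup (reflected XSS).
        //   out.println("<p>Hello, " + rawName + "</p>");

        String name;
        try {
            // Principle 1: don't trust input. ESAPI canonicalizes the value (so a
            // double-encoded payload doesn't slip past the check), then validates it
            // against the "SafeString" allowlist pattern from ESAPI.properties, with a
            // maximum length of 32 and null not allowed. A failure is a
            // ValidationException, and repeated failures feed the intrusion detector.
            name = ESAPI.validator().getValidInput("name parameter", rawName, "SafeString", 32, false);
        } catch (ValidationException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
            return;
        }

        // Principle 2: encode for the output context, every time, even after validation.
        // HTML body context:
        out.println("<p>Hello, " + ESAPI.encoder().encodeForHTML(name) + "</p>");
        // A JavaScript string literal is a different context with different metacharacters,
        // so it gets a different encoder:
        out.println("<script>var who = '" + ESAPI.encoder().encodeForJavaScript(name) + "';</script>");
    }
}
```

The two-step shape (validate on the way in, encode on the way out) is the habit ESAPI is trying to make the path of least resistance; validation alone is not enough, because a value that is legitimate in one context (an apostrophe in a surname) is still dangerous in another (inside a single-quoted JavaScript string).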

Arshan Dabirsiaghi then gave an entertaining and engaging talk about the OWASP Intrinsic Security Working Group, which is a new project trying to get at the heart of the problems in web application security, largely having to do with browser security. Which is a mess. They’ll have their say about HTML 5, too, and will provide input hoping to steer the spec away from security disasters.

I was surprised at lunch to have an actually tasty vegetarian option, a portabello mushroom sandwich on ciabatta. It was probably the bread that sold me. Ciabatta’s the new hotness in bread, after all.

Anil Kumar Revuru from Microsoft spoke about a few things they have going on in the Connected Information Security Group. I had to step out during the first part, so missed much of what he had to say about their framework, but I did catch some of the tools he demoed. Pretty cool stuff, and the Anti-XSS library is a must-have if you do .NET web apps.

I’m torn about the threat modeling tool. On the one hand, it is clearly good work that I’m sure can prove beneficial once a team has worked with it for a while. I believe very strongly that threat modeling is a Good Thing. On the other hand, the threat modeling tool seems extremely heavy-handed, a lot of fiddling with an external application, and I can’t imagine working with a development team that would tolerate it. If I tried to introduce threat modeling with the use of that tool, I’d never get it off the ground. That said, a new version is due out next month, and Adam Shostack is involved. His paper on threat modeling experiences at Microsoft (PDF) was enlightening. So maybe I can hold out hope again. I’ll at least watch the demo available on an SDL program page.

Brian Chess talked about static analysis and some of the interesting work in that space. I greatly enjoyed this talk, although I can’t remember much of it. :-) He talked about how static analysis tools have evolved, and what you can and cannot do with them. I will say this: a compelling metaphor goes a long way. His saying that “writing secure software is like making safe-to-eat burritos” caught some Twitter-love.

If you liked hearing about ESAPI and CISF, you might also have enjoyed hearing Elliot Glazer speak about the security framework at the Depository Trust and Clearing Corporation, which last year moved $1.86 quadrillion in transactions. Ahem. I hope to get a copy of his slides and post them to the OWASP site, since they were very text-heavy and hard to read but seemed worth reading. The framework seems well thought-out and practical, a bit process-heavy for some but not nearly as bad as you might think it would be, as everything he identified in the process always serves a clear purpose. And has saved them more than once.

Corey Benninger of the Intrepidus Group treated us to real-world phishing examples and trends, and walked us through the discovery of a simple but effective session hijacking attack against a brokerage that cost real money. These are always fun and frightening to see. A great way to round out the regular talks.

We were then treated to an appearance by Richard Stallman. Given fifteen minutes, he explained how free software is an ethical concern. Free-as-in-freedom, of course, not free-as-in-beer. I’ve seen him do this a couple times, and I have to say that he does it well. His talk might not have had an obvious bearing on security, but I’m glad he was there. We don’t talk about ethics enough. I don’t, anyway.

All the talks will be posted online. Stallman’s will of course not be available in Flash, because that is not a free format. For him, expect Ogg Theora.

All in all, I think this was a good conference. I can’t believe we pulled it off and charged only $25 per person! That was no doubt a key factor in getting people to attend. I mean, for twenty-five bucks it’s almost easier to pay out of pocket than to try to convince your boss to pay. ‘Course, for $25 it’s hard to imagine a boss not paying. And to hear these great speakers at that price… marvelous. We were fortunate this time in that the speakers found their own way here instead of having OWASP pay their way. Hopefully we can keep the cost down in the future.

There are things that we can do better in the future. I already mentioned the weird physical logistics, for example. I’d like to see even more along the lines of practical guidance on how to build security into web applications. That’s a core strength of OWASP conferences that I think we should play up as much as possible: they’re for builders more than for breakers. If you look at the agenda, the talks were largely focused on building, but they sometimes got a bit abstract. The only other real concern I had is the perception that OWASP is focused on the enterprise to the exclusion of, well, non-enterprise. That’s not my impression of the organization, but with a focus on Java and .NET in the talks, and with almost no Macs in the audience, it’s an easy impression to give. We have a thriving tech community in the Twin Cities, not all of it so enterprisey, and it would be good for everyone to engage them.

A tip of the hat to Lorna Alamri, who did most of the leg-work for the logistics of actually getting the conference going, and to Kuai Hinojosa, who has done a tremendous job this year growing the chapter and getting the word out about OWASP and web application security. Both had great ideas for the conference, and it really came together. Bang-up job.

Conferences, JavaScript, RIA, Security

Conference sessions are over. Now I can read again.

When last I wrote, I was busy working on a few talks. They went reasonably well.

MinneWebCon was a lot of fun, an engaging, upbeat conference. There were almost 250 attendees, about two-thirds of whom were from the University of Minnesota, which put on the conference. Eric Meyer delivered a keynote in which he discussed craftsmanship in the web professional. How very relevant. Amy Kristin Sanders’s midday keynote offered useful insights about internet law that I cannot do justice to. In Mark Heiman’s enchantingly engaging talk about the search for a social networking tool for Carleton College alumni, I learned about Elgg, an open source social networking platform that looks pretty damn good. I’ll have to take a closer look.

The smartest bit of scheduling was to put unconference sessions immediately after lunch. Rather than nodding off on a full stomach, we got engaged in animated discussion, keeping energy high for the afternoon. Brilliant. The social networking session largely highlighted Twitter, which fit in well with the active back-channel Twitter chatter going on. Tony Thomas wrote a little about that.

My own presentation on JavaScript went almost as well as I hoped, although I ended up not being able to touch on Ajax except immediately afterward in a quick response to a question as I was unplugging from the projector. My emphasis was on taking functional pages and layering helpful behaviors onto them with unobtrusive JavaScript. Video will be available at some point, and I’ll be making my presentation notes available here (and there) soon.

And by the way: in case you didn’t know, jQuery is fantastic.

Many thanks to the MinneWebCon organizers for putting on a great conference and for allowing me to participate. I’m looking forward to next year.

Unfortunately, I was having so much fun preparing for my MinneWebCon talk that I gave short shrift to prepping for the two presentations I had scheduled at the MnSCU IT conference this past week. Thankfully I deliberately chose topics on which I could speak extemporaneously if need be. They turned out okay, but (as always) not as good as I had hoped. My first session explored the limits we’re bumping into with Ajax, especially user interface challenges, nontrivial client-server data communication problems, and the fallacies of distributed computing — setting the stage for the emergence of rich internet application technologies like Flex, AIR, and Silverlight. None of these technologies actually solve the problems, except making it easier to create better-looking UIs, but they should be watched closely. Hell, I’d use Flex in a heartbeat for certain things like, oh, an ERP.

I also spent a few minutes pointing toward all the activity going on around programming languages, concurrency, and flexible approaches to databases (non-relational, sharding, etc.), all related to rising expectations of what software should be able to do and how quickly we should be able to create said software. I talk about this stuff all the time, but hardly anyone seems to believe me. I hope that I at least planted a seed or two that will bear fruit in future discussion, and was heartened upon my return from the conference to see Tim Bray take it up:

Near as I can tell, we’re simultaneously at inflection points in programming languages and databases and network programming and processor architectures and Web development and IT business models and desktop environments. Did I miss anything? What’s bigger news is that we might be in inflection-point mode pretty steadily for the next few years.

I don’t know whether I’ll put together notes. I suppose I ought to.

I was a little worried about the session on software security principles, since I had completely changed course on what I wanted to do the night before, but it turned out to go quite well. I wanted to start a discussion, examining common software development scenarios where I often find vulnerabilities, letting the group identify security principles that should guide development. With the help of a few security-minded individuals and a lot of people not afraid to put themselves out there even when they weren’t sure of themselves, we did just that. It was a good, active conversation. I was concerned that one guy who brought up a quite valid point — that by moving our ERP from Win32 client-server to a web application, we’ve increased exposure and risk — was discouraged by the response. I talked with him today, though, and found that he wasn’t at all discouraged and that he had learned what I wanted people to learn:

  • the threat is no longer amateur;
  • software is rarely designed with security in mind, and that’s where the attacks are taking place;
  • there are core principles that should help guide software design and development, such as not trusting input, using least privilege, and so on.

For people like him for whom this is all new, next time I will prepare handouts. If you’re looking for a preview or something to use now, I suggest you start with the excellent resources from the Microsoft patterns and practices group, including Guidance Share. It is not all Microsoft-specific, and there are some real treasures. For a quick run-down of security principles, see this blog entry by J.D. Meier, which lays them out nicely against Microsoft’s security frame.

To my mind, the highlight of the conference was Mike Janke’s whirlwind tour of the MnSCU network and data centers. We really need to see more of that. Watching his presentation leaves no question of the scale and complexity of the problems of doing IT for an organization the size of ours, and the tremendous job that Mike and his team have done.

The real conference is of course not the sessions but the connections made with people there. Many good conversations were had, but I still didn’t connect with everyone I had hoped to. Folks, you know who you are. Let’s not wait until next year, okay?

Whew! My conference season is pretty much over, so excuse me while I go tackle that growing stack of books.