Set in sunny Dublin the day hosted a wide range of interesting talks on Web application security related topics. The conference was very well attended and seemed to have people from a wide variety of backgrounds.
John Viega's keynote kicked off the day with a theme that persisted over many of the talks, which is the need to have a realistic and pragmatic approach to security. John has had a lot of experience in managing software security teams and one of the key messages that we took from the talk is that perfectly secure software is unattainable and that it's important to focus limited resources where they will make the most difference.
After that keynote there was a brief mini-presentation from Eoin Keary and Dinis Cruz on what the OWASP board has been focusing on over the last year and what's in store over the next 12 months. We also got a mini version of Samy Kamkar's Blackhat presentation "How I Met Your Girlfriend", which made a neat combination of XSS issues in home routers and the Geo-Location facilities provided by Google to precisely locate someone based on them visiting a site you control.
The conference split into two tracks at this point, the following covers highlights from each.
Dr Marian Ventuneac had an interesting presentation looking at how web application vulnerabilities can affect a wide range of e-mail security appliances, including virtual appliances and SaaS offerings (e.g., Google Postini). It was a good reminder of how widespread web application issues can be, and also of why it's important to review all web application interfaces in use by a company, even if they're provided by a "trusted" vendor.
After that 7 Elements' David Stubley was up to talk about "Testing the resilience of security". This is something that we'll be covering on our main site so we won't talk about it too much here other than to congratulate Dave on a well received presentation.
In the other room at the same time, Ryan Berg from IBM gave a very enthusiastic presentation on the process of secure development and the reality of software security. It was interesting to hear the theme of assuming that your internal network is compromised come up again from Ryan. There's been a growing chorus of voices in the security industry pointing to the fact that the complexity of modern IT environments and the flexibility demanded by business management mean that it's almost impossible to rely on a "secure perimeter" as a defence, and instead defenders should assume that attackers have some level of access to the internal network when designing their security controls.
Dan Cornell from Denim gave a fun canter through the subject area of iPhone and Android applications under the title "Smart Phones with Dumb Apps". The key takeaway was the need to educate developers that the bad guys can and will decompile your application, so be aware of the sensitive data it contains. Another point made was that even though iPhones swamp the market at the moment, Android sales have the largest take-up momentum; given this, we feel that development of Android applications for financial organisations will become more prevalent as they become the next "must have" for business marketing and sales teams.
After lunch in the scenic Trinity College Dining Hall, Professor Fred Piper gave a talk on the changing face of cryptography. His talk covered quite a bit of the history of cryptography and how its uses have changed over time. Fred also touched on some areas where cryptography goes wrong, and he made the point that it's usually the implementation of an algorithm that is successfully attacked rather than the algorithm itself.
The next presentation that we sat in on was from Dinis Cruz on his O2 platform. As usual with Dinis there was an awful lot of information to take in, but it's obvious that he's doing some really interesting things with the O2 platform, and it'll be very interesting to see how it matures over time.
After Dinis, the remaining two members of the 7 Elements team (Rory Alsop and Rory McCune) were up, to talk about the realities of penetration/security testing. We've put our slides up here but this topic is one that we want to cover off in more detail in this blog over the next couple of weeks.
Unfortunately, after that our time was up and we needed to head off to the airport to get back to Scotland.
Thanks to Eoin and the team for inviting us over to present.