It was my first application security conference. It had a good mix of application security topics and other information security and privacy related stuff.
I also found a good mix of attendees, both developers and core information security folks. I was particularly impressed not only by the sheer number of people from the development community who attended this conference but by the amount of knowledge and understanding this group possessed in the field of information security. I have blogged about the need to make applications more secure and the need for secure development and testing; it was great to see the support and understanding, and I think it is an extremely good sign for India and Indian companies.
There were not many vendor booths. I am not sure if it was intentional; I did not get a chance to ask the organizers about this.
SANS had a booth and it was great to hear that they are going to start some of their courses in India in the coming months; they already had 3 courses as part of this conference. Suresh, who is the MD for Asia Pacific, told me that they are going to have two courses in Bangalore in February, 2010.
Here are the notes from some of the talks I attended.
How to Blackbox test almost anything - Aviram Jenik
- Majority of today's vulnerability discovery is through blackbox testing, also known as fuzzing
- Blackbox testing is about testing inputs
- Inputs are the biggest problem and mostly ignored by the developers
- Testing proper inputs solves the majority of the problems
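To make the blackbox-testing points concrete, here is an added example (not from the talk or the post) in Python: a small mutation fuzzer run against a constructed toy record parser with a deliberate length-handling defect, and then against a fixed version of the same parser that validates the length field. The wire format, the seed record and the mutation strategies are all assumptions made for the illustration.

```python
import random

# Constructed toy wire format: [name length n][name, n bytes][checksum, 1 byte][value, 2 bytes BE].
# This parser trusts the length byte and never checks that n bytes were actually received;
# that is exactly the kind of input-handling defect blackbox input testing is meant to surface.
def parse_record(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("record too short")
    n = data[0]
    if n == 0:
        raise ValueError("empty name")
    name = data[1:1 + n]
    checksum = data[1 + n]            # IndexError when n runs past the end of the input
    if checksum != sum(name) & 0xFF:
        raise ValueError("bad checksum")
    value = int.from_bytes(data[2 + n:4 + n], "big")
    return {"name": bytes(name), "value": value}


# Hardened version: the length field is checked against what was actually received.
def parse_record_fixed(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("record too short")
    n = data[0]
    if n == 0 or len(data) < 4 + n:
        raise ValueError("length field does not match input size")
    return parse_record(data)


# Constructed valid seed record: name "abc", checksum over the name, value 42.
SEED = b"\x03abc" + bytes([sum(b"abc") & 0xFF]) + b"\x00\x2a"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, truncation or random append."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.extend(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> list:
    """Feed mutated inputs to the parser. A ValueError is the parser cleanly rejecting
    bad input; any other exception is a crash the parser did not anticipate."""
    rng = random.Random(rng_seed)       # fixed seed so a finding can be reproduced
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.append((case, type(exc).__name__))
    return findings


if __name__ == "__main__":
    for case, kind in fuzz(parse_record, SEED)[:5]:
        print(kind, case.hex())
    print("fixed parser findings:", len(fuzz(parse_record_fixed, SEED)))
```

The fuzzer only needs a way to send input and a way to tell a clean rejection from a crash; it never looks at the parser's code, which is what makes this a blackbox technique. Logging the random seed and the failing input is what turns a crash into a reproducible bug report for the developers.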
- Threat modeling is a repeatable process to find and address all threats to a product.
- The best time to identify threats and remediate them is at the design stage.
- Create a data flow diagram first and update it when changes are made.
- For mitigation, use standard and common mitigation steps.
- Validate thoroughly.
- The SDL Threat Modeling Tool is one of the tools provided by Microsoft to help identify threats and mitigation steps
I thought this was the best talk; I am biased because privacy is one of my favorite topics and also because the tools he discussed in the talk are familiar to me: I had blogged about one of them, the phishing game, back in October. Dr. PK talked about some of the privacy concerns and specifically about the non-availability of empirical data on privacy losses in India. He also talked about both the human side and the technology side of phishing and discussed some of the tools that were part of his research.
Ten things web developers still aren't doing - Frank Kim
Frank talked about some of the common web programming techniques that can easily be implemented. Some of his tips were:
- Use well known validation code such as OWASP ESAPI
- Perform proper canonicalization
- Perform output encoding and escaping
- Employ strong passwords
- Use CSRFGuard from OWASP
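Three of the tips above (canonicalization before validation, output encoding for the HTML context, and a session-bound CSRF token) worked through in Python as an added example that is not from the talk or the post. ESAPI and CSRFGuard are OWASP's Java libraries; here the Python standard library stands in for them. The upload directory, the session ids and the comment markup are constructed for the illustration.

```python
import hashlib
import hmac
import html
import posixpath
import secrets
import unicodedata
import urllib.parse
from typing import Optional


# 1. Canonicalize first, validate second.
def canonicalize(value: str) -> str:
    """Undo percent-encoding until the value stops changing (so double encoding cannot hide
    anything) and apply NFKC so look-alike Unicode forms such as a fullwidth '.' collapse
    to their ASCII equivalents before any validation rule looks at the value."""
    previous = None
    while previous != value:
        previous, value = value, urllib.parse.unquote(value)
    return unicodedata.normalize("NFKC", value)


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Map a user-supplied relative path to an absolute path under base_dir,
    returning None if the result would fall outside base_dir."""
    base_dir = posixpath.normpath(base_dir)
    rel = canonicalize(user_path)
    if "\x00" in rel:
        return None
    full = posixpath.normpath(posixpath.join(base_dir, rel))
    if posixpath.commonpath([base_dir, full]) != base_dir:
        return None
    return full


# 2. Output encoding: escape for the HTML context the value lands in.
def render_comment(author: str, body: str) -> str:
    """html.escape with quote=True is correct both for element content and for
    double-quoted attribute values, which is how this template uses it."""
    return '<div class="comment" data-author="{}">{}</div>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


# 3. CSRF synchronizer token bound to the session.
SERVER_SECRET = secrets.token_bytes(32)   # constructed per process; a real app loads a persistent secret


def issue_csrf_token(session_id: str) -> str:
    """The token is an HMAC over the session id, so it can only be produced by this server
    and only matches the session it was issued for; a cross-site page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted)   # constant-time comparison


if __name__ == "__main__":
    base = "/srv/app/uploads"   # constructed upload directory
    for candidate in ["reports/q1.txt", "../../etc/passwd", "%252e%252e/x", "\uff0e\uff0e/x"]:
        print(repr(candidate), "->", resolve_under(base, candidate))
    print(render_comment('Ann "The Hammer" & Co.', "<b>hi</b> & bye"))
    token = issue_csrf_token("sess-1")
    print(verify_csrf_token("sess-1", token), verify_csrf_token("sess-2", token))
```

The order in `resolve_under` is the point of the canonicalization tip: decoding and normalizing happen before the containment check, so an encoded or look-alike form of `..` is judged on what it becomes, not on how it was spelled. Escaping is done at output time, per context, rather than by stripping characters on input.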