Monthly Archives: October 2007

RSA Europe 2007 Trip Summary

RSA Europe 2007 was held the week of October 22nd. The conference was a three-day event, held at the Excel Convention Center, where it will also be held the next two years.

Some conference highlights follow…

Bruce Schneier Keynote

The second day of the conference opened with a Keynote from Bruce Schneier. If you ever have a chance to hear a presentation by Bruce – Do Not Pass It Up! In addition to being a really good presenter, Bruce invests a lot of time into really thinking about and researching the mechanics of security. His keynote was entitled “Reconceptualizing Security”. I have four pages of notes from his presentation. Here are a few of the topics he touched on:

  • Great discussion of “feelings” vs “reality” of security
  • Examination of the language and cognitive challenges regarding risk
  • Discussion and some revision of Bruce’s ideas regarding “Security Theater”
  • Explanation of Lemon’s Markets
  • Are many security products sold in a Lemon’s Market?

DEF-105: 12 Common Java Security Traps

Brian Chess gave two presentations at the conference. Unfortunately, I was only able to attend one. This presentation focused on common, and significant, security problems that must be addressed during development.

Brian referenced two resources in his presentation, both of which I plan on researching:

Fortify Taxonomy: Software Security Errors

  • This is an attempt to partition the entire space of software security flaws…

Open Source Software Vulnerability Project

  • Application of the Vulnerability scanning tools developed by Brian’s company to Open Source projects to aid in the discovery and remedy of software security errors.

HT-108: Revenge of the Rodent: Did Your Mouse Turn Evil?

Ronald Heil’s presentation about malicious things that can be done with trusted devices, such as the mouse, was brilliant. Ronald reengineers a common computer mouse, using off-the-shelf components, and turns it into one that can be used to:

  • Load malicious code onto a target computer
  • Store data stolen from the user (for later retrieval)
  • Provide attacker with remote control and data access (via Bluetooth)

DEV-109: Is Web 2.0 a Hackers Dream?

This was the third Caleb Sima presentation I have attended. Each one has been fantastic and better than the previous one.

This presentation focused on some of the application security pitfalls that Web 2.0 technologies, such as AJAX, are vulnerable to. Caleb’s presentations always mix static information with actual demonstrations of concepts. During this presentation he demonstrated a number of JavaScript application security faux pas.

A key thesis in the presentation was that Web 2.0 programming techniques, like AJAX, are dramatically increasing the attack surface of applications through movement of code to the client, where it can be easily examined and manipulated. Several examples of ‘bad logic’, or code that should not be moved to the client, were given, and included:

  • Security code (coupon code validation logic, admin status flagging, etc.)
  • Input validation
  • Range control and boundary checking logic
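To make the point concrete, here is an added example (my own illustration, not code from Caleb’s presentation) of a simulated checkout. The client-side function computes the coupon discount and total in the browser, which is exactly the kind of logic the talk says should stay on the server. The first server function trusts the submitted total; the second re-derives the price from its own catalogue and coupon table and performs the range check itself, so edits to the request in the browser change nothing. The catalogue, coupon table and price values are constructed for the example.

```javascript
// Added example, not from the presentation. A hypothetical server owns these
// tables; the values are constructed for illustration.
const CATALOG = { "sku-100": 2500 }; // unit price in cents
const COUPONS = { SAVE10: 10 };      // percent off

// Client-side logic of the kind the talk warns against: the browser decides
// whether the coupon is valid and what to charge, then submits the result.
function clientBuildOrder(sku, qty, coupon) {
  const unit = CATALOG[sku];
  const pct = COUPONS[coupon] || 0;
  const total = Math.round((unit * qty * (100 - pct)) / 100);
  return { sku, qty, coupon, total };
}

// Vulnerable server: the submitted total is trusted as-is. Because the
// request is built by code running on the client, the user controls it.
function vulnerableServerCharge(order) {
  return order.total;
}

// Hardened server: only identifiers and a quantity are taken from the request.
// Price lookup, coupon validation and the quantity range check all happen here,
// on data the server controls.
function hardenedServerCharge(order) {
  const unit = Object.prototype.hasOwnProperty.call(CATALOG, order.sku)
    ? CATALOG[order.sku]
    : undefined;
  if (unit === undefined) throw new Error("unknown sku");
  if (!Number.isInteger(order.qty) || order.qty < 1 || order.qty > 100) {
    throw new Error("quantity out of range");
  }
  // hasOwnProperty guards against prototype keys such as "constructor"
  // being accepted as coupon codes.
  const pct = Object.prototype.hasOwnProperty.call(COUPONS, order.coupon)
    ? COUPONS[order.coupon]
    : 0;
  return Math.round((unit * order.qty * (100 - pct)) / 100);
}

// Stand-alone demonstration: an honest order and a copy with the client-side
// total altered (constructed input), charged by both servers.
function demo() {
  const honest = clientBuildOrder("sku-100", 2, "SAVE10");
  const tampered = Object.assign({}, honest, { total: 1 });
  return {
    honestVulnerable: vulnerableServerCharge(honest),
    tamperedVulnerable: vulnerableServerCharge(tampered),
    tamperedHardened: hardenedServerCharge(tampered),
  };
}

console.log(demo());
```

The hardened version treats the request as nothing more than a claim about what the user wants; every value that affects money or access is recomputed from server-side state.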

Summary

The above summaries are highlights. I attended all of the sessions on days two and three, and found them all to be very valuable and high quality. I was particularly impressed by the great English language skills of the presenters from non-English speaking countries. I do not know if I will have the opportunity to attend the European event in the future, but I would certainly recommend it.

Cheers,

Erik

Are you attending RSA Europe 2007?

If you are attending RSA Europe 2007, please consider attending my presentation which is at 1:00 PM on Monday (which is the first day of the conference). The presentation is a part of the Professional Development track (PROF-103) and is titled:

Basics of the Quick Business Case:

How to Champion Your Next Information Security Initiative

The primary goal of the presentation is to help technologists, like myself, become better at influencing change and championing innovation in their organizations. That said, I also hope there is a lot of valuable information for executives, managers, and line of business stakeholders who can use these concepts to coach and prepare the individuals who are presenting innovative ideas to (or for) them. It is truly my hope that there is ‘something for everyone’ in this presentation.

Here are more details from the conference site…


Session Abstract: This session will focus on creating and presenting Quick Business Cases: brief, six-part presentations documenting a particular opportunity for innovation and seeking organisational buy-in and support. The entire enterprise benefits from better communication about innovation, and this presentation’s goal is to better enable every participant’s abilities to champion it.

Detailed Description: Attendees will be presented with a set of ideas and tools focused around making them better Champions of innovation in their organizations. The presentation will begin by discussing why it is difficult to influence change and innovation, including a discussion of some of the specific problems Information Security and Risk Management professionals face. The presentation will then focus on how to construct a Quick Business Case, and how to use the Quick Business Case as a tool not just for communication but also to validate and refine the business case itself. The Quick Business Case itself is a six-part presentation that can be used as a tool to both overcome the “blank page” problem and quickly start documenting the innovation as well as structure the presentation to overcome common business communications challenges. In addition to the preparation of the document itself, we will also discuss strategies for using the Quick Business Case to develop a communications plan to validate your current ideas, learn more, and build consensus for the business case. The Quick Business Case is not intended to replace a full Business Case or Business Plan, but is a tool to document an opportunity and determine organizational interest. Of course for some initiatives or organizations, the Quick Business Case may prove sufficient for a final decision. A key goal of the presentation will be to make these techniques accessible to small teams, not requiring large budgets.

Cheers, Erik

Hello world!

Every technology adventure begins with a “Hello World” moment. Whether it is getting that first computer program to run or the first LED to blink, we always start small and build from there.

This posting is a placeholder. While it is meant to help me test out the site, look for more to come in the weeks leading up to RSA Europe 2007. In addition to presenting at the conference, I am also planning on posting some trip report information.

Until then…

Cheers, Erik