RSA Europe 2007 Trip Summary

RSA Europe 2007 was held the week of October 22nd. The conference was a three-day event, held at the Excel Convention Center, where it will also be held the next two years.

Some conference highlights follow…

Bruce Schneier Keynote

The second day of the conference opened with a Keynote from Bruce Schneier. If you ever have a chance to hear a presentation by Bruce – Do Not Pass It Up ! In addition to being a really good presenter, Bruce invests a lot of time into really thinking about and researching the mechanics of security. His keynote was entitled “Reconceptualizing Security”. I have four pages of notes from his presentation. Here are a few of the topics he touched on:

  • Great discussion of “feelings” vs “reality” of security
  • Examination of the language and cognitive challenges regarding risk
  • Discussion and some revision of Bruce’s ideas regarding “Security Theater”
  • Explanation of Lemon’s Markets
  • Are many security products sold in a Lemon’s Market ?

DEF-105: 12 Common Java Security Traps

Brian Chess gave two presentations at the conference. Unfortunately, I was only able to attend one. This presentation focused on common, and significant, security problems that must be addressed during development.

Brian referenced two resources in his presentation, both of which I plan on researching:

Fortify Taxonomy: Software Security Errors

  • This is an attempt to partition the entire space of software security flaws…

Open Source Software Vulnerability Project

  • Application of the Vulnerability scanning tools developed by Brian’s company to Open Source projects to aid in the discovery and remedy of software security errors.

HT-108: Revenge of the Rodent: Did Your Mouse Turn Evil?

Ronald Heil’s presentation about malicious things that can be done with trusted devices, such as the mouse, was brilliant. Ronald reengineers a common computer mouse, using off-the-shelf components, and turns it into one that can be used to:

  • Load malicious code onto a target computer
  • Store data stolen from the user (for later retrieval)
  • Provide attacker with remote control and data access (via Bluetooth)

DEV-109: Is Web 2.0 a Hackers Dream?

This was the third Caleb Sima presentation I have attended. Each one has been fantastic and better than the previous one.

This presentation focused on some of the application security pitfalls that Web 2.0 technologies, such as AJAX, are vulnerable to. Caleb’s presentations always mix static information with actual demonstrations of concepts. During this presentation he demonstrated a number of JavaScript application security faux pas.

A key thesis in the presentation was that Web 2.0 programing techniques, like AJAX, are dramatically increasing the attack surface of applications though movement of code to the client, were it can be easily examined and manipulated. Several examples of ‘bad logic’ or code to move to the client were given, and included:

  • Security code (coupon code validation logic, admin status flagging, etc.)
  • Input validation
  • Range control and boundary checking logic


The above summaries are highlights. I attended all of the sessions on days two and three, and found them all to be very valuable and high quality. I was particularly impressed by the great English language skills of the presenters from non-English speaking countries. I do not know if I will have the opportunity to attend the European event in the future, but I would certainly recommend it.