17 May 2008

An Ode to SSL

SSL, oh SSL
you're not working very well
if only you were trouble-free
oh how happy I would be

Filed under: Security
7 Sep 2007

OWASP Meetings and Software Developers

Why do I never meet any software developers at the local OWASP meetings that I attend? That's been bothering me. OWASP stands for "Open Web Application Security Project". Developers create web applications. Developers need to be aware of security issues in order to build better software. So why don't I meet developers there?

Now you may be wondering, "so who do you meet?" Well, I'd say the majority are security consultants of one form or another. A few are principals of companies that perform security audits, and some build software to sell for promoting better security. Last night at the meeting I attended, I sat next to a PCI compliance consultant and so added a little to my knowledge about that. I also tend to meet system administrators, but usually they're higher up the ladder rather than the guys down in the trenches; I'm not sure that's always true, though. Also, keep in mind that I'm not the most outgoing social butterfly you'll ever meet, so there could easily be other developers there and we just don't meet up.

The meetings I've been to have covered some fascinating topics, often focusing on XSS attacks, but not always. They've been a bit scary, too. I tend to go home and start looking for new ways to lock down all of my computers. Last night's meeting especially compelled me to focus on that! I wish that other software developers would discover these meetings and find them to be as intriguing as I do.

(P.S. I'll give more details about that meeting in another post - it was memorable.)

Filed under: Security
7 Sep 2007

OWASP Malicious Code Injection and Privacy

Last night I went to a local OWASP chapter meeting on two topics: malicious code injection and online privacy. Both topics scared the bejesus out of me and I've been completely obsessed with locking down computers all day today. In fact, my poor boss had to listen to quite a long rant on the subject this morning. It's lucky that he's interested in security, too.

First off, I want to say that the local chapter here is doing a great job of setting up meetings and finding interesting speakers. This meeting was combined with the San Francisco chapter and was held at the eBay offices. In fact, the plan is for all future meetings to be combined. They had a free meal for everyone, which was quite nice and they didn't forget about vegetarians, either. That included assorted beverages and beer, too. They also had free t-shirts: OWASP shirts, and the moderator of the privacy panel had shirts from his company to give away. It was a great deal from the standpoint of freebies.

The speaker presenting malicious code injection had quite simple slides. The real impact was in what he said, which can probably be summed up as "be very, very careful - you can never be too careful". He used an example online banking site as the victim of his XSS exploits. He didn't have time to cover everything, so he pointed everyone to the infamous RSnake XSS Cheat Sheet. That wasn't the first time it's been mentioned at OWASP meetings, but it probably can never be mentioned enough. The bits that struck me most about the presentation were the talk about SSL proxying, his comment that rootkits are so sophisticated nowadays that no one can detect them, and his closing statement that he wipes his OS about every two weeks and reinstalls - that's how paranoid he's become - the expert! Yikes!

Then we were on to a panel discussion about online privacy. I actually thought it was going to be boring and was plotting my escape, but I was so wrong. The panelists were great. The questions were mostly driven by the audience, and many kept going back to the Electronic Frontier Foundation lawyer (whose name I didn't write down, and it's not listed on the OWASP website). He was fascinating to listen to. The other panelists were great, too. I especially enjoyed the points of view raised by Larry Pingree of Safeway and a very knowledgeable gentleman from Kaiser Permanente. The main bit of information I took away is this: don't ever give anyone more information than you absolutely have to, and especially don't give it out to anyone not in the United States (this was from the perspective that we were in the US, of course), because as much as we may complain about invasions of our privacy here, we have it better here than anywhere else in the world.

Overall, it was a great meeting, 5 thumbs up. Now I have to go lock down some more computers. Hmmm, maybe I could convince the neighbors to let me in to tweak theirs just a little...

Filed under: Security
6 Sep 2007

OWASP Workshop and Panel Discussion, Part 1

I went to a San Jose Chapter OWASP meeting tonight. As always, it was an eye opener, and I'll have more to tell later, but right now I just want to say "Microsoft - bleck, phffft, pittooey".

Filed under: Security