Thursday, July 15, 2010
I had fun attending OWASP NZ Day 2010.

There were 6 great sessions - plus Graeme and I presented a talk on encryption, and how to develop applications using encryption:

Brett Moore: Don't try this at home
Roberto Suggi Liverani: Defending Against Application Level DoS Attacks
Paul Craig: What to do when you get pwned?
Metlstorm: Low Scuttling Chillicrab
Graeme Neilson / Kirk Jackson: Tales from the Crypt0
Quintin Russ / Mike Jager: Hosting and Security
Dean Carter: Ramblings of an ex-QSA

I came away with that feeling of satisfaction where you know you've learnt lots, but haven't had time to digest and process it all yet. Some of my immediate takeaways are:

  • Input validation is still a big area of problems in most apps
  • Application bugs and inefficiencies can be vectors for denial of service attacks
  • If you get pwned, hacked or DoS'd, you need to have a plan of what you're going to do to recover, and if there's a chance that you need law enforcement involved, you need to get a forensic analyst involved very early on (preferably in advance)
  • There are lots of computers on the internet in NZ, and lots of them have obvious vulnerabilities. No-one is doing anything about this (at least, no-one good is doing anything about this!)
  • Bad development practices lead to problems in the hosting environment. App and deployment security problems live on
  • Credit cards are the devil, and should be treated as such :)
Thanks Roberto and Lech for organising. I'm looking forward to next year!