Speaking at Linux.conf.au 2013

I’m glad to say that I’ve been accepted to speak at linux.conf.au 2013.

My talk is how to apply the OWASP Developer Guide 2013 to your open source project.

The Open Web Application Security Project (OWASP) Developer Guide 2013 is coming soon. In this presentation, you’ll learn about the major revision to one of the major open source code hardening resources.

The new version will encompass not only web applications (although that is its primary focus), but also general advice for all languages, frameworks, and applications through the use of re-usable architecture, designs, patterns and practices that you can adopt in your code with a bit of thought.

Learn about:

  • The latest research in application security
  • How to apply new patterns to eliminate hundreds of security flaws in your apps, such as the bizarre world of race conditions, distributed and parallel artefacts. Few apps can afford to be single threaded any more, and yet these subtle flaws are easily prevented if you only knew how
  • Challenges of documenting bleeding edge practices in long lived documents
  • How to pull together a global open source document team whilst holding down a day job

If you code web apps, or write apps that need to be secure, this is a must attend presentation!

Come see me! Challenge me! Make the Guide better for non-web apps!

Upcoming speaking engagements – AusCERT and iTSMF

I am scheduled to talk or give tutorials at a couple of places so far this year.


I am giving a two day Secure Coding tutorial using OWASP’s Application Security Verification Standard.

This course is different to most security training courses you’ll ever take. It teaches architects, lead developers and developers how to design and code in a positive fashion. You’ll learn of about 80 controls over the two days, and complete four hands on labs and a bunch of demos. Of course, you’ll see me demonstrate ninja levels of breaking crappy applications, but my primary goal is for you to build secure software.

Now that you want to come, you should bring your laptop with the ability to run a 64 bit VMware VM. As the VM is Linux, it could be converted to KVM, Xen, Parallels, or Virtual Box. You can take the VM home along with the slides and learn even more later.

This is the cheapest method of getting instructor led training by me. Registration here. There’s about 10 spots left as far as I’m aware.


Later in the year, I am giving my well received talk at itSMF, an ITIL aligned operations conference, on how to make your security dollars work harder for you. This talk is aimed at CIOs, CISOs, and those who are tasked with securing their stuff with ever less budget, or ever more capability (or both).

OSCON 2010 Wrap Up

Well, OSCON is over for another year. It’s been a great conference. Shame there were essentially no security talks (1/216 talks is not good enough). I will have to talk to them next year about including a Security track or let OWASP organize a Security Camp, like Scala and the cloud folks had this year.

I went to a great number of interesting sessions. Most were not that well attended, which probably means that I’m a freak who loves odd ball stuff. That’s a shame, because I got a heap out of the conference overall.

Some highlights:

Cloud talks were everywhere. This is the new Ajax. I went to enough cloud talks to be all clouded out. A common theme is who owns the data and how open are cloud systems, really? Open core versus open source was a huge meme.

Breaking it open: How one consulting firm took it open. This was easily the most thought provoking session I attended in all of OSCON. It’s a shame only about 20 others caught it too. Rob and Alexandra were totally engaging and gave heaps of insights to what worked, and more importantly some of the hiccups that hit them unexpectedly, like the Excel spreadsheet from hell.

Moving to the cloud with NYTimes. This was one of those cloudy talks I told you about. I didn’t learn a lot that I didn’t already know, but it was interesting to learn how it went down at NYT.

Deploying an open source cloud on a shoestring. This topic was close to my heart as we’re doing it, but I sank a little when I learnt of the exact scale of the AT&T Labs deployment. In the end, I think different folks have different meanings for “shoe string”. Good talk, as I learnt a fair amount about realistic cloud architecture.

Eucalyptus: the open source infrastructure for cloud systems. Another cloud talk.

Data center automation with Puppet. I went to the latter part of the Puppet tutorial, so I didn’t learn much new at this session, but that’s okay. Puppet will probably end up as part of our infrastructure (need to talk to the guys).

Driving Apache Traffic Server. This talk rocked. Lots of cool information about how Yahoo does their CDN, and the resurrection of a really old (and closed) code base into what is ATS today. I’m going to try it out, but it may not suit our needs as it doesn’t do true SSL load balancing (today).

The hallway track was also pretty dang fine. I met and introduced myself to many folks I’d only seen on Twitter or the blogosphere. I took in the latter half of the phpBB BoF and met the guys, which was cool as I could finally put names to faces. I ran the OWASP BoF session on Thursday night, which had a few folks turn up, including the Portland Chapter Leader.

Internet sucked big time most days. I think the next time I come, I’ll bring a smaller laptop or an iPad or something with a long battery life as finding space near power all the time sucked. This is partially because my Mac’s battery or logic board is failing, but it is also partially a home truth – there’s only so much coding I did during the days as I found most of the talks so engaging and relevant to my interests.

It’s interesting to see the latest fads. For those who had > 13″ laptops, Macs were about 20 to 1 the favorite choice. Netbooks were very common (probably about 15-20% of the crowd), but I saw more iPads than netbooks, which surprised me as it’s so read only, and this conference is not a read only crowd.

All in all, a satisfying and interesting conference let down by the complete lack of security talks.

OSCON 2010 – Day 2

Woke up at 5.55 am. Mr Body is seriously confused. I finished breakfast by 7 am. This is not right.

Scalable Internet Architecture – Theo Schlossnagle

I’m very sorry Theo, but I couldn’t take much more hand waving and so I left at half time. I think this is more about where I am in my career – most folks seemed interested and what not, but this session was the wrong one for me. So I bailed.

Using Puppet – A beginner’s tutorial – James Turnbull and Jeff McCune

James and Greg were on song and I really should have gone with my initial gut feeling and gone for this talk from the get go. Excellent hands on tute filling in the gaps in my Puppet knowledge. I’ll be taking the lessons learnt from the half tute I managed to attend back. We might even implement Puppet! 🙂 Seems fairly straightforward.

Request Tracker Bootcamp – Jesse Vincent

This is the primary reason I plumped for OSCON 2010. There are a few talks over the next few days, but we use RT … badly … within our organization, and that needs fixing. I learnt nearly everything I needed to use it properly, including:

  • The RTFM module – mark out a solution as the appropriate answer. This is exactly what we need
  • The RTIR incident response module – a solution for CERT style incident handling. This is not quite what we do, but I will look at it anyway.
  • The PGP plugin. Definitely going to try and get this going.
  • How to fix a few niggling issues. I entered some new tickets for me to handle when I get back. 🙂
  • How to configure custom fields … good to know for future enhancements to our use of RT

I’m glad I attended – this was a great session and definitely recommended to anyone using RT. Jesse is a good tutor, and as the original author, he definitely knows his stuff.

In other news

I headed into Portland city for the first time to go get my Mac serviced. The light rail is eerie – it’s just like Melbourne trams, but more segregated from traffic. Getting taxis is a fool’s errand in Portland. Public transport is king here baby.

My Mac’s battery had been dying unexpectedly over the last month or so, especially at the least reasonable times. At other times, the battery would last a good two and a bit hours (like today), but the randomness of it all is distressing, especially when there’s data loss. So I made an appointment with the Apple Genius Bar yesterday, and popped in today.

They ran some diagnostics. My battery was found to be acceptable albeit towards the end of its working life. The power adapter is fine. That means if the issue continues, I will need a new logic board. On an out of warranty Mac. DOH! Could get expensive.

I came back and had dinner with an ex-colleague of mine – Paul Hanchett. They’re doing it hard in the USA. We didn’t really have much of a GFC in Australia, but here… whoa. I see on Twitter (#oscon) I missed OSCON Ignite. The in crowd liked it very much, but … I’d still rather have dinner with an old friend than do more slides today.

OSCON 2010 Day 1

Travelling to the USA was as exhausting as ever.

I flew on the new A380 with Qantas. Nice plane. As per usual, there’s a mix of flight attendants – the openly hostile, the “can’t see you, didn’t see you”, and my favorite, the “never around”. We were down the back of the aircraft, which is fun if you like turbulence (I do), but not so fun for the elderly couple next to me. There was a party of teens in the middle section who had no in flight entertainment units. The units are ancient and have been recycled from other aircraft – and take about 10 minutes to reboot. They run Red Hat Linux from 2002 on some VIA Cyrus processor. So it was like a little party. I got like one hour of fitful sleep in the 16 hour flight.

LAX is better. They ripped out the old customs hall, and replaced it with something like an airport instead of a manifestation of hell on earth. The customs folks even smiled. I’m not sure what about, but it feels more human than previous times.

There was a stuff up with my hotel and teknology fangummy (they’ve heard about it but don’t think it’ll catch on), but luckily, Australian business hours had just begun and I was in about 28 hours after leaving my folks place.

PHP Quality Assistance – Sebastian Bergmann

My first tutorial was Sebastian Bergmann of PHP Unit fame.

This was an awesome tutorial, and I found out a lot about tools that I had only just started to scratch the surface with. I am definitely going to setup a continuous integration server for my projects whilst I’m in Portland.

Sebastian was a good speaker, but I would have liked more demos in the first half. The demo of Hudson was possibly more informative than the slides themselves. Definitely recommend seeing more Sebastian Bergmann talks!


Productive Programmer – Neal Ford

I attended this session with high hopes as most ThoughtWorks folks I’ve met have been very switched on. Neal seems very switched on, but … this talk started out very slow and covered blindingly obvious things that I think we’re all familiar with (source code control, comfy chairs, etc). The tutorial was definitely looking like one of those hated “hand waving” tutorials.

I considered bailing but none of the other talks in this time slot really were yelling my name. I might have tried Chris Shiflett’s tute as he’s a friend, but I wouldn’t learn much there, so I stayed for the second half.

The second half was a Top 10 with a small Top 10 “Corporate Code Smells” inside. Luckily, the second half was a bit more edifying and informative, but more from a “food for thought” point of view rather than any special insights into enterprise architecture or techniques that I’ve never heard before. This could be due to the point where I am in my career, but I was hoping for more.

The main things I learnt were the hard lessons learnt from Neal’s career. I wish there were more war stories with solutions, and far more detail throughout. If I were Neal, I’d look hard at thinking about the OSCON audience. These guys are mostly devs looking to make the jump to architect. Refactor the talk to be about that jump, the patterns, the scalability of ideas, and so on. Then it would be a HUGE improvement over the comfy chair talk we got today.

The thing I really didn’t like was the slamming of WebSphere (“#1 Code Smell. There’s a reason that WSAD is not WHAPPY”). Slammed not once, but twice in the same list. I don’t like WSAD that much either (it’s an overpriced Eclipse + J2EE reference container + IBM’s own special plugins and “enterprise” / cluster juice), but it’s like saying “your tool sucks”. Yes, but it didn’t need to be said twice in the same list, and I think most folks in the room who actually use it are forced to use it, and are unlikely to be able to move away from it. If you need the things WSAD can do, there’s few alternatives today.

Slides TBA

OWASP – Birds of a Feather

I’ve set up an OWASP Birds of a Feather session at 8 pm on Thursday night in D136. Hope to see you there!

Going to OSCON 2010

I know I’ve ranted about this before, and this post is no different. OSCON still doesn’t have any security talks, which is like an engineering conference that doesn’t have any structural integrity talks.

A sample of non-functional requirements in the OSCON 2010 program:

  • Configuration Management – check*
  • Deployment – check
  • Documentation – check
  • Efficiency – check*
  • Legal issues – check
  • Performance – check*
  • Maintainability – check*
  • Quality – check*
  • Scalability – check*
  • Testability – check*

* I’m going to a few of these tutes and talks

And what they don’t cover:

  • Compliance – 0 talks
  • Privacy – 0 talks
  • Safety – 0 talks
  • Security – 0 talks, 1 three hour tutorial

And yet, security is the only NFR that can close your business, destroy shareholder value, get you sued, cost you dearly in compliance and remediation costs, limit your organization or project to irrelevance, and destroy privacy for millions of folks in one fell swoop of ineptitude and cluelessness.

One day, the papers committee will get a clue. It’s not 2010, though.

So all my open source chums – see you in Portland! 🙂

OWASP EU 2009 Coming Soon!

OWASP EU 2009 is coming up! This year, it’s held in Kraków, Poland. Time to book!

Program highlights:

  • Keynote: Ross Anderson from Cambridge University. I’ve wanted to meet Ross for many years. Those guys are legends!
  • Keynote: Bruce Schneier. I bet there are groupies
  • w3af – Andrés Riancho. This is one of the best free toolkits I’ve tried recently. It’s awesome.
  • HTTP Parameter Pollution, Luca Carettoni, Independent Researcher & Stefano Di Paola
  • OWASP Source Code Flaws Top 10 Project, Paulo Perego, Spike Reply
  • O2 Advanced Source Code Analysis Toolkit, Dinis Cruz
  • … many others!

Although I would love to be there – I had a blast at OWASP EU 2006 – I can’t attend this year. Which is a shame, because OWASP AU 2009 was huge fun, and I can’t imagine OWASP EU 2009 would be anything less. Don’t make the same mistake as me! Book now!

Training coming along nicely

For those of you sitting on the fence about coming to OWASP AU 2009, it’s time to book. 🙂

The training materials I’ve developed using OWASP ASVS cover all the ground in the ASVS in one day, from a developer perspective:

  • About the Application Security Verification Standard
  • What you need to verify code
  • About Risk
  • The ASVS Levels
  • Verifying Architecture
  • Verifying Authentication
  • Verifying Session Management
  • Verifying Access Control
  • Verifying Input validation
  • Verifying Output encoding / canonicalization
  • Verifying Cryptography
  • Verifying Error Handling / Logging
  • Verifying Data Protection
  • Verifying Communications Security
  • Verifying HTTP Security
  • Verifying Configuration
  • Verifying Malicious Code
  • Verifying Internal security controls
  • How to write a decent report and how to communicate (good and) bad news

It’s going to be a long day, so bring your game to the sunny Gold Coast, Australia. OWASP AU is a true bargain compared to commercial offerings.

If you have some training budget, book a ticket and come see me and have a blast!

Book my course now

All about OWASP AU 2009


Although I am unable to attend, I hope you can attend the OWASP EU Summit, to be held next week in Portugal.

There’s going to be lots of discussion about OWASP’s various projects, and work out futures for all of them. It’s going to be a defining event in OWASP’s existence, and I wish I could have been there.

You can find out more about the summit here:


I’ve left my run fairly late for the projects I contribute to (the OWASP Guide, Top 10, Coding Standard, etc), which is a shame, but since chairing a session requires some dedication and time, I couldn’t find folks on the ground in time to replace me. There was talk of me presenting remotely via Skype, but I haven’t followed that up, and the calendar looks very full. We’ll see if there’s a way I can contribute in other ways.

I still need fresh victims^H^H^H^H^H volunteers for the OWASP Developer Guide, Top 10 2009, and Coding Standard. Please e-mail me vanderaj @ owasp . org if you can help write a paragraph or two per day.

Black Hat 2008

Well, I’m back from another year at Black Hat. This time, I taught one of my company’s 2D Web Application Security courses.

I think I may have been one of the very few courses that concentrated on defense, which is Black Hat’s tongue in cheek slogan (“Digital Self Defense”). I taught the folks in there (about a 50/50 mix of devs and PMs/architects/designers etc) not only “this is a SQL injection” but hey, we have a complete solution for this, and this is how it works.

The class was originally 15 – 20 in size, but ended up being more than double that. I’m pleased with the outcome and how many folks really liked the course. Hopefully, it will lead BH into more actual digital self defense rather than just claiming that territory whilst promoting offense, offense, offense.

I met up with a fair number of folks, including Dinis, and all too briefly Jeremiah, RSnake, Arian Evans, the blokes from the NAB (Justin et al), my mate Justin Derry who is now at Fortify, and a bunch of others.

I took in almost all of the appsec 1.0 / webappsec 2.0, except for the last session of the last day. It was a good conference and well worth the visit this year. There are always a couple of weak talks, including the one from the network pen testers who have cottoned on to 0days involving web apps which I found very amusing because they thought they were so hard core and l33t. Here’s a hint guys: if you can’t get 8-20 0days out of any web app, you’re not doing it right. It’s like whack a mole or stealing candy from a sleeping baby. And authorization attacks are automatable if you have the right tools. The only interesting thing from that talk was an extension of the old file format jumble, where some file formats have headers and some have trailers, and thus you can make a valid file that is both one thing and another. They had a GIF and a JAR. Past precedents include both ELF and Win32 binaries (from back in 2001) in the one binary, the 1×1 pixel image that is also a PHP exploit (my favorite). I’m sure there’s others prior to 2001.
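As an added illustration (not code from the original post), here is the defender-side check for the header/trailer jumble described above: a GIF is recognised by its leading signature, a JAR (which is a ZIP) by the end-of-central-directory record near its tail, so a file that satisfies both checks should be flagged rather than trusted on its header alone. The sample bytes are constructed inside the script; nothing is read from disk.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")   # GIF is identified by its header
ZIP_EOCD_SIG = b"PK\x05\x06"          # ZIP/JAR is identified by its trailer


def looks_like_gif(data: bytes) -> bool:
    """Header check: what an image pipeline or content sniffer would see."""
    return data[:6] in GIF_MAGICS


def zip_eocd_offset(data: bytes) -> int:
    """Trailer check: offset of the End Of Central Directory record, or -1.

    The EOCD sits in the last 22 bytes plus an optional comment of up to
    65535 bytes, so only that window at the tail needs to be searched.
    """
    window_start = max(0, len(data) - (22 + 0xFFFF))
    return data.rfind(ZIP_EOCD_SIG, window_start)


def classify(data: bytes) -> str:
    """Report every format the bytes satisfy, not just the first match."""
    is_gif = looks_like_gif(data)
    is_zip = (zip_eocd_offset(data) != -1
              and zipfile.is_zipfile(io.BytesIO(data)))
    if is_gif and is_zip:
        return "polyglot:gif+zip"   # header says image, trailer says archive
    if is_gif:
        return "gif"
    if is_zip:
        return "zip"
    return "unknown"


def build_samples() -> dict:
    """Constructed inputs for demonstration only (not real-world files)."""
    # Minimal GIF stub: signature, 1x1 logical screen, no colour table, trailer.
    gif_stub = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample entry")
    plain_zip = buf.getvalue()
    # GIF bytes followed by ZIP bytes: a header-only check passes this as an
    # image, while any ZIP reader, which works from the tail, sees an archive.
    return {"gif": gif_stub, "zip": plain_zip, "both": gif_stub + plain_zip}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:5s} -> {classify(blob)}")
```

A gateway that sniffs only the first bytes will call the third sample an image; acting on the classify() result instead (reject the upload, or re-encode images server-side so only decoded pixels are stored) is what closes this gap.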

Anyway, enough ranting for me. I had a good time, and I can hardly complain as I was sponsored there by my employer and thus bore nothing of the real costs of this trip.