I went to a great number of interesting sessions. Most were not that well attended, which probably means that I’m a freak who loves odd ball stuff. That’s a shame, because I got a heap out of the conference overall.

Some highlights:

Cloud talks were everywhere. This is the new Ajax. I went to enough cloud talks to be all clouded out. A common theme is who owns the data and how open are cloud systems, really? Open core versus open source was a huge meme.

Breaking it open: How one consulting firm took it open. This was easily the most thought provoking session I attended in all of OSCON. It’s a shame only about 20 others caught it too. Rob and Alexandra were totally engaging and gave heaps of insights to what worked, and more importantly some of the hiccups that hit them unexpectedly, like the Excel spreadsheet from hell.

Moving to the cloud with NYTimes. This was one of those cloudy talks I told you about. I didn’t learn a lot that I didn’t already know, but it was interesting to learn how it went down at NYT.

Deploying an open source cloud on a shoestring. This topic was close to my heart as we’re doing it, but I sank a little when I learnt of the exact scale of the AT&T Labs deployment. In the end, I think different folks have different meanings for “shoe string”. Good talk, as I learnt a fair amount about realistic cloud architecture.

Eucalyptus: the open source infrastructure for cloud systems. Another cloud talk.

Data center automation with Puppet. I went to the latter part of the Puppet tutorial, so I didn’t learn much new at this session, but that’s okay. Puppet will probably end up as part of our infrastructure (need to talk to the guys).

Driving Apache Traffic Server. This talk rocked. Lots of cool information about how Yahoo does their CDN, and the resurrection of a really old (and closed) code base into what is ATS today. I’m going to try it out, but it may not suit our needs as it doesn’t do true SSL load balancing (today).

The hall way track was also pretty dang fine. I met and introduced myself to many folks I’d only seen on Twitter or the blogosphere. I took in the latter half of the phpBB BoF and met the guys, which was cool as I could finally put names to faces. I ran the OWASP BoF session on Thursday night, which had a few folks turn up, including the Portland Chapter Leader.

Internet sucked big time most days. I think the next time I come, I’ll bring a smaller laptop or an iPad or something with a long battery life as finding space near power all the time sucked. This is partially because my Mac’s battery or logic board is failing, but it is also partially a home truth – there’s only so much coding I did during the days as I found most of the talks so engaging and relevant to my interests.

It’s interesting to see the latest fads. For those who had > 13″ laptops, Macs were about 20 to 1 the favorite choice. Netbooks were very common (probably about 15-20% of the crowd), but I saw more iPads than netbooks, which surprised me as it’s so read only, and this conference is not a read only crowd.

All in all, a satisfying and interesting conference let down by the complete lack of security talks.

Scalable Internet Architecture – Theo Schlossnagle

I’m very sorry Theo, but I couldn’t take much more hand waving and so I left at half time. I think this is more about where I am in my career – most folks seemed interested and what not, but this session was the wrong one for me. So I bailed.

Using Puppet – A beginner’s tutorial – James Turnbull and Jeff McCune

James and Greg were on song and I really should gone with my initial gut feeling and gone for this talk from the get go. Excellent hands on tute filling in the gaps in my Puppet knowledge. I’ll be taking the lessons learnt from the half tute I managed to attend back. We might even implement Puppet! Seems fairly straightforward.

Request Tracker Bootcamp – Jesse Vincent

This is the primary reason I plumped for OSCON 2010. There are a few talks over the next few days, but we use RT … badly … within our organization, and that needs fixing. I learnt nearly everything I needed to use it properly, including:

• The RTFM module – mark out a solution as the appropriate answer. This is exactly what we need
• The RTIR incident response module – a solution for CERT style incident handling. This is not quite what we do, but I will look at it anyway.
• The PGP plugin. Definitely going to try and get this going.
• How to fix a few niggling issues. I entered some new tickets for me to handle when I get back.
• How to configure custom fields … good to know for future enhancements to our use of RT

I’m glad I attended – this was a great session and definitely recommended to anyone using RT. Jesse is a good tutor, and as the original author, he definitely knows his stuff.

In other news

I headed into Portland city for the first time to go get my Mac serviced. The light rail is eerie – it’s just like Melbourne trams, but more segregated from traffic. Getting taxis is a fools errand in Portland. Public transport is king here baby.

My Mac’s battery had been dying unexpectedly over the last month or so, especially at the least reasonable times. At other times, the battery would last a good two and a bit hours (like today), but the randomness of it all is distressing, especially when there’s data loss. So I made an appointment with the Apple Genius Bar yesterday, and popped in today.

They ran some diagnostics. My battery was found to be acceptable albeit towards the end of its working life. The power adapter is fine. That means if the issue continues, I will need a new logic board. On an out of warranty Mac. DOH! Could get expensive.

I came back and had dinner with an ex-colleague of mine – Paul Hanchett. They’re doing it hard in the USA. We didn’t really have much of a GFC in Australia, but here… whoa. I see on Twitter (#oscon) I missed OSCON Ignite. The in crowd liked it very much, but … I’d still rather have dinner with an old friend than do more slides today.

I flew on the new A380 with Qantas. Nice plane. As per usual, there’s a mix of flight attendants – the openly hostile, the “can’t see you, didn’t see you”, and my favorite, the “never around”. We were down the back of the aircraft, which is fun if you like turbulence (I do), but not so fun for the elderly couple next to me. There was a party of teens in the middle section who had no in flight entertainment units. The units are ancient and have been recycled from other aircraft – and take about 10 minutes to reboot. They run Red Hat Linux from 2002 on some VIA Cyrus processor. So it was like a little party. I got like one hour of fitful sleep  in the 16 hour flight.

LAX is better. They ripped out the old customs hall, and replaced it with something like an airport instead of a manifestation of hell on earth. The customs folks even smiled. I’m not sure what about, but it feels more human than previous times.

There was a stuff up with my hotel and teknology fangummy (they’ve heard about it but don’t think it’ll catch on), but luckily, Australian business hours had just begun and I was in about 28 hours after leaving my folks place.

PHP Quality Assistance – Sebastian Bergmann

My first tutorial was Sebastian Bergmann of PHP Unit fame.

This was an awesome tutorial, and I found out a lot about tools that I had only just started to scratch the surface with. I am definitely going to setup a continuous integration server for my projects whilst I’m in Portland.

Sebastian was a good speaker, but I would have liked more demos in the first half. The demo of Hudson was possibly more informative than the slides itself. Definitely recommend seeing more Sebastion Bergmann talks!

Slides

Productive Programmer – Neal Ford

I attended this session with high hopes as most Thought Works folks I’ve met have been very switched on. Neal seems very switched on, but … this talk started out very slow and covered blindly obvious things that I think we’re all familiar with (source code control, comfy chairs, etc). The tutorial was definitely looking like a hated “hand waving” tutorials.

I considered bailing but none of the other talks in this time slot really were yelling my name. I might have tried Chris Shiflett’s tute as he’s a friend, but I wouldn’t learn much there, so I stayed for the second half.

The second half was a Top 10 with a small Top 10 “Corporate Code Smells” inside. Luckily, the second half was a bit more edifying and informative, but more from a “food for thought” point of view rather than any special insights into enterprise architecture or techniques that I’ve never heard before. This could be due to the point where I am in my career, but I was hoping for more.

The main things I learnt were the hard lessons learnt from Neal’s career. I wish there was more war stories with solutions, and far more detail throughout. If I was Neal, I’d look hard at thinking about the OSCON audience. These guys are mostly devs looking to make the jump to architect. Refactor the talk to be about that jump, the patterns, the scalability of ideas, and so on. Then it would be a HUGE improvement over the comfy chair talk we got today.

The thing I really didn’t like was the slamming of WebSphere (“#1 Code Smell. There’s a reason that WSAD is not WHAPPY”). Slammed not once, but twice in the same list. I don’t like WSAD that much either (it’s an overpriced Eclipse + J2EE reference container + IBM’s own special plugins and “enterprise” / cluster juice), but it’s like saying “your tool sucks”. Yes, but it didn’t need to be said twice in the same list, and I think most folks in the room who actually use it are forced to use it, and are unlikely to be able to move away from it. If you need the things WSAD can do, there’s few alternatives today.

Slides TBA

OWASP – Birds of a Feather

I’ve set up a OWASP Birds of a Feather session at 8 pm on Thursday night in D136. Hope to see you there!

A sample of non-functional requirements in the OSCON 2010 program:

• Configuration Management – check*
• Deployment – check
• Documentation – check
• Efficiency – check*
• Legal issues – check
• Performance – check*
• Maintainability – check*
• Quality – check*
• Scalability – check*
• Testability – check*

* I’m going to a few of these tutes and talks

And what they don’t cover:

• Compliance – 0 talks
• Privacy – 0 talks
• Safety – 0 talks
• Security – 0 talks, 1 three hour tutorial

And yet, security is the only NFR that can close your business, destroy shareholder value, get you sued, cost you dearly in compliance and remediation costs, limit your organization or project to irrelevance, and destroy privacy for millions of folks in one fell swoop of ineptitude and cluelessness.

One day, the papers committee will get a clue. It’s not 2010, though.

So all my open source chums – see you in Portland!

Program highlights:

• Keynote: Ross Anderson from Cambridge University. I’ve wanted to meet Ross for many years. Those guys are legends!
• Keynote: Bruce Schneier. I bet there are groupies
• w3af – Andrés Riancho. This is one of the best free toolkits I’ve tried recently. It’s awesome.
• HTTP Parameter Pollution, Luca Carettoni, Independent Researcher & Stefano Di Paola
• OWASP Source Code Flaws Top 10 Project, Paulo Perego, Spike Reply
• O2 Advanced Source Code Analysis Toolkit, Dinis Cruz
• … many others!

Although I would love to be there – I had a blast at OWASP EU 2006, I can’t attend this year. Which is a shame, because OWASP AU 2009 was huge fun, and I can’t imagine OWASP EU 2009 would be anything less.Don’t make the same mistake as me! Book now!

The training materials I’ve developed using OWASP ASVS covers all the ground in the ASVS in one day, from a developer perspective:

• About the Application Security Verification Standard
• What you need to verify code
• About Risk 
• The ASVS Levels
• Verifying Architecture
• Verifying Authentication
• Verifying Session Management
• Verifying Access Control
• Verifying Input validation
• Verifying Output encoding / canonicalization
• Verifying Cryptography
• Verifying Error Handling / Logging
• Verifying Data Protection
• Verifying Communications Security
• Verifying HTTP Security
• Verifying Configuration
• Verifying Malicious Code
• Verifying Internal security controls
• How to write a decent report and how to communicate (good and) bad news 

It’s going to be a long day, so bring your game to the sunny Gold Coast, Australia. OWASP AU is a true bargain compared to commercial offerings.

If you have some training budget, book a ticket and come see me and have a blast!

Book my course now

All about OWASP AU 2009

There’s going to be lots of discussion about OWASP’s various projects, and work out futures for all of them. It’s going to be a defining event in OWASP’s existence, and I wish I could have been there.

You can find out more about the summit here:

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

I’ve left my run fairly late for the projects I contribute to (the OWASP Guide, Top 10, Coding Standard, etc), which is a shame, but since chairing a session requires some dedication and time, I couldn’t find folks on the ground in time to replace me. There was talk of me presenting remotely via Skype, but I haven’t followed that up, and the calendar looks very full. We’ll see if there’s a way I contribute in other ways.

I still need fresh victims^H^H^H^H^H volunteers for the OWASP Developer Guide, Top 10 2009, and Coding Standard. Please e-mail me vanderaj @ owasp . org if you can help write a paragraph or two per day.

I think I may have been one of the very few courses that concentrated on defense, which is Black Hat’s tongue in cheek slogan (“Digital Self Defense”). I taught the folks in there (about a 50/50 mix of devs and PMs/architects/designers etc) not only “this is a SQL injection” but hey, we have a complete solution for this, and this is how it works.

The class was originally 15 – 20 in size, but ended up being more than double that. I’m pleased with the outcome and how many folks really liked the course. Hopefully, it will lead BH into more actual digital self defense rather than just claiming that territory whilst promoting offense, offense, offense.

I met up with a fair number of folks, including Dinis, and all too briefly Jeremiah, RSnake, Arian Evans, the blokes from the NAB (Justin et al), my mate Justin Derry who is now at Fortify, and a bunch of others.

I took in almost all of the appsec 1.0 / webappsec 2.0, except for the last session of the last day. It was a good conference and well worth the visit this year. There are always a couple of weak talks, including the one from the network pen testers who have cottoned on to 0days involving web apps which I found very amusing because they thought they were so hard core and l33t. Here’s a hint guys: if you can’t get 8-20 0days out of any web app, you’re not doing it right. It’s like whack a mole or stealing candy from a sleeping baby. And authorization attacks are automatable if you have the right tools. The only interesting thing from that talk was an extension of the old file format jumble, where some file formats have headers and some have trailers, and thus you can make a valid file that is both one thing and another. They had a GIF and a JAR. Past precedents include both ELF and Win32 binaries (from back in 2001) in the one binary, the 1×1 pixel image that is also a PHP exploit (my favorite). I’m sure there’s others prior to 2001.

Anyway, enough ranting for me. I had a good time, and I can hardly complain as I was sponsored there by my employer and thus bore nothing of the real costs of this trip.

I’ve identified the following security talks for those security folks still considering going to OSCON (although I’d recommend saving your money for OWASP USA as we already have a schedule of 45 web app sec talks in three tracks, and two full days of tutorials, including several two day courses where you’ve got an actual chance of learning something. Just saying.)

• Securing the PHP environment with phpsecinfo, by Ed Finkler. This should be good – I’ve used it before and it’s a pretty cool way to tie down PHP properly. And Ed has contributed Inspekt to OWASP, and therefore he’s cool by me.
• PHP: Architecture, Scalability and Security, by Rasmus. Rasmus knows what he is talking about, but I don’t know how deep the security aspect will be. Hopefully, enough as it’s a three hour talk.
• PHP Taint Tool: It ain’t a parser, by Luke Wellings, a friend of mine from Australia who now lives with his lovely wife in Columbia MD. I’d love to see this tool in action.
• Hack this App! PHP security workshop, the usual sort of scare the punters talk common in talks at conferences I attended about 5-10 years ago. I really hope there’s some solutions in this one. There’s no point in saying you have a problem unless you have a solution, which is what all three of my submitted talks were. Especially the one on securing PHP apps and ESAPI for Java (although we have a completed .NET and soon a PHP port now)
• Perl Security, three hour talk by Paul Fenwick, also an Australian of my acquaintance
• How to improve quality and security automatically in your open source projects with static analysis, by David Maxwell (Coverity). Hopefully, this is just not a vendor plug, but even if it is … it is about solutions, and I like that.
• Security 2.0: Emerging Trends in Web Application Security, by Chris Shiflett. Also a friend, but sadly, not Australian.

So five talks and two three hour longer talks. Here it is in graphical format for you:

A couple of the talks are likely to not offer that much in the way of solutions. Sadly, no Ruby, Python, administration, database, emerging topics, or people security talks. Worse, there are no Java security talks, which for an semi-incomplete track, I found sort of astounding, especially as I submitted two Java security talks and one PHP talk. The official “security” track has two three hour talks, both detailed above. Even if you look at it from the point of view of OSCON having 16 tracks, hopefully with equal time for all of the tracks assuming there was a lot of competition for speaking slots, there should be 215/16 = ~ 13.4 security talks, not 7.

Although I am glad my friends are accepted whilst talking about security, I think OSCON needs a new program committee. This one is broken.

• Training Schedule
• Conference Schedule
• Secure Registration

This is the conference track I dream about when I cry to myself re: lack of web application security in other security conferences. Awesome speakers, the Breach cocktail party (register now! Breach’s OWASP / WASC party at Blackhat’s was awesome).

I believe we are still looking for sponsors, so if you have a lead there, mail conferences ‘at’ owasp.org.

I really appreciate the WASC folks for taking a chance on collaborating with us at OWASP. With their help on the ground and on the papers committee, I think this will be one of the best appsec conferences ever! I hope to be there, but as my wife is nearly due, I may not get a leave pass from the Minister of War and Finance.