Tuesday, February 18, 2014

SecAppDev 2014 Reflections from Ido Dubrawsky

Originally posted by Ido Dubrawsky. Reposted with permission.


I recently attended the SecAppDev conference in Leuven, Belgium from February 10th – 14th. The conference is hosted in February at the Faculty Club which is in the Groot Begijnhof van Leuven and organized by Johan Peeters. While I didn’t recognize many of the speakers I have to give special note to three speakers in particular: Ken Van Wyk, Jim Manico, Dr. Bart Preneel.

Ken van Wyk is currently an independent consultant and previously worked at the Software Engineering Institute at Carnegie Mellon. Ken is well known for authorship or contributing authorship to a couple of excellent books on security – most notably O’Reilly’s Secure Coding: Principles and Practices.

Jim Manico is an author and educator of developer security awareness trainings as well as one of the members of the Global Board of Directors for the OWASP foundation. He has a 17 year history building software as a developer and architect and is a frequent speaker on secure software practices. Jim’s energy when he talks is highly infectious and really draws you in to the presentation and discussion.

Dr. Bart Preneel is a professor at KU Leuven focusing primarily on cryptography as a point of his interest. His knowledge of cryptography is expansive and he has a very grounded perspective on what it really takes to provide confidentiality and integrity to data in this day and age of NSA snooping and monitoring. I found his lectures (and there were a fair number of them) very informative and insightful. I definitely learned an enormous amount from him (and from Ken and Jim as well).

The discussions below are not meant to be detailed reporting on the sessions I attended at SecAppDev but rather a general impression – a flavor – of those sessions.  The materials for those sessions are available on the SecAppDev website and recordings of the sessions are available on their YouTube channel.

Monday, February 10, 2014

Having arrived in Brussels at 07:30 I was stuck at the airport for a short while trying to find my luggage.  My flight with Delta had me going through Amsterdam before arriving in Brussels and to my surprise my luggage did not go on the same flight.  Rather, Delta, for reasons I cannot fathom, sent my bag down to Atlanta and from there on a direct flight to Brussels.  So, I didn’t get out of the airport until approximately 08:00 (but hey, at least I had my luggage!).  I took the train from the airport to Leuven and from there walked to The Leuven Institute for Ireland in Europe (also known as the Irish College).   This was kindly arranged for me by Johan Peeters and I thoroughly enjoyed the stay.  After dropping my bags there I got cleaned up and went straight to the conference.  While I missed the first presentation of the day (Principles of Computer Security) I was able to attend three other talks that day: Low Level Exploits and Countermeasures, the SDLC Workshop, and Security Testing Fundamentals.  Each was interesting although the topics were already well known to me.

Tuesday, February 11, 2014

All of the sessions on Tuesday were excellent! I attended Dr. Preneel’s talk on Cryptographic Algorithms first, followed by Dr. George Danezis’ (of the University College London) presentation on Access Control.  In the afternoon I attended Dr. Preneel’s Entity Authentication and Jim Manico’s Entity Authentication and Session Management presentations.  All in all, excellent talks by all of the presenters, with Jim Manico’s Entity Authentication and Session Management being a real eye-opener with material I could immediately use on some projects within Itron and some personal side projects as well.

Wednesday, February 12, 2014

On Wednesday I decided to attend the Threat Modeling session led by Jim DelGrosso of Cigital, Inc in the morning.  I’ve been doing threat modeling on applications and product designs for several years now and I have to agree with Jim – it’s kind of an apprenticing learning curve – the more threat models you do, the better you get at them.  Jim presented a different approach to threat modeling than the one I’m used to but it gave me a lot of good food for thought in how to improve the approach I use.  I have some work ahead of me to make changes but I think it will definitely be for the better.

After the threat modeling session I attended the Advanced Cross-Site Scripting (XSS) Defense session given by Jim Manico.  I definitely learned quite a bit here.  While I can’t go into the details in such a short area I feel that I took away a lot of new insights on how to both test for XSS vulnerabilities in the products I deal with as well as how to defend against XSS exploits.  It may take a little while to integrate that into the development teams’ approach but I think it will definitely be worthwhile.

Finally, I sat in on the SSL/TLS hands-on session given by Thomas Herlea.  Thomas clearly knows his material and this session would have been best given as a two-hour workshop rather than an hour-and-a-half.  We spent quite a bit of time getting the VirtualBox VMs working properly and that tended to be a problem given the time constraints.  The material was good (although I already pretty much knew it) – but I felt that the session was hampered by the difficulties people were having just getting VirtualBox set up.  It would have helped immensely if Thomas had provided the VMs prior to the session along with detailed setup instructions for those who haven’t worked with VirtualBox before.   The material is definitely good – but the presentation and execution of the session was weak.

Thursday, February 13, 2014

Thursday proved to be a fantastic day at the conference.  I spent the morning attending Ken van Wyk’s Hands-on Mobile Apps presentation.  This was an absolutely fun three hours!  Ken is the lead for OWASP’s iGoat project (similar to OWASP’s WebGoat project) which provides an iPhone simulator to learn about some of the attacks against the Apple iPhone platform.  The current version of iGoat is 2.0 and requires Xcode 5.0 on the Mac platform to work – but it’s an amazing tool.  Not only do you learn how to hack the iPhone (albeit, yes, it’s iOS 6 based and iPhone 4 as well) but you also learn how to fix the very problems you’re hacking.  It’s an amazing tool and I highly recommend anyone who has any interest in gaining some level of understanding of the iPhone platform to go and get iGoat.

In the afternoon I attended Dr. Preneel’s Post-Snowden Cryptography session and Lieven Desmet’s Recent Web Security Technology session afterwards.  I was somewhat disappointed that Dr. Preneel didn’t discuss the longer range impacts of the NSA’s actions on cryptography but I found it a very informative and useful discussion nonetheless.  The session on Recent Web Security Technologies provided a very nice window into additional efforts being made in standards groups and in the development of HTML5 to provide more security to websites and to provide additional defenses to current attacks.

Friday, February 14, 2014

In the morning I attended Ken van Wyk’s Hardening Mobile Apps session.  This follow-on (actually it could be done as a standalone presentation as well) to the Hands-on Mobile Apps workshop on Thursday was again, an excellent session.  Ken goes through (as much as is possible to go through in only an hour and a half) how to harden mobile apps on the iPhone and iPad platforms.   I would like to see him develop this into a longer workshop like the Hands-on Mobile Apps workshop the day before.  I think it would be immensely helpful to many developers and app architects.

After the Hardening Mobile Apps session I stayed around for the Authorization with OAuth 2.0 session provided by Jan Van den Bergh. While I haven’t followed OAuth development very much I am aware of some of what’s going on around it.  OAuth started out as a small, independent project that was meant to solve specific problems with authentication on the web.  The OAuth 1.0 specification which came out with RFC 5849 was simple and met the requirements specified by the community and the developers.  As I understand it, and again I haven’t been following OAuth that much lately, as OAuth 2.0 was being developed it became bigger, more complex and much more unwieldy than the original OAuth 1.0.  One of the biggest critics of the OAuth 2.0 specification (and of the standards process as a whole) was Eran Hammer who was the IETF working group editor for the OAuth 2.0 effort.  After three years of work Eran left the IETF working group and disavowed the effort claiming a wide variety of issues – many of which seem quite valid.  OAuth is interesting as it tries to address a very pernicious problem – but the current specification of OAuth 2.0 may be more complex and more unwieldy than is necessary.  I can’t say – but I do understand that there was a lot of bad blood within the IETF working group in the end.  It’s a shame because it’s something that the web needs very badly.

The final session I attended was Dr. Preneel’s Cryptography Best Practices talk.  As with his previous talks this one covered an immense amount of material and provided some good food for thought on how to correctly implement cryptography in products.

While the material presented at a fair amount of the talks I attended was already known to me I still walked away from the overall conference feeling like I had really learned something.  If you have a chance to be in Europe next year and you’re interested in attending an excellent conference focusing on secure application development – I highly recommend you attend SecAppDev.

Friday, February 14, 2014

10 years of SecAppDev

Tonight we are celebrating the 10th anniversary of SecAppDev.

In the summer of 2004, Dirk Dussart, Georges Ataya and I, shocked by the software industry's cavalier attitude to software security, decided to set up a course for developers.
I had worked with Frank Piessens of the KU Leuven DistriNet research group and Bart Preneel from COSIC at previous client engagements and had learned an enormous amount about security from them in the process, so I talked to them. As they are both great teachers, when they said they were on board, I knew we could make this happen.

At the time, Gary McGraw was eloquently chastising the software industry for their bolt-on approach and urging us to, instead, build it in. So, I contacted Gary and asked him whether he could come over and teach a course in Belgium. He immediately said yes.

Dan Wallach, who had been part of the team at Princeton that exposed and then fixed the security holes in the Java 1.0 security model, couldn't make it in February/March 2005, but said he was keen to teach at future sessions.

With such eminent faculty supporting us, we were off to an excellent start. Unfortunately, just a few weeks before the course, Gary had to call off. He apologised and recommended a friend with whom he had been developing course material to take his place. That is how I came to be introduced to Ken van Wyk.

So it was that, on February 28th 2005, the first SecAppDev course kicked off at the Domaine de Freins de Latour in Uccle, Brussels. The next year we moved to the Faculty Club in the Béguinage in Leuven, where we have been since, except for 2012, when we held the course in the Irish College, also in Leuven.

Frank, Bart and Ken have been teaching on every course. Gary McGraw came over several times, as did Dan Wallach. Other great teachers joined and the course became more widely known, which is why we are still here after 10 years.

Whereas in the early days, the course was mainly about building developer security awareness, we shifted our focus and started providing a platform for more leading-edge material on secure application development. This includes the timely confrontation of academic research with professional practice or pitching new, innovative course material by commercial trainers.

As a non-profit organisation, set up to raise the standard of secure software engineering, the best possible outcome would be that we would become obsolete. While we have traveled a long road in the last ten years, our mission has, sadly, not lost any relevance; while security awareness has certainly increased, we are not in a good place. Our society has come to depend on vulnerable IT systems for most of its critical infrastructure. This may well lead to increasingly spectacular failures.

But there is something else even more insidious. In essence, security is about how well you can control your own destiny. This ability to give direction and purpose to life increased significantly in the decades since WWII. But it looks like this trend is being reversed with IT systems that are being compromised to steal from us, invade our privacy or just randomly fail.

I believe that we can do better than this and that history will judge our generation on how well we rise to this challenge.

Every year I take heart from this course, because it is always an inspiration to spend a week with people who are passionate about this historic challenge. This community has come to mean a lot to me and I want to thank all of you for your dedication. Thank you Frank, Bart and Ken for your great contributions as teachers, and also as members of the non-profit board. Thank you, Lieven Desmet for joining the board, curating the course for the last couple of years and being a great organiser. Thank you, Jim Manico. You are a great teacher and lend us very vocal support, both on our board and in the wider community. Thanks to Gary McGraw for your contributions as a teacher and serving on our program committee. Thank you to all the other great teachers that have taught on this course in the past 10 years. And thank you to all participants over those 10 years. Your passion and enthusiasm inspired us to continue this activity. Last but not least, I want to thank my wife, Caroline Greenman, for all her support. Not only has she put up with me investing way more than a reasonable amount of time into this hobby, she actively helps to host the event.

Thank you all for the past 10 years. I thoroughly enjoyed it. I am looking forward to the next 10.

Wednesday, February 12, 2014

Welcome to the SecAppDev Blog!

SecAppDev courses are run by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. Katholieke Universiteit Leuven and Solvay Brussels School of Economics and Management are founding partners.

When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.

We do not target security experts nor developers of security products, but rather developers who, while security is not their main focus, nonetheless need to be sufficiently security-savvy to deliver reliable applications.

We believe that learning requires active engagement with the topic. We therefore promote interactivity, both in the classroom as well as outside - the courses are run in the inspiring surroundings of an outstanding béguinage in Leuven, and we have a well-attended social program.

Experiential learning sessions, including hands-on sessions and workshops, have been a much appreciated addition of the last couple of years.

Thank you and we hope to see you at the next SecAppDev!