LogoSquare

Denim Group Website

About

My Photo
Powered by TypePad

Recent Posts

Categories

Subscribe to this blog's feed

Archives

Add me to your TypePad People list
Denim Group



Programming Blogs - Blog Catalog Blog Directory

January 26, 2009

The Road to Houston TechFest

By Dan Cornell

I was up in Houston last weekend for the rescheduled Houston TechFest.  The hurricane delayed this from the original date, but the event was still packed.

I flew into Houston for the day to give my talk on Static Analysis Techniques for Testing Application Security.  Unfortunately, when I was headed to my early-morning flight, I noticed that the airport had been overrun by birds:
IMG_0193
Yikes!  I didn't know who my pilot was, but I wasn't convinced he would be able to successfully land a 737 in the San Antonio River.  After all, the Hudson is a little wider than the Riverwalk...

Fortunately I made it to Houston all right and checked in with the TechFest folks.  The event was at the University of Houston so I went to the bottom of the student center where the event was being held to try and get some work done before my talk.  I soon found myself trapped between a bunch of martial arts students:
IMG_0195
And some folks playing "Magic - The Gathering" :
IMG_0196
No offense to the "Magic - The Gathering" crowd, but I had to cast my lot with the martial arts folks.  Cards representing elven chain mail and whatnot are no match for a crowd of folks ready to break actual bricks with their hands.

Fortunately everyone got to remain friends and I made it to my talk unscathed.

There was a great group there and we had some great questions such as:

  • Does the fact that most .NET static analysis tools rely on decompiling MISL make .NET, as a language, less secure than Java? (Both Java bytecodes and .NET MSIL are pretty easy to decompile, so there aren't a ton of differences there.  .NET static analysis tools usually use MSIL binaries because .NET code exists in a variety of languages and it is easier to write one parser/decompiler for MSIL that will work for all .NET languages wheras Java bytecode is almost always compiled from Java source code, thus making Java source or Java bytecode reasonably equally attractive choices for tool builders.)
  • Are there any subsets of PMD rules that are best for running security checks? (There are security-specific PMD checks, but they are mainly related to API misuse.  I don't know of any collection that includes the explicit security rules along with rules from other categories that often have security implications.)

One thing I talked about Saturday that was relatively new was the OWASP Open Review Project (ORPRO) which provides advanced static analysis capabilities for open source projects.

Overall it was a great session and I will be posting the slide deck shortly.

--Dan
dan _at_ denimgroup.com

January 26, 2009 in .NET Users Group, Application Security Tools, Blogs, Conferences, Dan Cornell, Denim Group, Dynamic Analysis, Fortify, Information Security, Java, Microsoft, Open Source, OWASP, Pro Services Life, Science, Security, Speaking Events, Static Analysis, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)

Videos from SegSaddle Visit

By Dan Cornell

Yesterday I posted about SegSaddle's presentation to the Denim Group Lunch and Learn program.  I put together a YouTube playlist with videos from the SegSaddle visit to Denim Group.

Here they are:





--Dan
dan _at_ denimgroup.com

January 26, 2009 in Blogs, Dan Cornell, Denim Group, Pro Services Life, Science, Web/Tech | | Comments (1) | TrackBack (0)

January 25, 2009

SegSaddle Visits Denim Group

By Dan Cornell

One of the great things we do at Denim Group is our Lunch and Learn program where we have lunchtime presentations from Denim Group folks as well as others.  We were fortunate enough to have Brian Hughes and Lissa Martinez from SegSaddle drop by the office last Friday to give a talk and - more importantly - let us try out their products.  SegSaddle makes after-market modifications for the Segway Personal Transporter to make it more useful for a wider range of people.

Brian talked us through the design of their SegSaddle and SegSurrey products that allow Segway riders to sit while riding.  Then we all got to take turns riding.

DanSegSurrey3
The SegSurrey was so easy to ride even I could figure it out.

SegSurrey_Greg
Greg trests his skills on the in-office slalom course.

SegSurrey_Lucas
Lucas and Brian.

DarylSegSurrey1
Brian shows Daryl the ropes.

There are some more photos of the event up here on Flickr.

Thanks again to Brian and Lissa.  We have had some great Lunch and Learn presentations, but getting the chance to try out their Segway modifications really took the cake.

SegSaddle_BrianLissaMugPresentation
Lissa and Brian received Denim Group mugs and PostIt notes for their troubles.  Exciting!

--Dan
dan _at_ denimgroup.com

January 25, 2009 in Blogs, Dan Cornell, Denim Group, Pro Services Life, Science, Web/Tech | | Comments (0) | TrackBack (0)

November 05, 2008

OWASP EU Summit in Portugal: Monday

By Dan Cornell

OWASPBoard

This week I'm in Portugal at the OWASP EU Summit '08.

Just after I arrived on Monday I had the opportunity to talk about AJAX security and sprajax to a group of students at the 1 day OWASP event at the University of Algarve.  The slide deck was a shortened version of the one from when I presented at OWASP Montgomery.  I always enjoy speaking to University students because you have to work hard to frame the material in the appropriate context.  For example - how do you explain SQL injection to someone who has never written a database application?  How to explain PCI compliance to someone who has never worked inside an enterprise that takes credit cards?

I finally got some sleep Monday night after a day and a half of flights, airport wait time, presentations to University students and the conference kickoff.  This is shaping up to be a great event.  More to come.

--Dan
dan _at_ denimgroup.com

November 05, 2008 in AJAX, Application Security Tools, Conferences, Dan Cornell, Denim Group, Fortify, Information Security, Java, Open Source, OWASP, Pro Services Life, Science, Security, Static Analysis, Threat Modeling, Training, Travel, Web 2.0, Web Application Security, Web/Tech | | Comments (0) | TrackBack (0)