Archive for August, 2007

Two Bits — RIA wiki page and CapSec

Wednesday, August 29th, 2007

four bits . . . six bits . . . a dollar?

Two items of interest –

1. The OWASP wiki page following up on the meeting on the 23rd, where we discussed RIAs (Rich Interactive/Internet Applications; the “I” stands for different things depending on which vendor you quote), is here:

http://www.owasp.org/index.php/RIA_Security_Smackdown

If you are on the OWASP wiki, you can of course contribute.

2. CapSec is TONIGHT at the Brickskeller in Dupont Circle. Once the new job stops kicking my butt (probably some time in September) I may put a website up for it. If you’re in DC, please stop by; we’ll be getting going around 7:30 PM.

August OWASP DC Meeting

Sunday, August 26th, 2007

At last Thursday’s OWASP DC meeting at Aspect Security in Columbia, Andre Ludwig presented an examination of various application frameworks that are currently coming to the forefront in the web and internet-rich application world. The presentation was a feature-level review of the frameworks in question, and though Andre apologized for it not being in-depth, the presentation and the resulting discussion filled a three-hour meeting.

The presentation covered Adobe AIR, Google Gears, Microsoft Silverlight, and Sun’s JavaFX. The future of these types of applications was the source of much water cooler talk at Black Hat, even among luminaries such as Dan Kaminsky and Jeremiah Grossman. Flash and the technologies it has spawned are viewed by many as the biggest areas of exploration — and future woes. The Rich Interactive/Internet Application frameworks each extend web applications in a different direction: some of them provide extra capabilities or access to web applications, and others move the application from the web browser to the desktop.


Security Meetups for the end of August

Wednesday, August 22nd, 2007

I’ve been very busy with the new gig, but there are some security meetups in the near future that merit mentioning:

Thursday, August 23rd: OWASP DC is having a meeting at the offices of Aspect Security in Columbia, MD at 6 PM.

Aspect is located at 9175 Guilford Road (Suite 300) in Columbia MD.

Thursday, August 30th: CapSec is having its third meetup at 7:30 PM at the Brickskeller near Dupont Circle in Washington, DC. CapSec doesn’t have a website yet, but I may stand something up just so that it has a point for distributing information. This is one of the CitySec-style meetups: no real agenda, just stop by, have a beer, and gab with other people in the information security field. I’m curious to see who made it to Black Hat or Defcon, and any interesting stories they may have.

Thursday, September 6th: OWASP DC and OWASP VA are participating in this year’s OWASP Live O event by holding a mini-conference. Unfortunately, Live O doesn’t have an official website yet either. The registration for the conference is here; register soon if you are interested, since all of the venues they are considering will probably have an attendance cap. The conference WILL be starting during the day, at around 1 PM, so be aware of this if you want to attend.

Current scheduled presentations are:

* Honeyclients and Malicious Web Servers  – Kathy Wang – Mitre
* A malcode perspective on web application privacy – Blake Hartstein – iDefense
* Practical Web Privacy with Firefox – Chuck Willis – Mandiant
* A sneak peek at Jeff’s new “Enterprise Security API” – Jeff Williams – Aspect Security/OWASP
* Digital Rights Management – James Stibbards – Cloakware

A Change for Me

Wednesday, August 15th, 2007

Most of the people reading the blog right now may already know this, but this Friday will be my last day at the job I have held for over five years. I have been a systems engineer and administrator at the National Institutes of Health, wearing a wide variety of hats for the Enterprise Messaging and Infrastructure Branch at the Center for Information Technology.

The new opportunity I have been presented has a wide variety of things going for it, but one facet I’ve had a hard time getting my head around is that it is NOT primarily a security position. I’ve always been the guy who “also does security” at every IT job I’ve ever had, and for the past few years I’ve been “THE security guy” in my group. It will be odd for that not to be my primary focus anymore.

So why the change?

The new gig is as an Application Engineer (and Architect) for various systems at a contracting company, working primarily with Adobe’s enterprise solutions such as LiveCycle and Acrobat Connect. Other hats I’ve worn over the years are high availability, multi-tiered application architecture, and networking; together, these are what are leading the charge in the new direction. I’m very excited about the potential, as I think that (for want of a better term) presence-empowering applications are the wave of the future on the internet, and technologies based on Flash are (for a variety of reasons) the way to go when moving beyond things that work inside the traditional HTTP framework and its requirements. Asynchronous apps have done amazing things in the past few years, and in many ways have greatly improved the user experience, to the point that the name “asynchronous” is misleading. But as things approach “synchronous” interaction (through varieties of streaming media and data exchanges), the playing field changes.

Already the web is showing that the future resides not just with applications created by vendors, but with application systems. The projects I work on will use various technologies out of boxes with different labels on them, but the system as a whole that is created will (hopefully) be greater than the sum of its parts. Presence-empowering applications will hopefully evolve into something that bridges the gap between the synchronous and the asynchronous, and then they will truly rule the net.

Why?


BarCamp DC

Sunday, August 12th, 2007

This past weekend, I was privileged to attend BarCamp DC and give a presentation on Web Application Security.

The BarCamp DC site has plenty of information on what it was, so I’ll just let you follow the link if it’s new to you. The “un-conference” was actually much more organized than previous BarCamps I’ve heard of. I believe it’s the first time it’s been done in DC in a few years, so it was something new for a lot of the folks involved in it as well.

We got there a little later than we would have liked, and unfortunately got the last time slot of the day for our presentation. But we made the most of it, and though I admit I did more networking and socializing than attending sessions, I had a great time and thought there was good value in attending the event.

Our presentation was a little squeezed for time: we had a 45-minute slot, and because it was the last one of the day it was really only a 40-minute slot . . . and the presentation really runs about an hour. But we did the best we could and achieved our goal: many in our audience cared enough to follow up and ask questions, and seemed to genuinely care about a lot of the potential issues and problems discussed and how they might affect their work and their world. A lot of people wanted to stick it out to the end even though we ran long, and we may get to do an encore at Refresh DC in November, if all goes well.
