Monday, 23 March 2015

Making Applications Secure



Developing applications that are secure is becoming an essential part of the toolkit of any programmer, and project managers are increasingly tasked to ‘Make it more secure - we don’t want to be the next headline…’ In 2015, this has become a major priority for many people.

So if you want a week of immersive training in making mobile, web and other applications more secure, then I thoroughly recommend the SecAppDev conference. It’s an intense programme of background lectures where you learn the theory, and hands-on workshops where you get to try it out for real. Even better, it’s set in a renovated 17th-century university location 25 kilometres east of Brussels, arguably the epicentre of Europe, and easy to get to by train or plane. Leuven is a charming ‘student city’ venue, full of bikes and cobbled streets, and you can walk to just about anywhere inside the ring road in less than half an hour. The cars on that outer ring aren’t allowed far into the central area, so apart from a few buses, students and bikes rule! There’s a very good overview of the history of Leuven here: https://www.cosic.esat.kuleuven.be/course/about_leuven.shtml

The SecAppDev conference is held in the Faculty Club, to the south of the centre of Leuven. http://www.facultyclub.be/en/ It’s a perfect mix of old exteriors and modern interiors, and whilst this is the Dutch/Flemish part of Belgium, the conference language is English. KU Leuven, the University of Leuven, founded in 1425, is the oldest Catholic University in the world.

Inside the conference, you step straight into the 21st century. The two-track programme covers topics like post-Snowden security, cryptography, hands-on TLS, the SDL, Threat Modelling, and web/mobile hardening. I like following a topic and getting immersed, so I went to the sessions where the introductory lecture covered the theory and the double-length session that followed provided a detailed hands-on workshop, with plenty of opportunity to dig deep into the material. Pre-prepared VMs are used for some of the workshops, so that everyone has an isolated and common starting point. I was particularly impressed with the TLS session, where you configured an Apache web server (on Fedora) from scratch so that HTTPS worked properly, using mod_ssl and OpenSSL: generating a key pair with OpenSSL, creating a CSR, and replacing the default self-signed certificate with a trustable one issued by a CA… The Threat Modelling workshop was notable too, with teams competing to find flaws in a web system. The lecturers were all very familiar with their subject matter, and I learnt a lot.
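For readers who want to see what the TLS workshop’s key-pair, CSR and CA steps look like on the command line, here is an added example of my own; it is not SecAppDev course material and does not reproduce the workshop’s VM. It generates an RSA key and a CSR with OpenSSL, checks that the CSR really belongs to the key, then has a throwaway local CA stand in for the real CA (which is where the CSR would normally be sent) so the whole flow can run offline, and finally prints the mod_ssl directives that point Apache at the resulting files. The hostname, organisation names, working directory and the Fedora certificate paths are placeholders I chose; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not SecAppDev material): key pair -> CSR -> CA-signed cert,
# with the checks an operator should run before trusting the result.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"              # constructed: scratch directory
HOSTNAME_FQDN="${HOSTNAME_FQDN:-www.example.test}"   # placeholder server name

# 1. Private key. It stays on the server; only the CSR goes to the CA.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"   # only the httpd startup (root) needs to read it
}

# 2. CSR with the hostname as CN and as a subjectAltName; clients check the SAN.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/C=BE/O=Example Org/CN=$HOSTNAME_FQDN" \
        -addext "subjectAltName=DNS:$HOSTNAME_FQDN" 2>/dev/null
}

# Check the CSR: its public key must match our private key (same modulus) and
# its self-signature must verify. Returns non-zero if either check fails.
verify_csr() {
    key_mod=$(openssl rsa -in "$WORKDIR/server.key" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$WORKDIR/server.csr" -noout -modulus 2>/dev/null)
    [ "$key_mod" = "$csr_mod" ] || return 1
    openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1
}

# Show the subject so it can be eyeballed before the CSR is submitted.
csr_subject() {
    openssl req -in "$WORKDIR/server.csr" -noout -subject 2>/dev/null
}

# 3. Stand-in CA. In production this step is done by the real CA; here a
#    throwaway local root signs the CSR so the example runs offline.
sign_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/C=BE/O=Demo CA/CN=Demo Root" 2>/dev/null
    # x509 -req does not copy CSR extensions on older OpenSSL; supply the SAN.
    printf 'subjectAltName=DNS:%s\n' "$HOSTNAME_FQDN" > "$WORKDIR/san.ext"
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORKDIR/san.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Verify the issued certificate chains to the CA that is supposed to have signed it.
verify_cert_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Confirm the issued certificate carries the hostname as a SAN.
cert_has_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$HOSTNAME_FQDN"
}

# 4. mod_ssl directives for the vhost (Fedora default paths assumed), printed
#    rather than installed so the example does not touch a real httpd config.
apache_directives() {
    cat <<EOF
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile    /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
EOF
}

run_flow() {
    gen_key && gen_csr && verify_csr && sign_with_local_ca \
        && verify_cert_chain && cert_has_san
}

# Run the whole flow when invoked as a script (sh this_file.sh run).
if [ "${1:-}" = "run" ]; then
    run_flow && echo "key, CSR and CA-signed cert OK in $WORKDIR" && apache_directives
fi
```

The modulus comparison in `verify_csr` is the check people most often skip: a CSR generated against the wrong key will be signed happily by the CA and then fail at Apache startup with a key/certificate mismatch.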

If a day of intense learning wasn’t enough, the local chapter of OWASP had an evening event on the Tuesday night, which was an opportunity for more learning and networking. With the Computer Security and Industrial Cryptography (COSIC) research group and the Department of Electrical Engineering nearby, and the meeting being held in the Department of Computer Science, there was a large and informed audience.

There is a wealth of information on the SecAppDev website ( http://secappdev.org ), with handouts going back to 2007 (the first SecAppDev was in 2005, so this was the 11th conference!), video recordings of lectures before 2013, a YouTube channel for more recent videos ( https://www.youtube.com/channel/UCSii2fuiLLlGqaR6sR_y0rA ), and a blog which has an entry that describes the user experience in more detail: http://secappdev-org.blogspot.co.uk/2014/02/secappdev-2014-reflections-from-ido.html

Secappdev.org is a non-profit organisation whose aim is to broaden security awareness in the development community and advance secure software engineering practices. For me, the week at SecAppDev 2015 taught me a lot, provided consistently excellent interactive workshops, good networking and follow-up opportunities, and was totally worthwhile. If you develop, or manage developers, or just want to be ‘security-savvy’, then you should be considering attending SecAppDev 2016!

Oh yes, and the food at the Faculty Club was wonderful!


Sunday, 15 March 2015

Pause for thought

I've read enough blogs to recognise the signs. An initial flurry of posts, then a few pauses, then a few more bursts, then a longer pause, followed by a burst, and then just a single post, and then... nothing.

Usually that's it. There are lots of possible explanations: the blog writer has got a new job, or moved on, or something else. Whereas a newspaper column would quickly be replaced, blogs are different. They continue to exist on the Interweb, although that increasingly out-of-date 'last' entry is like a flag that hints at an underlying 'story' or maybe just a simple reason, but no more than that. Like:

http://nancyspoint.com/when-bloggers-stop-blogging/

https://smartblogger.com/mediocre-blogger/

https://www.nomipalony.com/gdpr-for-bloggers/

But sometimes it is different...

(And sometimes it is self-inflicted: https://moz.com/blog/12-things-that-will-kill-your-blog-post-every-time )

Last or Final?

When people post to blogs, the 'latest' post is also the 'last' post - in the sense of the 'last so far'. Irregular postings that don't say 'this is my final post' are always going to be the 'most recent', 'latest', 'last so far', etc. Interestingly, even a 'final' post could be followed by a 'my previous post was not my final one!'. Extrapolating from this, then the concept of a 'death-bed post' is an intriguing one. (Some blog posts start to get close to this topic, for example: https://community.macmillan.org.uk/blogs/b/community_news/posts/guest-post-sorry-i-m-not-in-service )

Gaps analysed partially

There have been quite a few gaps in postings to this blog, and based on this evidence, then my analysis would have been exactly the same as for any other blog. But then, surprise, surprise, there have been some new entries. And more intriguingly, I am now posting an entry that examines what happens when a blog pauses and then restarts. I suspect that this makes this entry doubly rare, and so something really unusual.

The reasons for my gaps are mildly interesting, and faintly unusual (depending on how you measure the degree of unusual-ness), and I won't bore you with them, which isn't meant to trivialise them, merely to downgrade their significance. The world is an intriguing place, and sometimes events impose themselves on you.

Nice conclusion!

So I'm more than happy to say that sometimes, interesting and unlikely things happen. After several challenging pauses, I'm now going to try and write the occasional blog post again.

Irregularly.


Here.



From me.




To you.





(Yep, reading all that 'New Wave' SF from the 1960s has been a big influence on my use of 'new lines' !)