I really intended to get this out earlier this week, but me o’ my has this been a busy week.
Anyway, day 2 at RSA 2010/Security BSides started in the reverse order of day 1. I went to sessions at RSA first and then tottered over to Security BSides for the afternoon.
My day 1 recap can be found here.
Again, great content in both locations.
I started the day out at RSA.
2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year by Jeremiah Grossman
In this 50-minute talk, Jeremiah attempted to cover the top 10 web-based hacking methods for 2010. These are not hacks of particular sites, but ways in which sites can be hacked. There were two amazing things about this talk:
- That he even tried to do it in 50 minutes.
- That he was successful.
This was a great talk and Jeremiah did a great job of covering a lot of ground. If you are interested in more detail, his presentation deck is available here.
Some pretty nifty stuff was shown and best of all, most, if not all, were free. Many of them plug right into Visual Studio making them even more available to the developer. It is worth your time to explore the SDL site that Microsoft has available for you here and the SDL blog here.
Risk Management: Getting Engaged by Kevin Riggins (me)
The next stop on my RSA Wednesday was the Peer-2-Peer session I moderated. Again, there will be a separate post about it, but the short and sweet is that we all need to find ways to get information security risk management engaged in the business and the business engaged in information security risk management.
This was my last session at RSA for the day. I headed over to Security BSides for pizza and more great sessions.
The first order of business was to grab some lunch.
SDL Lite by Marisa Fagan
Marisa’s lightning talk was a quick demonstration of how we can implement an SDL “lite” process. Interesting stuff. Marisa could really use your help. Errata Security is conducting a survey about the use of secure development methodologies. From the post:
Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods.
Help her out and take the survey.
Risk Management - Time to blow it up and start over? by Alex Hutton
Alex knows risk. I enjoyed this talk and it definitely generated some thought for me. As Alex said, though, this wasn’t a “throw everything you are doing away” talk. It was a look at the current state and an attempt to figure out if there is a better way. From his description:
Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC), guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.
He did mention the new Verizon framework that looks pretty nifty.
That was pretty much it for the day from a conference perspective. I went back to my hotel to work for a bit and then it was time to head to the Security Bloggers Meet-up, which was a lot of fun. You can see some photos from that event here if you are interested; luckily none of my ugly mug.