Out and About This Week
I have been out and about this week at some events in London.
On Tuesday evening I attended another meeting of the London Ajax User Group, hosted as usual at the nearby Skills Matter eXchange. The meeting had attracted over 50 developers who had come to listen to the talks — one about using HTML5 Web Sockets, and the other about template-based JavaScript development. Well, I shouldn't really have been surprised by the number of attendees: the user group's slogan is "London's largest group of Ajax, JavaScript and HTML5 developers", so the topics were right on target.
Micheil Smith began by describing how HTML5 web sockets can be used to deliver near real-time interactive web content. He explained how web sockets are replacing pseudo real-time techniques like HTTP polling, LiveConnect, forever iframe, HTTP long polling, and XHR streaming. He described uses for web sockets and some of the issues that can cause problems, such as ports blocked by firewalls and different traffic patterns leading to server capacity problems.
Mark Wubben then explained how sites and applications need to work both with and without JavaScript. He discussed a method called Eyebrow, based on the Mustache templating language and the Django Template Language (DTL), which achieves this and harnesses the power of server-side generation combined with application execution on the client.
These user groups are a great way to keep in touch with the issues developers are having and with technology trends. Then on Wednesday and Thursday I attended RSA Conference Europe 2011, which had a more corporate, security-focused audience. The two presentations I found most useful were by Bryan Sullivan and Ramon Krikken.
Bryan Sullivan explained security issues related to NoSQL databases — their similarities to and differences from relational databases, and what extra issues need to be considered when designing and developing systems using these data stores. He demonstrated injection techniques against MongoDB and then moved on to compelling examples of server-side JavaScript injection, using Node.js as an example. He discussed risky constructs to look for during code review and ways to avoid some typical pitfalls. Lots of things to add to my code review and security testing notes.
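To make the two classes of problem concrete, here is an added example written for this post; it is not code from the talk, and the handler shape, payloads and helper names are my own assumptions. It builds the query documents a Node.js application would hand to a MongoDB driver (no database is needed) and shows three risky constructs a code reviewer should look for: a JSON-decoded request body used directly as query values, a `$where` clause assembled by string concatenation, and `eval()` used to parse input. Each sits beside a hardened form.

```javascript
// Added example, not code from the talk or this post: the MongoDB and
// server-side JavaScript (SSJS) injection patterns described above, each
// beside a hardened form. No database is needed; the functions build the
// query documents a MongoDB driver would receive so we can inspect them.

// Risky construct 1: a JSON-decoded request body passed straight into a
// query. The handler assumes strings, but JSON can carry objects, so an
// attacker sends query operators ({"$ne": null}) instead of values.
function buildLoginQueryUnsafe(body) {
  return { user: body.user, pass: body.pass };
}

// Hardened: enforce the primitive type each field must have before it
// reaches the driver; anything else is rejected, not coerced.
function requireString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`field "${field}" must be a string`);
  }
  return value;
}

function buildLoginQuerySafe(body) {
  return {
    user: requireString(body.user, 'user'),
    pass: requireString(body.pass, 'pass'),
  };
}

// Code-review/test helper: does a query document contain a $-operator
// anywhere, i.e. has caller-controlled data become query syntax?
function containsOperator(doc) {
  if (doc === null || typeof doc !== 'object') return false;
  return Object.entries(doc).some(
    ([k, v]) => k.startsWith('$') || containsOperator(v),
  );
}

// Risky construct 2: $where built by string concatenation. $where runs
// JavaScript inside the database, so this is the NoSQL analogue of
// building SQL by concatenation: a quote breaks out of the literal.
function buildWhereUnsafe(name) {
  return { $where: `this.name === '${name}'` };
}

// Hardened: express the predicate as a plain equality match; no JS runs.
function buildWhereSafe(name) {
  return { name: requireString(name, 'name') };
}

// Risky construct 3: eval() used to "parse" a JSON body on the server.
// eval executes whatever arrives; JSON.parse only builds data.
function parseBodyUnsafe(raw) {
  return eval(`(${raw})`);
}

function parseBodySafe(raw) {
  return JSON.parse(raw);
}

// Constructed attacker inputs for the demonstration (not captured traffic).
const operatorPayload = '{"user": {"$ne": null}, "pass": {"$ne": null}}';
const whereBreakout = "x' || true || '";
const ssjsPayload = '(function () { globalThis.pwned = true; return {}; })()';

// Runs each unsafe/safe pair and reports what happened.
function demo() {
  const body = JSON.parse(operatorPayload);
  const unsafeQuery = buildLoginQueryUnsafe(body); // matches any user with a password set
  let safeRejected = false;
  try { buildLoginQuerySafe(body); } catch (e) { safeRejected = e instanceof TypeError; }

  globalThis.pwned = false;
  parseBodyUnsafe(ssjsPayload);                   // attacker code runs here
  const evalRan = globalThis.pwned === true;

  globalThis.pwned = false;
  let parseThrew = false;
  try { parseBodySafe(ssjsPayload); } catch (e) { parseThrew = e instanceof SyntaxError; }

  return {
    unsafeHasOperator: containsOperator(unsafeQuery),
    safeRejected,
    whereUnsafe: buildWhereUnsafe(whereBreakout).$where,
    whereSafeHasOperator: containsOperator(buildWhereSafe('x')),
    evalRan,
    parseThrew,
    parseDidNotRun: globalThis.pwned === false,
  };
}

console.log(demo());
```

The type check in `requireString` is the key control: MongoDB's query language is data, so the fix is not to escape characters but to stop attacker-supplied structure (objects with `$` keys) from ever reaching the driver. `containsOperator` is handy as a unit test over every query builder in a code base, and the `$where`/`eval` pairs are the constructs to grep for first during review.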
Ramon Krikken described usage scenarios for tokenisation of sensitive data and explained that he thought tokenisation is oversold, under-analysed and not well understood. He outlined the issues around choice of algorithm, architectural implementation, input data and business processes, which have led him to the conclusion that tokenisation is cryptography, if not actually encryption. This presentation really was an eye-opener and cut right through to the weaknesses of, and possible attacks on, such systems. If Ramon is speaking near you, make sure to go along. There is a summary podcast available.
I also enjoyed the discussion group run by Brian Honan focused on the practicalities and issues of incident response in the cloud.
My own session about attack-aware software applications built upon my previous presentations at AppSec EU 2011, the Software Assurance Forum Fall 2011, the training course I gave, and the AppSensor Summit at AppSec US 2011. It is always good to receive views and feedback, and about ten percent of the audience of 70-80 had questions or comments to make. I will also be talking about this topic at OWASP Leeds on 25th October.
Posted on: 14 October 2011 at 08:46 hrs
