On Wednesday (25th April 2012) I attended Security B-Sides London, held at the rambling and inelegant Barbican Centre in central EC1, which overlapped with the schedule for Infosec Europe way out on the west side of London.
I must say the two cinemas used for the day's presentations were most suitable, with good visibility, clear sound systems and comfortable seating. The organisers should be thanked for planning and executing such a great day. Every session I went to was of a high quality and in each I learned new things. I listened to Stephen Bonner talking about elegant security, Ian Maxted about social engineering, Thom Langford about site-based risk assessments, Brian Honan on getting the security message across to senior management, Abraham Aranguren on exploratory web application testing and Sandro Gauci on escalating privileges in web applications.
However, I'd like to focus on two mobile phone app related sessions by David Rook (aka Security Ninja). David is well known for his generous contributions to the application security community, especially his efforts to promote secure development principles, Agnitio the code review tool and Windows Phone App Analyser.
His presentation, Windows Phone 7 Platform and Application Security Overview, was the only talk at which I actually took extensive notes during the day. Following an introduction to Windows Phone 7's place in the market and development with Visual Studio and the .NET Compact Framework, he discussed platform and application security in detail. Wonderful. It will save me days of research. I think he mentioned on Twitter that the slides will be made available online shortly.
Mid-afternoon I attended his workshop on using his self-built software tool Agnitio, which helps arrange, track and monitor code review processes within development teams. The focus of the workshop was to walk through version 2.1 and especially the built-in code searching and examination functions. These can be used to help identify higher-risk functionality, or code which has to meet development guidelines, using a powerful, extensible list of patterns cross-referenced to the code review checklist items. The tool has improved greatly since I last reviewed it in 2010, and I am looking forward to using it to develop custom checks for some of my clients. I was very impressed with its ability to decompile Android code and then run a standard set of tests against it.
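To illustrate the idea of pattern-driven code searching cross-referenced to checklist items, here is a small added example written for this post; it is not Agnitio's own code, and the pattern list, checklist item identifiers and the C# sample being scanned are all constructed for the demonstration. Each pattern carries the checklist item a reviewer should consult when it fires, so the output is a worklist of places to look rather than a verdict.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    """One search pattern, cross-referenced to a review checklist item."""
    pattern_id: str
    regex: str
    checklist_item: str
    description: str


# Constructed pattern list (hypothetical; not Agnitio's). The checklist item
# identifiers (CL-...) are placeholders for entries in a team's own checklist.
PATTERNS = [
    Pattern("P001", r"\bSqlCommand\s*\(\s*\"[^\"]*\"\s*\+", "CL-INJ-01",
            "SQL command text built by string concatenation; check parameterisation"),
    Pattern("P002", r"\bProcess\.Start\s*\(", "CL-CMD-01",
            "External process launched; check how arguments are built"),
    Pattern("P003", r"\b(MD5|SHA1)(CryptoServiceProvider)?\b", "CL-CRY-02",
            "Weak hash algorithm referenced; check its intended use"),
    Pattern("P004", r"\bIsolatedStorageSettings\b", "CL-STO-01",
            "Local storage used; check whether sensitive data is persisted"),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    pattern_id: str
    checklist_item: str
    description: str
    code: str


def scan_source(filename, source, patterns=PATTERNS):
    """Run every pattern over every line and return the matches in file order."""
    compiled = [(p, re.compile(p.regex)) for p in patterns]
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for p, rx in compiled:
            if rx.search(line):
                findings.append(Finding(filename, lineno, p.pattern_id,
                                        p.checklist_item, p.description, line.strip()))
    return findings


def group_by_checklist(findings):
    """Group findings by checklist item so a reviewer can work item by item."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.checklist_item, []).append(f)
    return grouped


# Constructed C# sample to scan; it is not from any real application.
SAMPLE_CS = """\
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.IO.IsolatedStorage;

public class LoginPage
{
    void Check(string user, string token, SqlConnection conn)
    {
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Name = '" + user + "'", conn);
        var hash = new MD5CryptoServiceProvider();
        var settings = IsolatedStorageSettings.ApplicationSettings;
        settings["token"] = token;
    }
}
"""


if __name__ == "__main__":
    for item, hits in sorted(group_by_checklist(scan_source("LoginPage.cs", SAMPLE_CS)).items()):
        print(f"Checklist item {item}:")
        for f in hits:
            print(f"  {f.file}:{f.line} [{f.pattern_id}] {f.description}")
            print(f"    {f.code}")
```

Running it on the constructed sample reports three places to review: the concatenated SQL on line 9, the MD5 reference on line 10 and the isolated-storage write on line 11, each tagged with its checklist item. Adding a custom check for a client is a matter of appending a Pattern entry with the regex and the checklist item it belongs to.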
Both Agnitio and Windows Phone App Analyser are free to download and use.
David Rook had won SC Magazine's Rising Star Award the previous evening. It was much deserved, and I must say it reflects very well on Realex Payments, who appear to be supportive of his activities to improve application security — and clearly not just within their own company, but for their customers, competitors and the wider market. I am sure many other companies would not be so enlightened.
Posted on: 29 April 2012 at 20:52 hrs