Bad Security?

Can open and free equal good? Puffy thinks so.

I had the pleasure of attending a seminar at my company on IT security. The theme for this session was, among other things, application security. Now I was hopeful, as the presenter was from an IT security company and the agenda looked interesting (DoS, XSS, SDLC…). Maybe I could learn something practical on these topics I’ve heard so much about? I do, after all, have to manage a couple of projects which involve a bit of web application development.

Okay, I was impressed at first. The introduction of the presentation was smooth and the slides were above average. Some little mistakes here and there, but I let them slip. But then, little by little, I started to notice disturbing trends. For example, this guy constantly belittled free/open software. It was like in his mind it was impossible that free or open software could be better than commercial software. At one point he wondered how in one regard there even is a “freeware” software that does some things better than Microsoft IIS. Every time he mentioned that something was not of commercial origin, but either a free or volunteer effort, he had to mention that despite this obvious shortcoming, this or that was still “pretty good”. I don’t know, maybe he was molested as a child by a chubby penguin or something, but I was amazed by this ignorance.

We went through the most common web application attacks and ways to mitigate them. When we got to buffer overflow, he was baffled, because he couldn’t understand how something as simple as a buffer overflow is so common in many applications. According to him, the roots of this problem lay in the history of “unix” and C, where it was OK if programs crashed. And how to solve this problem? Do not accept long strings. He had also noted from his own experience that buffer overflows and memory leaks were more common in the Windows environment than in the Unix environment, but he wasn’t sure why this was the case; it probably had something to do with coding styles or something. Also, his solutions to most of the security problems seemed to be adding some new technology. And in any case, we don’t even develop that much of our own tailored apps and it’s not like you can modify off-the-shelf software or its coding practices that much.

And so we went on with injection attacks and string formatting – do not allow strange characters. At this point I was also shown our company security principles, which stated that all applications must validate input and they must strip all strange characters, including “,”, “‘”, “+”, “%”, “@”, “&” and friends. Apparently many programs, like Excel, Word and Outlook, are exempt from this rule, as using these programs would be rather difficult if they didn’t accept some of these characters. He applauded our work on this and didn’t “on the surface” see any problems in it. Okay, maybe I’m nit-picking here, but the overall presentation was just horrible. I know I’m not an expert on security issues, but I have read my share of Schneier and written a bit of PHP and Ruby.
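To make the point about the “strip all strange characters” rule concrete, here is an added example that is not from the post, the presenter, or the company policy it describes. It is a small Python script with constructed sample data in an in-memory SQLite database (the table, user names and e-mail addresses are all made up for the example). It runs the stripping policy and a parameterized query against the same inputs, so you can see that stripping mangles legitimate input (an apostrophe in a name, the “@” in an e-mail address), that stripping still lets an injection through wherever the value is not inside a quoted string, and that a parameterized query handles both the apostrophe and the injection attempt without any character filtering at all.

```python
import sqlite3

# The characters the policy in the post says applications must strip.
FORBIDDEN = set(",'+%@&")


def strip_policy(value: str) -> str:
    """The 'strip all strange characters' rule, applied literally."""
    return "".join(ch for ch in value if ch not in FORBIDDEN)


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the example (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "Miles O'Brien", "miles.o'brien@example.com"),
            (2, "Kari", "kari@example.com"),
        ],
    )
    return conn


# --- Vulnerable versions: SQL built by string concatenation -----------------

def find_user_unsafe(conn, name: str):
    """String context: the value lands between single quotes."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_id_unsafe(conn, id_text: str):
    """Numeric context: no quotes around the value, so stripping quotes
    does nothing to protect this query."""
    sql = "SELECT id, name FROM users WHERE id = " + id_text
    return conn.execute(sql).fetchall()


# --- Safe versions: bind parameters, validate type where it matters --------

def find_user_safe(conn, name: str):
    """The driver sends the value separately; an apostrophe is just data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_id_safe(conn, id_text: str):
    """Validate that the id is an integer, then bind it."""
    try:
        user_id = int(id_text)
    except ValueError:
        return []  # reject anything that is not an integer id
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo() -> dict:
    """Run the comparisons and return the outcomes as a dict."""
    conn = build_db()
    out = {}

    # 1. Stripping destroys legitimate input.
    out["stripped_email"] = strip_policy("miles.o'brien@example.com")

    # 2. Concatenation cannot even handle a legitimate apostrophe.
    try:
        find_user_unsafe(conn, "Miles O'Brien")
        out["unsafe_apostrophe_error"] = False
    except sqlite3.OperationalError:
        out["unsafe_apostrophe_error"] = True

    # 3. Classic string-context injection against the concatenated query.
    out["unsafe_injection_rows"] = len(find_user_unsafe(conn, "x' OR '1'='1"))

    # 4. Stripping blocks that one, but not a numeric-context injection:
    #    "1 OR 1=1" contains none of the forbidden characters.
    payload = strip_policy("1 OR 1=1")
    out["stripped_numeric_payload"] = payload
    out["unsafe_numeric_rows_after_strip"] = len(find_by_id_unsafe(conn, payload))

    # 5. Parameterized queries: apostrophe works, injections do not.
    out["safe_apostrophe"] = find_user_safe(conn, "Miles O'Brien")
    out["safe_string_injection"] = find_user_safe(conn, "x' OR '1'='1")
    out["safe_numeric_injection"] = find_by_id_safe(conn, "1 OR 1=1")
    out["safe_numeric_lookup"] = find_by_id_safe(conn, "2")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway is the one the post hints at: a blanket character blacklist breaks real data and still misses injections that do not need the forbidden characters, whereas keeping data out of the query text (bind parameters, plus type validation for numeric fields) works regardless of which characters the input contains.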

I also learned that the term “hacker” originates from a time when computer resources were scarce and “hackers” were the guys who tried to get more of these resources by abusing systems. I believe the correct term would be “phreaker” and yes, I’m aware that much of the hacker subculture originates from them. And yes, throughout his presentation, he mostly used the term in a negative way, so it is totally possible he used it as an umbrella term for all kinds of people who abuse the functionality of systems.

Now, the audience was IT managers and people who probably, before this seminar, didn’t know what session hijacking or SQL injection was, but explaining these wrong, even if these guys don’t even need to know what they are anyway, was still quite amazing. I’m talking about a partner of an IT security consultancy here. Now, to be fair, he knew the basics, like the difference between identification, authentication and authorization, which he constantly pointed out, and as he pointed out, he wasn’t a “technical person”, but hey, why are you giving this presentation?

Suffice it to say, I left the seminar early.

Do you, the readers of this fine blog, have any experience with security experts who aren’t? As far as I know, this guy was from a reputable company and their services are most likely good and the rest of their staff knowledgeable, so I’m not going to name and shame them. Have you noticed a general tendency in the business world for FOSS to be seen as inferior to commercial software just because it’s free?

Kari is an IT project manager at a utility company and, when not managing the ensuing chaos or misspelling Bruche Schneier’s name, enjoys watching The Amazing Race and is determined to go to Australia and see a wombat crossing sign with his own eyes.

Fed up with Spam

I’m fed up with spam. I can’t stand it anymore. I received more than 500 spam emails just today, plus a couple hundred more junk comments on this blog. Fortunately, Akismet does quite a good job, but I’m sure I still lose comments from true readers. Spam is torture; it’s jeopardizing the balance of the Internet. I’ve come to a point where I receive about 10 times more spam than regular email every day, a situation that has never, to my knowledge, occurred with regular snail mail.

PLEASE SOMEONE, DO SOMETHING AGAINST SPAM.
