I’m speaking at S-3 Con in San Diego on April 14th. The conference runs the 12th to the 14th. My talk is entitled Software Vulnerabilities that Pass Through Firewalls: How to Spot Them and How to Fix Them.
My thesis is basically this:
If you play free association word games with people in real-world IT departments, when you say “security” they will say “firewall.” For your network perimeter, this is fine. As an approach to securing software, it is myopic and insufficient. The central thesis of this session is that, while firewalls are valuable, they are not sufficient. This session presents four classes of problems you find in networked software, explains why they must be fixed in the software itself (not in the network) and then shows how you do that.
The four vulnerability classes that I discuss are:
- Poor input handling
- Misplaced trust
- Poor choice of nonces / identifiers
- Advertising vulnerabilities
For now, I’ll leave out details of what I have to say. Slides will be available from my site in May.