Speaking at S-3 Con 2006

I’m giving two talks at the Software Security Summit in San Diego on February 8th. You can see details on the Wednesday schedule.

One of my talks is Your Network Can’t Fix Your Software. My thesis is basically this:

If you play free association word games with people in real-world IT departments, when you say “security” they will say “firewall.” For your network perimeter, this is fine. As an approach to securing software, it is myopic and insufficient. The central thesis of this session is that, while firewalls are valuable, they are not sufficient. This session presents four classes of problems you find in networked software, explains why they must be fixed in the software itself (not in the network) and then shows how you do that.

The four vulnerability classes that I discuss are:

  • Poor input handling
  • Misplaced trust
  • Poor choice of nonces / identifiers
  • Advertising vulnerabilities

For now, I’ll leave out details of what I have to say. Slides will be available from the conference.