In April I will be presenting a lot of things at cf.Objective(). Here is a short list:
Secure CFML trainingPete Freitag and I will be doing a full-day training on building secure CFML applications. We are going to be taking a fun, pragmatic approach to the topic.
We will start with an application that is full of vulnerabilities and we are going to hack that applications. We are actually going to deploy real attacks against the application to see how it works. We'll even use some hacker tools to automate attacks. By doing this we can better learn how to think like a hacker, which better enables us to code while thinking "how could this be exploited?".
Once we finish hacking the application lessons, we will go into the code and fix them, then we'll try to hack them again and see the results. It should be a great all-around, hands-on learning experience. If you have not already signed up for the course, you still can. The early bird price has been extended indefinitely.
Here is a list of some of the hacks (and countermeasures) we'll be discussing. This is NOT a complete list.
- Basic and Intermediate SQL Injections
- Cross-Site Scripting (In-depth)
- Path Traversal Attacks
- User Enumeration Attacks
- Request Forgeries (XSRF)
- Indirect Object Reference
Practical Ajax SecurityThis is the presentation I have made the least progress on so far, so I cannot offer much of a preview. We will be talking about how adding Ajax functionality to your application can increase the vulnerability and how you can go about mitigating the risk associated with that.
Ajax is a lot of fun. I have been doing it extensively with Adobe AIR lately. And I have had to consider how it fits into the security model of my application. So I should also be able to provide some best practices and tips.
I'm looking forward to spending more time putting this presentation together.
We will discuss, amongst other things, the AIR security model, file-system access, SQLite databases (encrypted and unencrypted), the encrypted local store and more.
A Brief Introduction to CryptographyThis is the presentation I am looking forward to most. I have been working long and hard on researching it and putting together a fantastic slide deck.
In this presentation we will look a little at how cryptography works, and we'll look at some very basic examples. We'll have some fun demonstrations, and even a 'CFML Celebrity Popularity Contest'. I will public the encrypted name of the winner early, and anyone interested can determine if they can crack my cipher and spoil the surprise announcement.
The second half of this presentation will be about using encryption in ColdFusion is a practical way. Technically, it could be done by "filling in the blanks", but when you leave this presentation, you will understand what you filled into those blanks, and why.
I will also soon release a ciphertext that anyone who wants to can try to crack. If anyone does crack it, I will get them something cool. Like a FAQU subscription, or $50 at Amazon.
BoF SessionNothing has been announced yet, but I am hoping to get a Birds of a Feather (BoF) session for Saturday night. Of course, the BoF would be security focused (unless they go with the Guitar Hero BoF).
Last year the security BoF had an AWESOME turnout. I had some security-related prizes to give away, and it was awesome. A lot of great discussion and questions.
ConclusionI have A LOT planned for cf.Objective() this year, and I am just one person. Think of the other 100+ people that are planning this event, plus the 300+ attendees. This conference is going to be fantastic.
It is not too late to register, nor is it too late to get in on the pre-conference classes. If you have any questions about any of this, please feel free to contact me. My contact form is linked at the bottom of the page, or hit me directly at jason (@t) 12robots (.) com