I had blogged about presenting a tutorial on Fuzzing at STeP-IN Security Testing Theme Conference at Pune. In the same context, I attended the conference on 16-17 April. It was all worth my time, some lessons learnt and some to share as a part of this blog post.
This report is not all roses. It’s to portray my honest opinion about *my* experience at the conference.
16 April, 2009: Pre-Conference Tutorials
The conference started with pre-conference tutorials, where the first one was on “B2B Application Security Testing” by Tarun Banga, Sr. QE Manager, Adobe Systems . Though the topic may not convey it fully, the actual premise of discussion was Threat Modeling and Web Application Security. The first part of the session was on threat modeling and worked out well in terms of discussion of the topic in detail with a hands-on exercise. The second half could not be completed. Reasons? Probably too much content for a 3 hr tutorial or catering to a range of audience or attending to a couple of participants at the sake of majority of participants. Positives? An open-minded presenter who was not hurrying through the contents.
Second was our session on “Fuzzing – Ensuring Software Security though Automated Data Corruption” (I was joined by Senthilvel, an expert in testing AV solutions, working as Sr Project Lead at McAfee). It wouldn’t be apt for me to comment on the quality of our session as such. We had some lessons learnt being a part of the first session. We tailored our talk as per the audience. We finished the presentation on dot with a very positive feedback (formal feedback yet to be got). Negatives? I felt a little redundancy at some points. We need to be better organized in terms of content allocation. Positives? A technical session for an audience yearning for some good technical inputs rather than discussion about what they can easily find on web.
17 April, 2009: Conference
The topic for second day can be summarized as Web Application Security and if we consider the Panel discussion, the importance of Security Standards. It needed either a change in the theme of conference or selection of papers.
With a welcome note by Rajesh Bharathan and keynote address by Shyamal Ghosh, the conference started on a very good note. The focus of both was every person’s alter ego on web and related security. They also addressed the nature of recent threats and the growing intent of financial gains on part of hackers.
This was followed by a series of papers, out of which the ones which I found of good quality were “Application Layer (Layer 7) attacks“, mostly because of its energetic presenter Sameer J. Ratolikar, “Application Security – Need to Change the Mindset” by Dr. Pramod Damle because of the intuitive presentation and analogies, “Techniques in Web Service Security Assessment” by Umesh Chandak for the technical quotient (although the presenter needs serious work on presentation skills) and more than all mentioned so far, “Incidents in a Web Driven World” by Arvind Doraiswamy (Paladion Networks) for a presentation most effective for a security testing conference from all angles.
The Panel Discussion was on the topic – “Significance of Security Standards for Information Security” with some of the most intelligent minds in the industry. Outcome? I am not sure about others. For me, it did not work. It was not at all an appropriate topic for security testing conference. The same set of people could have enlightened the audience on a topic relevant to security testing.
What Worked for me?
- A 2-day conference dedicated to the field of security testing
- Meeting relevant people in the industry – both as presenters and as audience
- A good mix of audience – technical / non-technical, functional testers, performance testers, security testers, academicians…
- Good choice of papers (I will not say great)
- Enthusiastic Organizing Team
- Should I say food?
What Didn’t Work for me?
- Redundancy in content. Almost everyone talked about XSS, SQL injection.
- The theme of the conference was “security testing” and not “security”. There can be some overlap but too much talk on seriousness of security and threats rather than talking from the perspective of a software tester made things dull
- Why should a security testing conference talk only about Web Application Security? This was seen on second day which was the main conference day catering to a much bigger audience than the pre-conference tutorials.
- The topic chosen for Panel discussion was not exactly relevant for a security testing conference. It was a better fit for a security conference.
“Probability of life is 0. Probability of death is 1. We still live for an average of 65 years, consuming viruses, worms everyday. Software systems should be like us.” – Dr. Asoke Talukder, Corporate Adviser, Saharanext
Overall, QSIT has done a good job in starting a 2-day theme conference focused on security testing. I look forward to a more fulfilling conference from them, with the understanding that there were some lessons learnt.