Paid Advertising
web application security lab


Normally I skoff at user conferences and now I know why. Sylvan von Stuppe had a pretty funny writeup on the first day of SPICON. For those of you who aren’t in the know, SPICON is a SPI Dynamics user conference. That’s not unusual for big companies so that they can do lunch and learns or otherwise help their consumers to better understand the new product offerings as well as get feedback. In fact, if you are working with a vendor that doesn’t offer at least a beta program, run!

Anyway, it’s a fairly embarrassing read. Maybe there are a lot of beginners in the audience but most of the topics covered thus far are pretty cut and dry, however if you are looking for a primer on how to set up training on basic web application security principles for development this is pretty much right on. Anyway, interesting read!

4 Responses to “SPICON Notes”

  1. Erik Peterson Says:

    I’d actually like to thank Sylvan Von Stuppe for not writing more. We had a lot to show during SPICON, most of it pretty sensitive stuff that we would not want out competition to get a hold of right away. I know it was hard for him to do, but we here at SPI definitely appreciate that Sylvan did not blog any of our next gen product presentations out on the web.

    But don’t take my word for it, I’d recommend you speak with him and get the scoop on how cool things were before you jump to any conclusions. There were over 100 very happy SPI Customers, many of whom did the talking and presenting for us. It was an experience I will not soon forget and I can’t thank our customers enough for coming and sharing so much with us.

    Well see everyone next year at SPICON 2007!!

  2. RSnake Says:

    Hey, Erik. No doubt there was good stuff presented due to comments like, “At a high level, it looks like in broad-strokes, they’re going exactly where everybody else is - trying to merge all the existing technologies across the SDLC, but with some exciting improvements in WI 7 Beta.”

    However comments like this don’t look great, “There were some beginners in the class, but I think as a whole, nobody really learned much.”

    Of course these aren’t my comments, this are Sylvan’s, and I’m not putting words into his mouth. I don’t have his email address to verify for myself. But as I’m not a competitor (or even in the security industry at all for that matter), if you have interesting technologies to show, I’d love to hear it. I spoke with Billy Hoffman and several other SPI guys at an impromtu round table at a DefCon party about some ideas he had but pretty much all of them were about client side protection and I believe in the end (granted we were both drinking at the time to my belief may be mistaken) we agreed most of those ideas wouldn’t work or would cause other issues for users. So I would imagine those weren’t the ideas you’re referring to.

    Without any way to guage the new concepts, having not heard them for myself, I sort of have to take other people’s word for the “cool”ness factor. I don’t get invited to a lot of vendor cons these days as I’m not in the business anymore (everything I do is self funded), so my means are largely limited to what people publically disclose or whisper to me on the side.

  3. Sylvan von Stuppe Says:

    To clarify - I liveblogged many of the sessions I attended at SPICON. I think RSnake’s original post (”it’s a fairly embarrassing read”) was mostly in reference to the “advanced” web hacking class. The advanced web hacking class was not advanced at all (IMO, anyhow), but I didn’t ask people individually if they learned anything new. But the “advanced” hacking class was only one of two sessions on the first (and optional) day of the conference.

    Most of the other sessions I attended had some value. Allen Paller’s session was exceedingly interesting, and I failed to do it justice in the blog. Billy’s information was probably helpful to some, but not new information for me - but he’s quite passionate about what he’s finding. When I spoke to Billy afterwards, he confirmed my original thoughts - AJAX doesn’t make new vulnerabilities, it just exposes more of the existing ones. And the roundtable with others in the industry was very valuable - although SPI just facilitated the discussion.

    And the information I can’t discuss - I saw the roadmap and a beta of an upcoming product. The roadmap just showed SPI was moving in mostly the same direction as the rest of the industry, and has some really cool ideas for some of their products - I can’t go into details. And I saw a demo of a product going into beta that looks very promising, but again, I can’t go into detail.

    I’ll post this on my blog as well to try to clear up any confusion. I’m sure all three readers of my blog will appreciate it.

  4. RSnake Says:

    Thanks for writing Sylvan, I think you cleared things up nicely.

    I’ve felt the same way you do that AJAX doesn’t create “new” classes of vulnerabilities, although it does increase the attack surface area. JSON is the only thing that is really “new” that is coming out of the AJAXy web2.0 world that has had any interesting issues in it. I’m still skeptical about some things you may be able to do with XML, but that won’t change until browsers do, most likely.

    But in reference to your latest blog article, you will have a job for many years to come if any of us have anything to do with it. The only way web application security issues could go away is if we were to stop researching them.