
Tue, 4 May 2010

ITWeb Security Summit 2010 & Afterparty

The ITWeb security summit is coming up next week from the 11th to 13th of May. This is a conference we're quite excited about, and have been involved in for the last few years, but most recently, we've been able to further our involvement beyond just speaking.

For years I jealously watched as SensePost'ers would trundle all over the world shaking hands and drinking beer with the leet haxors of the world. Then a few years ago, the ITWeb Security Summit brought over Kevin Mitnick. I remember sitting in the audience awed not so much by what was said (sorry Kevin, I'm sure it was interesting) but by the fact that a real celebrity hacker was metres from me. I still keep his lock-pick business card as a memento. Since then, the summit has gotten bigger and better. ITWeb previously brought out people like Bruce Schneier (who I think thought I was a stalker), David Litchfield, Johnny Long (he's African now), Johny Cache, Richard Stiennon, Roberto Preatoni and Phil Zimmerman (he video conf'ed in from his hospital bed after emergency heart surgery).

While meeting some of the international speakers was awesome, there was always a feeling that the conference was too vendor dominated. To help remedy this, last year SensePost was asked to put together a technical committee. SensePost's guidance on international speakers had an immediate effect and last year we had a ton of hacker rock stars: Jeremiah Grossman, Window Snyder, Adam Shostack, Mike Dahn, Tyler Moore, Frank Artes, Phil Zimmerman (this time IRL) and even The Gruq washed himself and made it over. In addition to the international speakers, the technical committee (which I was lucky enough to be part of) evaluated and voted on all talks, with the ability to vote out sponsor talks if they weren't up to scratch. While we had some teething problems (for example we weren't able to review all final presentations in detail) and made a mistake in trying to fit more speakers into a "turbo track", I feel the quality of the conference improved significantly.

After the conference, one of the awesome memories was the "Hackers on Safari" trip we took the international speakers on (and some of the technical committee, if they agreed to do dishes). It proved to be a really great way to "sell" South Africa to the international speakers. As we watched a battery of cameras synchronously snap many pictures of the "the asses of Africa" (the animals kept turning their back on us), we were reminded what a great place South Africa is.

This year is looking even better than last. There's a solid line-up of international speakers: Kingpin, Moxie, Charlie Miller, FX, Dino Dai Zovi, Saumil Shah, Nitesh Dhanjani & Jeremiah Grossman. In addition, a third track has been created for security products, with the other two focusing on the technical and business aspects of security respectively. We should see a lot of quality South African talks. Unfortunately, some promising talks and speakers had to be dropped to make space, but hopefully this is an indicator of higher quality and popularity rather than of poor judgement.

Additionally, this year on the 13th of May @7pm (the last day of the conference) there is a hacker's party organised by our local unconference ZaCon (for full details follow the link), which is within walking distance from the conference venue. The party's aim is to raise funds for Hackers for Charity, with voluntary donations of R50 being asked, and HFC shirts for sale. Hopefully it will also provide a chance for members of the local scene who are unable to afford ITWeb tickets the ability to meet some of the international and local speakers.

Tue, 16 Mar 2010

CANSA Shavathon 2010

This past Thursday we received notice that Boogterman & Partners would be a host company for the CANSA Shavathon 2010 taking place on Friday, 05/03/2010. So when I sent out an email to everyone at SensePost, little did I know at the time what a huge thing this would turn into. However, I really shouldn't be surprised, as this is a typical show of how "We Roll"!

I was challenged (as the only girl in the office) to shave my head for CANSA. Well, what can I say, the guys really wanted to see me do this, because the enthusiasm was amazing! More importantly, however, we raised R3000.00 for this worthy cause, and I was also able to donate my hair (as it met the length criteria) to make a wig; a further R100 goes to CANSA when they sell it. CANSA Shavathon's goal was to raise R10 million, and it would seem they have raised over R19 million so far, which is brilliant! It shows how supportive South Africans in general are of this worthy cause, which makes me proud to be South African!

So all in all this turned out to be one of the most amazing charity runs I have been involved with and definitely worth sacrificing my hair for! I want to send out a special thank you to all the guys that I work with that donated money to this important cause and also a BIG thank you to the guys that came with to support me and also had their heads shaved!

I am truly honoured and proud to work for a company like SensePost, and even though I am the only girl in the office I wouldn't want to work anywhere else :) Just in case you don't believe us... here are the pictures.

Mon, 30 Nov 2009

ZaCon - A con in need of a better tagline...

ZaCon came and went, "and a fun time was had by all!"

The first run was a semi-cosy affair held at the University of Johannesburg, with 16 speakers holding the crowd from 08h00 till 18h00. ZaCon had many SensePost faces, but is not expressly an SP initiative. It's a community-based con aimed at growing the next gen of South African hax0rs.

My brief ~12 minute intro, "Why ZaCon", explains some of the organizers' thinking. You can watch me blab [here] and you can watch the rest of the videos [here].

/mh

Fri, 10 Jul 2009

Wishlist for graduates

We were invited to speak at the recent ISSA2009 conference in Joburg, a local, mostly academic security conference, and I decided to carry a message in addition to the regular demo-style talk with which we try to entertain. By coincidence, Haroon also had his peer-reviewed talk on Apple Exploitation Defences accepted, so there were two SensePosters talking to the tweed jackets. I figured the most important bit of the presentation should be mentioned first, so before we carry on I'd like to present our attacker:

He was quite dashing and very well received. With that out of the way, let's carry on...

The message of the invited talk was this: universities should be doing more to educate Comp Sci graduates with regard to designing and building secure software (actually, anyone who is involved in application dev, including Comp Sci, Informatics, Software Engineering etc.). From an international perspective this is probably self-evident: security courses at undergraduate level abound, or at least security is integrated into non-security courses in a meaningful way, at prominent varsities in the US and EU. However, this idea is not widespread in local academia. By way of comparison, a brief survey of notable local Comp Sci departments did not yield a single undergraduate course that listed security in its course contents (as in, covered at some point), whereas entire undergraduate courses in compilers, AI, graphics and game design were available. In a recent blog post, Matasano's Ptacek wrote that if you're typing A-E-S into source code, you're doing it wrong. Contrast this with my experience of a security course at a ZA university that contained more material on X.509 certs than on secure coding and defensive coding techniques.

It leaves devs in a very bad place. They enter industry without any knowledge of how to design, build or analyse secure applications and, since their first encounter with security requirements is often the result of an incident, their subsequent impression of security people and requirements is not positive. Even if they are sent on security training by their respective organisations, the training will in all likelihood cover only those aspects of security that pertain to the technologies the organisation uses, leaving the devs with what amounts to bolted-on knowledge. Smarter people than I have differentiated between education and training, with the former taking place at universities and training happening ad hoc when the need arises.

There is definitely room for both education and training in the security space; however, when developers look solely to industry training to provide their entire secure development knowledge, such bolted-on knowledge just doesn't suffice.

Incidentally, I don't pretend that secure coding is completely teachable, but complete teachability isn't attainable in any subject: exposing students to parallel programming doesn't guarantee they'll write race-free code either. However, they will understand races, know what they look like and be able to fix them without keeling over at the first sight of overwritten data. The same goes for fundamental security patterns.

As such, we went to the conference with a wishlist of what we'd like undergraduates to cover at some point in their degree, so that when they leave university after their first degree they are already in a position to at least consider the security implications of a given piece of software in a rigorous manner, and to identify and try to mitigate some of the threats through prior exposure in a friendly environment.

The list below really is basic and I'm hoping will be a starting point for discussion. Actual implementation will require much fleshing out, but the skeleton that flesh should be packed around might look something like:

  1. Secure coding techniques
    • Never trusting user-input
    • Exposure to common attack vectors
    • Assertion and return-code checking
  2. Pen-and-paper analysis (threat models, attack trees)
  3. Destructive testing
  4. SDLC modifications
  5. Security libraries

With this out of the way, we opened the floor to questions/comments (none) and then invited the gathered attendees to contact us if they were interested in implementing these in their undergrad courses.

[public slides]

Thu, 4 Jun 2009

Open Patch Management Survey

Rich Mogull (whose stuff I really quite dig) has launched an 'Open Patch Management Survey' via the SecurityMetrics blog. It's an interesting idea, and they plan to release both their analysis *and* the raw data, which might be really insightful for our VMS stuff.

Corporations can take the SurveyMonkey survey at http://www.surveymonkey.com/s.aspx?sm=SjehgbiAl3mR_2b1gauMibQw_3d_3d, and there's some nice material already available at http://securosis.com/projectquant.

Here's the rest of Rich's message (please forgive the cross-post):

Our goal here is to gain an understanding of what people are really doing with regards to patch management, to better align the metrics model with real practices. We're doing something different with this survey. All the results will be made public. We don't mean the summary results, but the raw data (minus any private or identifiable information that could reveal the source person or organization). Once we hit 100 responses we will release the data in spreadsheet formats. Then, either every week or for every 100 additional responses, we will release updated data. We don't plan on closing this for quite some time, but as with most surveys we expect an initial rush of responses and want to get the data out there quickly. As with all our material, the results will be licensed under Creative Commons.

We will, of course, provide our own analysis, but we think it's important for everyone to be able to evaluate the results for themselves. All questions are optional, but the more you complete the more accurate the results will be. In two spots we ask if you are open for a direct interview, which we will start scheduling right away. Please spread the word far and wide, since the more responses we collect, the more useful the results.

If you fill out the survey as a result of reading this email please use SECURITYMETRICS as the registration code (helps us figure out what channels are working best). This won't affect the results, but we think it might be interesting to track how people found the survey, and which social media channels are more effective.

/charl
