You know that it’s a wild and dangerous world out there on the Internet. You don’t need to be convinced that your application needs to be secured against intruders, hackers, bots, and worms. You’ve vaguely heard of XSS, CSRF, Authc, Authz, and the rest of the AppSec alphabet soup, but you’re not sure how to structure your application, what controls you need, or how to make sure you’re making the right investments of time and money to efficiently minimize risks.
This session will present some patterns and anti-patterns in web application architecture and process. We’ll talk about how to identify the parts of your application that require the most attention and which parts of your SDLC need the most security TLC.
Examples will be mostly in Java and JavaScript, but the ideas will be largely language-agnostic, so attendees will not need to be experts in either. This will be a technical talk, but appropriate to both programmers in the trenches and the managers who love them.
Daniel Somerfield has over 15 years' experience developing software for retail sales, corporate communications, enterprise development, and IT security and compliance. In 1997 he co-founded ISNetworks, a company specializing in digital signature and encryption technologies. While running ISNetworks, he and business partner Jess Garms co-wrote several articles and the book “Professional Java Security”, published by Wrox Press.
He currently lives in San Francisco, working as a consultant at ThoughtWorks, where he spends a lot of time thinking about how to help companies be productive, efficient, and secure.