Yesterday I arrived in Chicago for my first TEK·X PHP conference. After getting in, I had an interesting conversation with Bill Karwin over dinner. Bill is the author of SQL Antipatterns and is presenting on SQL Injection Myths and Fallacies as well as Models for Hierarchical Data with SQL and PHP here at TEK·X. I was able to pick his brain on a wide range of topics including his thoughts on NoSQL and Object-Relational Mappers (ORMs). I tend to be skeptical of both (although there are certainly uses for both) and I got the sense from our conversation that my skepticism is well founded.
Today was tutorial day, or day zero. This morning I attended Arne Blankerts’ Bad Guy For a Day – A Websecurity hands-on tutorial. I liked that he took a step back and looked at the different types of security such as the transport layer, infrastructure layer, data warehouse, user interface design, user level security, and application level security. He talked about the usual suspects such as cross-site scripting (XSS), session fixation, cross-site request forgery (XSRF), and SQL injection. Filtering input and escaping output was also addressed, of course. He demonstrated attacks on several security holes in an (intentionally) badly written application. Take a look at the slides for more details.
One last note: if you happen to be here at TEK·X then be sure to rate the sessions on joind.in. The speakers really appreciate the feedback!