Talk comments

A genuinely engaging and interesting talk from a very experienced presenter.

Well written, not rushed. Informative enough, but not confounding for those with no experience with 2FA.

Showed how easy it is to implement and, critically, inspired probably more than just myself to go away and put it in place in their applications.

Lucia Velasco at 11:52 on 13 Apr 2017

It was pitched perfectly for me. The combination of technical concepts with straightforward language was really helpful. I came away feeling that I'd learnt a lot about one subject, including actionable information and an understanding of some of the technical language (acronyms) in this area. It was very useful that concise yet complete tidbits of whats and hows were peppered throughout without being code heavy (what should I use, how should I use it); as a result 2FA feels very doable without the need to re-research it.

I benefitted from the frequent reminders that users are inherently lazy, as well as the questions afterwards which probed the feasibility of this becoming mainstream.

Craig Francis at 11:32 on 13 Apr 2017

Good talk, as I've been meaning to look at the inner workings of Two Factor Authentication (the algorithm).

The simplicity will hopefully push me to implement it soon, but I also appreciate the comments that while the basic check is easy, we need to develop a full solution - e.g. the ability to remember the browser (to avoid annoying the customer); and a fallback process (when the user drops/loses their phone).

Craig Francis at 11:26 on 13 Apr 2017

A good intro to the differences between OWASP Top 10 Security Risks (the classic well known list), vs the Top 10 Proactive Controls (which is a better list for developers to review).

I didn't know the Proactive Controls list existed, and agree that this is much better for developers to read and understand - e.g. Parameterise Queries (C2) is a known thing you can do and read up on, whereas Injection (A1) is a general concept that covers many things (parameterised queries being a good solution for the SQL injection problem, but does not cover Command Injection).

The only change I'd make (very minor) is that I might remove one of the slides which shows the simple website path. It was shown a few times, which might be good for some people (who learn better with repetition), but with a short talk I don't think it was necessary (for me).

Experienced presenter who took his time and spoke with confidence. Handled questions responsibly, answering and reflecting on those that he could and acknowledging when he didn't know the answer.

Genuinely interesting topic as I didn't know how 2FA worked. Would have been good to hear some more thought leadership probing some questions about its usage etc.