Code Review for Security



Great talk/tutorial, very hands on.

This tutorial was very informative and fun. It was definitely worth coming for the tutorial day to be in this talk. Anthony's knowledge and passion on this subject come through so naturally.

The basics of this session were a good review of application security.

Would have preferred more of a walk through on some of the code. Might have been fun to try writing secure code, rather than always reviewing existing code. I'd also like to see non-framework/platform code.

Anonymous at 14:39 on 8 Feb 2014

It was excellent; however, I wish we could have had more time to dive into the other repos that were left more as homework. I learned a lot.

Great tutorial. He did a great job of getting everyone involved.

Excellent talk. I love how he made us think about what was wrong and made us find things on our own, but some of the repositories were a bit long for us to go through in the small time frame given. After we analyzed them ourselves and discussed what we found, I would have liked it if Anthony had shown us where he started and all the points he had found, so that we would know what we missed. This seemed to happen sometimes, but not with them all, and I think there were many things we missed that weren't discussed.

Maybe instead of relying solely on audience recon, have an answers slide(s) after each repo with all the problems with the code and we can discuss how to fix them all. Then maybe ask the audience if they saw anything else to discuss.

I'd have enjoyed a little less of, "Here, see what you can find in this code" and a little more on how things work and best practices to avoid the pitfalls.

For example, the discussion on timing attacks was very interesting. Mr. Ferrara did a fair job explaining how it worked, but glossed over the solution a little too quickly.

The repos were too deep for a cursory look to identify issues quickly for an audience who isn't habituated to doing so.

Even something like a walkthrough of creating a secure login page and process for tracking valid authentication would have been wonderful. Could have stepped through how and why each pitfall was mitigated. I've often been told how 'not to do something' without the information on how it 'should' be done.

We were told that when using the mcrypt library, using ECB mode with Rijndael was bad, and CBC was good. Information on why would have been nice, and how bad is 'bad'? If you used CBC, you have to be able to recover your IV for decryption, right? What if you don't want to use the same IV for all your data, or store that in your DB to protect the encryption in case of theft of the DB? ECB might need to be an option. Perhaps a separate talk on how to properly implement the mcrypt (or other crypt) library would be nice. (NOT how to roll your own encryption, which we all know is bad.)

Clearly Mr. Ferrara knows what he is talking about. Would just like a little different format in the tutorial.
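The IV question in the comment above has a standard answer: a CBC IV does not have to be secret, only unpredictable and unique per encryption, so it is generated fresh each time and stored alongside the ciphertext rather than in a separate column. The following is an added example, not code from the talk or this page; it uses PHP's openssl_* functions instead of the deprecated mcrypt extension, assumes a 32-byte master key held outside the database, and also shows the constant-time comparison that closes the timing attack mentioned earlier.

```php
<?php
// Added example (not from the talk): CBC with a per-message IV that travels
// with the ciphertext, plus an HMAC checked in constant time.
// Assumption: $masterKey is 32 random bytes loaded from a secrets store.

function derive_keys(string $masterKey): array
{
    // Separate keys for encryption and authentication, derived from one secret.
    return [
        hash_hmac('sha256', 'enc', $masterKey, true),
        hash_hmac('sha256', 'mac', $masterKey, true),
    ];
}

function encrypt_record(string $plaintext, string $masterKey): string
{
    [$encKey, $macKey] = derive_keys($masterKey);
    $iv = random_bytes(16);                      // fresh, unpredictable IV per message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: the tag covers IV and ciphertext, so tampering is caught.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $tag);      // one opaque column in the DB
}

function decrypt_record(string $encoded, string $masterKey): string
{
    [$encKey, $macKey] = derive_keys($masterKey);
    $blob = base64_decode($encoded, true);
    if ($blob === false || strlen($blob) < 16 + 32) {
        throw new RuntimeException('malformed record');
    }
    $iv  = substr($blob, 0, 16);                 // IV recovered from the record itself
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    // hash_equals runs in constant time; a plain === leaks how many bytes matched.
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo key; a real one never lives in the same database as the data.
$masterKey = random_bytes(32);
$stored = encrypt_record('card holder: example', $masterKey);
assert(decrypt_record($stored, $masterKey) === 'card holder: example');
```

Because every record carries its own random IV, two identical plaintexts produce different ciphertexts, which is exactly the property ECB lacks.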

I enjoyed your security review, and I'll be checking out your blog.

This was one of the talks I was expecting to attend, and I enjoyed it and learned a lot more about security; reviewing code for security on open source repos was really fun.
The only thing that I wish we had done is to review code in pairs or share some of our own code to review.

One of the best talks I attended at this conference. Anthony was a very clear and focused speaker, and his presentation was very hands-on. The code snippets and real-life open-source projects he selected for examples demonstrated a lot of the topics he covered. I learned quite a lot!