I made it back to the States after the ROOTS conference and wanted to post some comments. It was a great conference with a lot of interesting folks and I was thrilled to have the opportunity to present.
On Tuesday, Andre Klingsheim and Lars-Helge Netland gave a great talk on Architectural Risk Analysis. They ran us through a fantastic exercise where we had to work with folks at our tables and rank the most common causes of death in the USA. My partner and I did all right – we got all the right causes of death but had some of them in the wrong order. That was useful for examining perceived versus actual risk. They also discussed the traditional Risk = Probability x Impact formula for quantitative risk analysis and why it is challenging to apply consistently across practitioners and projects so we also looked at qualitative risk analysis. This is great material for software developers to cover and having more conversations in this area can do nothing but help increase the awareness of software security issues across the industry.
Martin Knobloch and Marinus Kuivenhoven gave a fantastic Application Security Workshop on Wednesday. They went through an introduction to OWASP tools like WebScarab and WebGoat and then walked through the OWASP Top 10 2007 with examples. I have been over this material a number of times, but I got a lot of benefit out of a number of the examples and case studies they talked about. Again – presentations like this can only help to get the software development community more interested in the security implications of the applications they are producing.
Thanks again to the ROOTS committee and all the attendees.
dan _at_ denimgroup.com
(The picture is of an extremely well-dressed stick figure crossing the street in Bergen, Norway)