Blogging has been light here for a while, though Twittering hasn’t. The past few months have seen a busy travel schedule and a number of talks; maybe it’s time to quickly dump links to the various slide sets here:
- At RSA Conference in San Francisco, I spoke on a panel about security usability with fellow Web Security Context Working Group members Mary Ellen Zurko, Rachna Dhamija, and Phillip Hallam-Baker. No slides, but a reasonably nice discussion.
- At the Web Conference in Beijing, just two weeks later, I ended up on a panel on policy languages, with Renato Iannella, Piero Bonatti, and Lalana Kagal.
- Also at the Web Conference, I spoke about Widgets – Web Vulnerabilities for All, taking a look under the hood of some commonly found widgets and explaining how they can be used to break into your computer. As much as I like that Widgets are making it easier to write portable network client applications, I also think that the current platforms’ security models make it far too risky to actually run these beasts. We’ve got some catch-up work to do there.
- In Web Application Security Issues at the same conference, I also talked about widgets, but then asked what the programming practices there tell us about the future of Web Applications, when ever more security-critical code actually runs on the client. That outlook is rather dark right now, in terms of security. (Although it won’t get much worse than the current situation.)
- Finally, I went to nearby Ghent, to talk about HTML5 and what’s security relevant in there. Slides here: Would you like fries with that? In short, there’s a bunch of good work being done in that spec, but other parts need some serious attention from the security community.