Security Development Session In The UK

Imagine if security was cool like Silverlight....

But security is not that cool, so the biggest challenge I faced was presenting security topics in a way that people enjoy. Here are some techniques I used while I was delivering a number of security sessions in MS Services UK.

I also used some hacking exposed to add some salt and pepper - it usually entertains people, these can be good examples:

 

  • I talked to a very broad audience during a general session about what Security Engineering is all about and "what-is-in-it-for-me" for MS as a whole and for the Services organization specifically. Here I showed broadly used non-security tools doing security stuff. For example, I showed "Security .Net Code Inspection Using Outlook 2007". It surprised people that their day-to-day tool of the trade can actually do security stuff. I used a lot of quotes from third parties like "I Thought Security And ROI Are Nonsense When Used Together" - it sounds more authentic.
  • Then I talked about lifecycle integration for security engineering. There is a lot of confusion, mostly because of the information avalanche and multiple interpretations, so I walked the audience phase by phase, explaining the proper technique for each phase, possible outcomes, lessons learned from actual engagements and some funny stories from the trenches - it is important to have fun, since security is the most boring thing in the world.

That was fun, for me at least. I got some nice feedback like "You presented a dry topic [security] in a very funny way - I enjoyed it very much and it was very informative", "I always thought security is a boring thing - your presentation was very entertaining and with clear messages".

It was actually my first time in the UK and I learned a lot about the famous English sense of humor - it was everywhere. I learned that the UK is very expensive.

Thank you Graham and James for the opportunity! Looking forward to working with you soon.