I’m going to be presenting at SD Best Practices 2007 in Boston in September.
I will be expanding upon the talk I gave at SD West 2007, “Securing the MVC Architecture”. This time, I’ll dive into some code and show examples from the Hacme series of applications.
The gist of the talk is that application security should be addressed as an architecture issue. The Model-View-Controller architecture shows up in a lot of web frameworks, and in the talk I discuss common security patterns that make sense both for people who develop MVC frameworks and for people who develop applications on top of them.
[DIAGRAM MISSING]
This diagram, which I thought of over breakfast one morning, was the “A-Ha!” moment for this topic. I wondered: what are the ideal places to fit security code into MVC? In my presentation, I talk about why each piece goes where it does. I also dig into some real-world examples (Ruby on Rails, Struts, ASP.NET) that do and don’t implement these security patterns.
My colleague from Foundstone, Rudolph Araujo, is also presenting there. I have no doubt that his talk on Security Code Reviews will be filled with insight and real-world experience.
Send me an email if you’re going to be at the show or at TechMash and want to meet up.