March 16, 2009

SOURCE Boston Conference Was a Blast

I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality, but a few still stood out for me:

Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a QuickTime heap overflow. He got the built-in iSight camera to take a picture of his victim and send it to him, just by having the victim click on a malicious QuickTime movie file. He talked about how exploiting OS X is 1999 all over again because of the lack of ASLR and stack canary protection. He said hacking Windows and Linux is a chore, but OS X is still fun.

Chris Gates and Vince Marvelli on Attacking Layer 8: Client Side Penetration Testing. Client-side attacks are on the rise and are now the corporate attack of choice, yet we don't pen test for them. What's up with that? The video for this one is already available online at Vimeo.

Val Smith on Dissecting Foreign Web Attacks. Val unwound one of the popular attacks of our time: compromising web sites to install malicious code that owns the browser and then installs a bot. We all understand it is possible, but it is great to see all the tricks of the trade. It is pretty clear that the source of this one was China.

Chris Hoff on The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance. This talk is being touted as the best ever. Unfortunately I missed it. Can't wait to see the video.

The videos for all the SOURCE talks should be on-line over the next few weeks. Check

Here is another review of the conference that will help you decide which videos are worth watching:


Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
