Tuesday, October 1, 2013

GOTO Day 2

Yesterday I was somewhat disappointed. Today the GOTO I know and enjoy is back!

The day is not finished, but I can already say I learned stuff today. I went to the two web security talks. For a while now I've gone to the security talks at the conferences I attend, and it seems to me that the signal-to-noise ratio is generally low at these talks. I think this is to some extent because both speakers and conferences assume that the audience sees security as boring, so they try to make security digestible by disguising it, wrapping it in gags etc. All of which risks detracting from the actual content.
Both the web security talks at GOTO today were well worth going to, though. The first talk by Aaron Bedra was about spotting attacks by looking at the behavior of clients and the second by Niall Merrigan was about defensive programming. Both were good, but I will focus on the first.

Aaron talked about how you can have your web server keep an eye out for suspicious behavior. Suspicious behavior could be a number of things, like a client doing only HTTP POST requests, clients originating from countries that your site is not aimed at, or clients making requests that do not look like the requests created by the browser indicated by the user agent. Each of these behaviors is only an indicator on its own, but if a combination of them is present you are likely seeing an attack. Such a combination is a signature.
Taking this a step further, Aaron talked about how you can profile clients based on these signatures and identify clients that are likely rogue. Once a client is identified, another part of the system can take the appropriate action, which can range from simply rejecting the client with e.g. 403s, over introducing extra hoops to jump through (think CAPTCHA or security questions), to just flagging the client and storing the information for later analysis.
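To make the idea concrete, here is a small added example (my own sketch, not code from Aaron's talk or from RepSheet) that groups constructed sample requests by client, checks the three indicators mentioned above, and maps the number of matching indicators to an action. The expected-country list, the header check used to spot a user agent mismatch, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Assumption for this example: the site is aimed at Danish and Swedish visitors.
EXPECTED_COUNTRIES = {"DK", "SE"}
# Headers a real browser always sends; a "Mozilla/..." user agent without them is suspicious.
BROWSER_HEADERS = {"accept", "accept-language"}

# Constructed sample traffic: (client_ip, geo_country, method, user_agent, header_names)
SAMPLE_REQUESTS = [
    ("10.0.0.1", "DK", "GET",  "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0", {"accept", "accept-language", "accept-encoding"}),
    ("10.0.0.1", "DK", "POST", "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0", {"accept", "accept-language", "accept-encoding"}),
    ("10.0.0.2", "SE", "POST", "Mozilla/5.0 (Macintosh) Safari/537.71", {"accept", "accept-language"}),
    ("10.0.0.2", "SE", "POST", "Mozilla/5.0 (Macintosh) Safari/537.71", {"accept", "accept-language"}),
    ("10.0.0.3", "XX", "POST", "curl/7.30.0", {"accept"}),
    ("10.0.0.3", "XX", "POST", "curl/7.30.0", {"accept"}),
    ("10.0.0.4", "XX", "POST", "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0", set()),
    ("10.0.0.4", "XX", "POST", "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0", set()),
]

def indicators_for(requests):
    """Return the set of indicator names that one client's requests trigger."""
    found = set()
    if all(r[2] == "POST" for r in requests):          # client only ever POSTs
        found.add("post_only")
    if any(r[1] not in EXPECTED_COUNTRIES for r in requests):
        found.add("unexpected_country")
    for _, _, _, ua, headers in requests:              # claims to be a browser but lacks browser headers
        if ua.startswith("Mozilla/") and not BROWSER_HEADERS <= headers:
            found.add("ua_mismatch")
    return found

def profile_clients(requests):
    """Group requests by client IP and evaluate each client's indicators."""
    by_client = defaultdict(list)
    for r in requests:
        by_client[r[0]].append(r)
    return {ip: indicators_for(reqs) for ip, reqs in by_client.items()}

def decide(indicators):
    """A single indicator is only flagged for later analysis; a combination is
    treated as a signature and escalates to a challenge or an outright 403."""
    n = len(indicators)
    return "block_403" if n >= 3 else "challenge_captcha" if n == 2 else "flag" if n == 1 else "allow"

def evaluate(requests):
    """Map every client in the sample to the action the signature calls for."""
    return {ip: decide(ind) for ip, ind in profile_clients(requests).items()}

if __name__ == "__main__":
    for ip, action in sorted(evaluate(SAMPLE_REQUESTS).items()):
        print(ip, action)
```

Note that 10.0.0.3 is not penalised for a user agent mismatch: curl does not claim to be a browser, so only the POST-only and country indicators fire and it gets a challenge rather than a 403.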
Lastly, Aaron talked a bit about the framework he created for dealing with these sorts of things: RepSheet, which I do hope to find the time to look into some more.

That's it for today except for this: If you're at GOTO tomorrow you must go to Bodil Stokke's talk, otherwise you're doing it wrong :)