This week I attended Interop NY for 5 days and thought I would share some highlights from the week.  The daily commute was painful, but Javitz is only a brisk 15 minute walk from Penn Station and a pretty cool venue overall.

Day One:  The first day I attended an all day workshop consisting of an intro to web application penetration testing.  It was a nice review of some of the popular exploits today, and if you are responsible for writing or supporting a web app I would highly recommend you become familiar with the OWASP top 10.

Hint:  If typing <script>alert(‘Hi Hacker’)</script> in an input box on your website produces a pop up box, be afraid.  Be very afraid… Some useful tools reviewed included sqlmap, Burp, and an awesome cross-site scripting checker called XSS-Me.

Day Two:  On the second day I attended another all day workshop which focused on components of a risk management program.  The preso was very well put together and the speaker made some interesting points.  For example, the cloud should be defined as anything out of our direct control. There is no such thing as a “best” practice. Refer to industry recommended practices instead. IT security is subset of Information Security which is a subset of Enterprise Risk Management.

Days 3-5:  Vendor Expo and Educational Sessions

The following day was the kickoff of the expo and began with the first of two keynotes.  The headliner was Seth Myers and he did a 30 minute stand-up with some technology jokes peppered throughout.  He shared a story about that one time he jumped on his friend’s computer and typed the first few words of a search and the terrifying search history of his friend appeared…AWKWARD. There were some other great keynote guests like a VP from CBS and HBO.  The founder of Gilt was there and the CTO from Obama’s campaign in 2012.  There were some others as well.  Overall, they had some very insightful comments prepared and even some non-orthodox ways of running their enterprises.  For example, Gilt makes changes to production every 15-30 minutes by breaking apart their website into hundreds of small applications managed by different groups.  Essentially, they are mimicking open source development within the enterprise.  Several company execs agreed that there is a major talent shortage and believe strongly in developing talent internally and keeping your employees content.

Throughout the keynotes and the 1 hour sessions over the next 3 days, I heard many technology buzz words absolutely destroyed.  Can I get an amen?!

• Big Data is just data.  We need Big Answers.  – Harper Reed (Formally Obama 2012 CTO; Modest, Inc.)
• Big Data is just business analytics with lipstick. – John Pironti (IP Architects, LLC.)
• Cyber, Cyber, Cyber, Cyber, Cyber…stop it! – David Rhoades (Maven Security)
• The cloud is just adding another data center that you don’t manage. – Elliot Glazer (Dunn and Bradstreet)

The vendors came out in DROVES.  I heard one vendor throwing around a new term I can imagine picking up speed, “encryption in-use.” The irony of it all is that one of the ongoing messages throughout the Information Security and Risk Management track was to stop buying “widgets” you will not make full use of before first making full use of the “widgets” you have.  With that said, the expo was a very effective way to get up to speed quickly on a wide range of vendor offerings.  Although, I think I will need a new work number because I have no doubt that it will be ringing off the hook from now on.  Good thing I registered with my CISO’s phone number instead of my own…

In addition to chatting with many vendors and sitting through several vendor specific presentations, below is a list of the sessions I attended.  Feel free to reach out if you want more information about any of them, but the slides from every presentation is available right HERE.

Rating:  Fair – I’d go back for the keynotes and expo, but I felt like they were trying awfully hard to stretch a 2 day conference into a 5 day conference.

Thanks for reading and don’t forget to subscribe!