Today I attended the Microsoft DevDays 2004 event in San Francisco. Overall, I'd give it a 6.5 out of 10. Better than a six but not quite a seven (how is that for redundant?). I stayed with the Web Security track, so my impression is based on those sessions.
I missed the larger chunk of the opening keynote, but the last 20 minutes or so that I did catch did not impress. Perhaps it was because I am already familiar with Reporting Services and Whitehorse, or maybe it was because the presenters did not exude confidence or excitement, or perhaps it was because of glitches in the demos. Whatever it was, things got off to a rocky start and didn't get much better from there.
In the first session, Fletcher Johnson went over ASP.NET security fundamentals. Fletcher is a charismatic speaker and things started off well. However, he soon ran into some trouble with the demos and had to handwave a good chunk of his presentation (Windows authentication and impersonation, exactly the concepts I often see people struggling with). In all likelihood the demo glitch was not his fault, but unfortunately that seemed to be the theme of the day. Towards the end of the session, he was asked a question related to forms authentication and he answered it plainly wrong. That just killed it for me.
The second session, Threats and Threat Modeling, was presented by Sam Gill. Sam also got off to a good start but was soon tripped up by demo problems. As an aside, I think what separates good presenters from average ones is their ability to perform under pressure. For whatever reason, the DevDays presentations proved challenging for everybody, and I am disappointed to say that really no one managed to recover gracefully. In any case, the presentation concentrated on two types of attacks: SQL injection and cross-site scripting. The examples were quite exaggerated. Not that I doubt that people do create sites that are that vulnerable, but I also hope those same people don't get to keep their jobs for long. Still, it was good to be reminded, and tomorrow I plan to do a full sweep of the code just to make sure I always validate my inputs and HTML encode my outputs...
I got into a discussion with folks from ObjectWare about their O/R mapper and was late to the Defenses and Countermeasures session presented by Keen Browne. While not as strong a speaker as the previous two, Keen struck me as having a much better grasp of technology. The highlight of his talk was the various options for treating (securing) database connection strings. I am not sure I buy the recommended approach (registry + DPAPI) but it was interesting to see those options described.
Last session of the day, Examining an End-To-End, Hack-Resilient Application (OpenHack 4), was presented by David Deatherage. I am sorry to say, David was the dullest speaker of the bunch. He went over the architecture of the OpenHack application (written by folks from Vertigo) and highlighted the areas of particular interest (input validation, output encoding, securing the database, and so on). Nothing was particularly new or exciting. Apparently, of the 80,000+ attacks on the application, none succeeded. I am curious what was considered an “attack”. The number just seems awfully high. I am also curious how the other participant in the OpenHack competition, Oracle, fared with their application. Since nothing was said about it, I can only assume that they weathered the storm equally well.
I didn't stick around for Juval Lowy's closing keynote, so I can't comment on it.
So why did I rate the event so low? In one word: organization. It seems that all the problems the speakers were having with their demos stemmed from two causes: unfamiliar equipment and unfamiliar script. I will give the speakers the benefit of the doubt and assume that it wasn't their fault ('cause it was either that or they all slacked off). The machines weren't configured properly for the demos' needs, with appropriate user accounts and/or permissions, and above all either weren't beefy enough or were too bogged down. As to the scripts, it became pretty obvious that each speaker had to follow a pretty detailed, multi-page slide and demo script. This makes sense considering that Microsoft wants to present the same information to developers in many locations. Unfortunately, every presenter struggled with the script. Either the scripts were handed down too late and people weren't given enough time to prepare, or they were just plain difficult to follow. Whatever the cause, this aspect of the event needs work for next time.
My next gripe is with lunch. No, not the food (which was pretty good, and the presentation and delivery were great). No, my issue is with the marketing partner demos that were forced on us during the meal. First of all, there were all of maybe ten companies in the partner pavilion and plenty of time to visit each one and have a conversation with the sales folks, so the grand demos were just not needed. But most importantly, to force loudspeaker demos on us during lunch, the prime opportunity to meet people and network, in the middle of a PAID event, was just unforgivable!
My last organization point is not so much a complaint as it is a request: next time, please consider helping out with parking. :-)
The one other observation I would like to make has to do with the background of the speakers. It seems that the people giving presentations, perhaps with the exception of Keen, haven't really spent too much time in the proverbial trenches lately. Not that there is anything wrong with that, and their experience no doubt gave them valuable perspectives on the subjects they were presenting. The problem is that they really couldn't answer technology (or code) questions “outside the script” with much expertise. Perhaps in the future, Microsoft should book two people for each session: one would be the speaker and the other would be the true technology expert (yes, a coder) who would be there to back up the speaker when it came time for Q&A.
posted @ Wednesday, March 10, 2004 7:39 PM