Billy Hoffman: HP very much wants to keep SPI intact. This isn't an acquire-and-strip-our-resources type of thing. They understand we're the leader in Web application security. SPI Dynamics has over 1,000 customers right now and we talked at a third of all Web application talks at Black Hat last year, so we're clearly the leader and they know this. They don't want to kill the golden goose.
So HP has openly expressed that it wants to hang on to SPI Dynamics' talent?
Hoffman: Oh, yes. We certainly have a large number of customers but it's not like they're buying us for our customer portfolio and ditching us. They realize the people, the research and intellectual property and the knowledge we have of Web application security is really what makes us valuable and they very much want to keep us intact.
At last year's Black Hat conference you warned that Ajax-based applications are being adopted quickly without a lot of thought about security. Will that be a recurring theme for you this year as well?
Hoffman: I'll be taking [the issue] to the next step. People are starting to realize there are issues with Ajax and I think developers kind of fall into some of these mistakes. I routinely browse around Ajax Web sites and forums and developers are still very much confused about which part of an Ajax app is running on the server and which part is running on the client. The danger is anything you put on the client an attacker can see in terms of secrets, data you may be caching temporarily, program application logic or flow -- all this information. You want to be very careful about what you're pushing to the client. We see things like Microsoft Silverlight, which is their version of Flash. It allows Web developers to build rich applications on both the client and server using the same language, in C# or what have you. The problem is that this blurs the line even more as far as where code is running and who can see what. So our big presentation is Ajax-ulation, which I'm giving with my co-author, Bryan Sullivan. We're writing a book called "Ajax Security" (due out Nov. 1) and we'll be giving away a chapter at Black Hat.
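The client/server confusion Hoffman describes, as an added example that is not part of the interview, of SPI Dynamics' material or of the "Ajax Security" book: a toy travel-booking flow in which the insecure version computes the price (and checks a promo code) in the browser and lets the Ajax endpoint trust that total, while the hardened version has the client send only its intent and the server recompute. The routes, fares, promo code and request shapes are all constructed for illustration; the `leakedStringLiterals` helper just reads the shipped function source back, which is what view-source or an intercepting proxy gives an attacker.

```javascript
// Added example, not code from the interview or from SPI Dynamics: a minimal
// travel-booking flow showing why logic and secrets pushed to the client are
// fully visible to, and controllable by, an attacker. Routes, fares, the promo
// code and the request shapes are all constructed for illustration.

const FARES = { NYC_LON: 540, SFO_TYO: 820 };

// --- Insecure pattern: price logic and a "secret" promo code live in the
// browser, and the Ajax endpoint trusts whatever total the browser sends. ---
function clientComputeTotal(route, promoCode) {
  let total = FARES[route];
  // Constructed secret. It ships to every visitor inside the page's JS.
  if (promoCode === "promo-secret-2007") total = Math.round(total * 0.5);
  return total;
}

function insecureServerBook(request) {
  // Trusts the client-computed total wholesale.
  return { booked: true, charged: request.total };
}

// --- Hardened pattern: the client sends only its intent (route, promo code);
// the server recomputes the price and keeps the promo list to itself. ---
const SERVER_PROMOS = new Set(["promo-secret-2007"]); // never sent to the client

function secureServerBook(request) {
  if (!Object.prototype.hasOwnProperty.call(FARES, request.route)) {
    return { booked: false, error: "unknown route" };
  }
  let total = FARES[request.route];
  if (SERVER_PROMOS.has(request.promoCode)) total = Math.round(total * 0.5);
  return { booked: true, charged: total };
}

// What an attacker sees: anything in shipped client code can be read back.
// Pull the string literals straight out of the function source, the same
// thing view-source or a proxy gives an attacker in a real Ajax app.
function leakedStringLiterals(fn) {
  const literals = [];
  const re = /"([^"]*)"/g;
  let m;
  while ((m = re.exec(fn.toString())) !== null) literals.push(m[1]);
  return literals;
}

// What an attacker sends: the Ajax body with the total replaced.
function tamperedRequest(route) {
  return { route, total: 1, promoCode: "" };
}

function demo() {
  const honest = { route: "NYC_LON", promoCode: "", total: clientComputeTotal("NYC_LON", "") };
  const evil = tamperedRequest("NYC_LON");
  return {
    insecureHonest: insecureServerBook(honest).charged,  // 540
    insecureTampered: insecureServerBook(evil).charged,  // 1: attacker names the price
    secureTampered: secureServerBook(evil).charged,      // 540: server ignores client total
    leaked: leakedStringLiterals(clientComputeTotal),    // ["promo-secret-2007"]
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run it with `node` to see the three charged amounts side by side and the promo code recovered from the client function's own source. The point of the hardened `secureServerBook` is not the promo check itself but that nothing the client sends is treated as an outcome: the browser can still show a live price for a "nice Ajax-y feel", but the number the server charges is the one the server computed.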
Will a demo be part of the Premature Ajax-ulation presentation?
Hoffman: We're going to run through a sample travel Web site we built complete with rich Web services, a nice Ajax-y feel and we'll run through it and say hey, here's a Web site we built using the techniques and design patterns in these books and Web sites and here's why we just built one of the world's most insecure applications. Here are the problems, here's what we didn't know, here's what all those books that tell you how to program in Ajax aren't telling you and how it's leaving you open.
You're also doing a presentation called "The Little Hybrid Web worm that could" …
Hoffman: We'll talk about Web worms, which we've seen on the rise over the last year with one affecting MySpace, one affecting Yahoo and some affecting Google. We've really seen these on the rise in the past year.