Part 1 of 2.
TL;DR – WordCamp Miami is an AMAZING conference, but we still have lots to do educating people on security.
I’d be remiss if I didn’t start this post with acknowledging the incredible work and effort put in by David Bisset, Ptah Dunbar and all of the other organizers for this year’s WordCamp Miami. With the exception of a couple of very minor hiccups, the event went off without a hitch. I can’t thank the organizers enough for everything they did to make WordCamp Miami 2017 a success.
Started Friday morning by meeting and sharing a ride with the wonderful, talented Shilpa Shah, cofounder of Hummingbird Web Solutions. Shilpa flew for 27 hours to come to WordCamp Miami! She reminded me immediately of why I love attending WordCamps: incredibly intelligent, kind, helpful people coming together to share their knowledge. I was honored to be able to get to know her, and will most definitely be taking her up on her offer to come visit India.
I decided to attend the BuddyPress/REST API pre-conference workshop. We don’t use BuddyPress but I was interested in learning more about it, and definitely wanted to dig more into the REST API. David Laietta did a great job introducing us to what BuddyPress is, and what it isn’t, and when it can be a good fit in his BuddyPress 101 talk. Next up, I have to give Tara Claeys major props for embracing the 80’s theme and her inner Jane Fonda to share how her firm used BuddyPress to power a wellness challenge. I really wish I had taken a photo of Tara’s outfit! UPDATE: Erica Lynn saves the day! Erica had the photo I was wishing I had taken and was kind enough to let me post it here!
After lunch was Andrew Taylor from Pantheon to discuss the REST API. The most exciting piece from this talk was that I learned of some undocumented “features” of the REST API that I believe are exploitable. For now that’s all I’ll say until I can dig into them further, and report to the appropriate parties. Besides that, I learned that WordPress has added quite a few capabilities in the REST API for custom post types simply by setting show_in_rest to true when registering a new post type.
Brian Messenlehner made a great Axl Rose, and did a good job of introducing people to his service AppPresser. John James Jacoby‘s presentation was equally intriguing as he discussed the current state of BuddyPress and his plans for its future.
Friday night was the speaker dinner. I had a wonderful time hanging out with Jonathan Brinley and Mike Herchel, and then playing Cards Against Humanity with Mike, Kimberly Lipari, David Laietta, Scott Mann and several other people. I got to experience my first plantain and had a thoroughly engaging conversation with Mike and his buddy Kyle on Drupal, how Drupal is changing the update process, the current controversy and the future of Drupal.
I was the first session in the morning on Saturday. I left the hotel early with plans to get some coffee and a bagel on campus before heading over to the auditorium. Much to my disappointment, I discovered that there aren’t any coffee shops on the FIU campus open on Saturday mornings. WHAT?! What kind of campus doesn’t have coffee regularly available on the weekend? Luckily, my man Patrick Alexander hooked me up with some cuban coffee (though not the cuban espresso that I would fall in love with later). With my caffeine firmly taken care of, I headed back over to the vendor area to meet up with Victor Santoyo from Sucuri. Absolutely incredible guy. Wicked smart. From there I headed back over to get set up for my talk.
Not sure how many people were in my session, but all-in-all, I think it went pretty well. The presentation is normally an hour in length so I had to trim quite a bit out and talk a bit faster than I would have liked in order to squeeze it into the 30 minutes I had available. People seemed to appreciate the information I shared with them, and I ended up having numerous conversations with people later on the subject of securing their site. From there I headed back over to the Sucuri booth to hang out with Victor and discuss things further with people that had attended my talk.
By this point Sal Aguilar had arrived, so he and I manned the booth while Victor went over to do his AMA talk. Sal is also an incredibly talented security analyst for Sucuri. Not only does he work for Sucuri but he’s also the organizer of WordCamp Nicaragua 2017! Sal and I discussed the state of security on the web, the acquisition of Sucuri by GoDaddy and what that means for the future of Sucuri, and the history of WordCamp Nicaragua and challenges he has faced in trying to make sure WordCamp Nicaragua 2017 happens. Sal is a hard worker, and I have no doubt #WCNI2017 is going to be a huge success.
Next up was Mike Herchel’s presentation on WordCamp & Drupal: Community and Contribution Differences and Lessons. As I had suspected, there are many more similarities between the two camps than I think most people are willing to admit. Ended up eating lunch with Mike and Kyle where discussed some of the challenges organization face in trying to keep their tech stacks up-to-date.
After lunch was Chris Wiegman‘s extremely fast session on Securing Your Webserver. I really think the track chairs did a disservice relegating Chris’ presentation to an 8-minute lightning talk. TONS of good information, but only enough to leave you wanting more information. As I had suspected, he discussed php-fpm (something I strongly encourage you to implement if you run your own webserver) and firewalls, but he also covered fail2ban and chrooted jail, two topics that I really wanted more information on. Specifically, I’d like to implement fail2ban in our own environment combined with the network restrictions we’ve added. Chroot jail I was unfamiliar with and now am digging into. Luckily, I know Chris so I’ll just bug him directly.
I spent the remainder of the day hanging out in the Sucuri booth and in the happiness bar. I helped several people with issues on their sites ranging from simple CSS issues to a site that had been compromised. It was my experience that afternoon (and a few sessions on Sunday) that made me realize that those of us in the infosec space still have a long way to go in terms of educating everyone on proper site security. I’m not throwing shade at any person, and especially not anyone that I assisted in the happiness bar. On the contrary. Everyone has to be new at some point, and we can’t expect everyone to be knowledgable on security right from the beginning. What we need to do is make sure securing their site is intuitive and easy. We need to make sure that we make products that are secure to begin with and stay secure with little-to-no-effort on the part of the end user. And we need to make sure there are plenty of talks, sessions, articles, etc. for anyone who has questions or wants to dig in deeper.
At this point, I need to give major props to Fernando Polania. Not only did he offer to give me a ride back to the hotel Saturday afternoon, he also came back Sunday morning to pick me up AND took me to the airport Sunday evening. Oh, and he also organized all the food at WCMIA. All of it. Seriously, this dude is amazing. Super nice guy. Fernando, if you’re reading this post, I’m buying you dinner next time I see you.
The after party was fun. David orchestrated a game of trivia via kahoot.it. I ended up winning a PHP Elephant (donated by PHP Women) of which my daughter absolutely loves. The mall where the event was held had a live latino band that was incredible. It was at this point that I realized 1. I really wish I had taken more spanish in college, and 2. I really enjoy the latin culture. The music, the atmosphere, the food, the language. If I hadn’t been so exhausted I would have stayed later and soaked up more of it.
Continue to Part 2.