Defending Yourself: Integrating Real Time Defenses into Online Applications
This presentation was by Michael Coates, the AppSensor Project Lead. Michael works as a Senior Application Security Engineer at Aspect Security. AppSensor is a real time defense system with the goal being to protect an application by detecting who is bad and getting rid of them before they do bad things. My notes from this session are below:
Agenda
- AppSensor Project
- Malicious Attackers
- Application Worms
Detecting Attacks the Right Way
- Integration
- Detect INSIDE the application
- Understand business logic
- Effectiveness
- Minimal false positives
- Immediate response
- Effort
- Automatic detection
- No manual work required
Detection Outside the Application (WAF)
- Application context not available
- No concept of access violations
- Custom application + Generic Solution != success
- Ex: Changing the account ID in /viewAccount?id=1002
Inside the Application is Best
- Understand application & business context
- Integration with authentication & user store
How Does AppSensor Protect the App?
- Take many requests for an attacker to find a vulnerability
- Takes fewer requests by AppSensor to determine that the user is malicious
AppSensor is Faster than Attacker
- User identified as malicious and blocked before a vulnerability is found
Categories of Detection
- Request
- Authentication
- Access Control
- Session
- Input
- Encoding
- Command Injection
- File IO
- User Trend
- System Trend
Attack Detection: Real vs Cyber World
- Why do bank robbers get caught?
- Why don't hackers get caught?
Let's Change Things - Applications Should...
- Detect attacks
- Understand normal use vs suspicious use
- Instantly identify attackers
- Shutdown attackers in real time
- Modify application accessibility for defense
Detecting Malicious Users
- Many malicious attacks are obvious and not "user error"
- POST when expecting GET
- Tampering with headers
- Submissions of XSS attack
Detecting Malicious Users
- Bypassing client side input validation
- Transaction using functionality not visible to user role
- Multiple access control violations
- Change of user agent midsession
- Double encoded data
The Code
- Leverages ESAPI!
- 3 lines to setup AppSensor
- 2 lines per AppSensor detection point
Setting up AppSensor
- Configure response action object (log logout, account lock)
- Create AppSensorIntrusionDetector with response action object
- Set ESAPI intrusion detector
Defining Response Policies
- ESAPI.properties file
- Define
- Threshold count
- Interval of events
- Response action
- Per exception type or aggregate
2 Lines to Use AppSensor
- Check for "maliciousness"
- Create new AppSensorException
Understanding the Intrusion Exception
new AppSensorIntrusion Exception(
- request.getServletPath(),
- "ACE1",
- "User Message",
- "Direct object tampering with ..."
);
AppSensor vs Scanners
- Tools attempt 10,000s of generic attacks
- AppSensor stops automated scans nearly instantly
AppSensor vs Human Attackers
- Very difficult for attacker
- Requires advanced obfuscation for each attack
- Multiple probes == detection
Application Worms on the Rise
- Twitter Worm
- MySpace Samy WOrm
- Huge damages for site
- Remediation
- Cleanup
- Bad PR
- Infected Users
- Leverage XSS and CSRF
Detecting/Preventing an Application Worm
- Can you find/fix all XSS?
- Pattern matching easily foiled
- Block the common factor!
- Worms use XSS and CSRF for propagation
- 1000% usage increase -> problem
- Our example: updateProfile, updateStatus, updateName
Case Study: Samy
- MySpace Application Worm
- XSS worm embedded in User Profile
- Exponential Growth of Samy's friends
Samy vs AppSensor
- AppSensor detects uptick in addFriend usage
- Compares against trended info
- Automatic response initiated
- Alert admin +200% add friend usage
- Alerts admin 2nd time +500% add friend usage
- Automatically shuts down add friend feature
- Result
- Worm contained
- Add friend temporarily disabled
- Site stays up
Benefits of Trend Monitoring
- Detection of
- Application worms
- Scripted attacks/probing
- CSRF attacks
- Alerting of excessive activity
- Selective feature shutdown for overall stability
AppSensor in Action
- Demo social networking app
- Defended with AppSensor trend monitoring
What's Under the Hood?
- REST communication between AppSensor & App
- Support Response Actions (warn user, logout user, disable user, etc)
AppSensor Brain
- Drools - Rule Based System
- Support for complex rule sets - much more than just counting feature usage
- Evaluates objects in Drools memory
The Exploit
- XSS infects victim's "Status" with worm
- CSRF adds victim as friend of Charlie
Defend with AppSensor
- AppSensor Policy
- Notify admin if events > 5
- Disable service if events > 10
- AppSensor notices anomaly - alerts admin
- After 10 events AppSensor disables just that feature of the site
- Users protected, worm contained, site stays up
Trend Monitoring Benefits
- Auto detection of attacks
- ...
Development Issues within AJAX Applications: How to Divert Threats
This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below:
Agenda
- What is AJAX?
- AJAX and Web App Security
- AJAX and Test Automation
- Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking
- AJAX Best Security Practices
- Demo
- Q&A
What is AJAX?
- Asynchronous JavaScript And XML
- AJAX allows for a new generation of more dynamic, more interactive, faster Web 2.0 applications
- AJAX leverages existing technologies, such as DHTML, CSS< DOM, JSON, and the (a)synchronous XMLHTTPRequest (XHR)
- Not just a set of technologies, but a new Web application development approach and methodology
- XHR allows for (a)synchronous server requests without the need for a full page reload
- XHR "downstream" payload can be
- XML, JSON, HTML/JavaScript snippets, plain text, serialized data, basically pretty much anything...
- Responses often get further processed using JavaScript and result in dynamic web page content changes through DOM modifications
AJAX Code Example
xhr = new XMLHttprequest();
xhr.open("GET", AJAX_call?foo-bar, true);
xhr.onreadystatechange = processResponse;
xhr.send(null);
function processResponse() {
if (xhr.readyState == 4) {
if (request.status == 200) {
response = xhr.responseText;
...
}
}
}
XHR and the Same Origin Policy
- Same origin policy is a key browser security mechanism
- To prevent any cross-domain data leakage, etc
- With JavaScript it doesn't allow JavaScript from origin A to access content/data from origin B
- Origin refers to the domain name, port, and protocol
- In the case of XHR, the same origin policy does not allow for any cross-domain XHR requests
- Developers often don't like this at all!
Common Cross Domain Workarounds
Cross-domain access is often still implemented by various means, such as:
- Open / Application (server-based) proxies
- Flash & Java Applets (depending on crossdomain.xml)
- Ex: FlashXMLHttpRequest by Julien Couvreur
- RESTful web service with JavaScript callback and JSON response
- EX: JSONscriptRequest by Jason Levitt
AJAX Frameworks
- AJAX frameworks are often categorized as either "Client" or "Proxy/Server" framework
- "Proxy/Server" frameworks sometimes result in unintended method/functionality exposure
- Beware of any kind of "Debugging mode" (Ex: Direct Web Remoting (DWR) debug=true)
- Remember: Attackers can easily "fingerprint" AJAX frameworks
- Beware of JavaScript Hijacking
- Don't use HTTP GET for "upstream"
- Prefix "downstream" JavaScript with "while(1);"
AJAX and Web App Security
- AJAX potentially increases the attack surface
- More "hidden" calls mean more potential security holes
- AJAX developers sometimes pay less attention to security, due to it's "hidden" nature
- Basically the old mistake of security by obscurity
- AJAX developers sometimes tend to rely on client side validation
- An approach that is just as flawed with or without AJAX
- Mash-up calls/functionality are often less secure by design
- 3rd party APIs (Ex: feeds, blogs, search APIs, etc) are often designed with ease of use, not security in mind
- Mash-ups often lack clear security boundaries (who validates, who filters, who encodes/decodes, etc)
- Mash-ups often result in untrusted cross-domain access workarounds
- AJAX sometimes promotes dynamic code (JavaScript) execution of untrusted response data
AJAX / Web 2.0 and Test Automation
- Spidering is more complex than just processing ANCHOR HREF's; various events need to be simulated (Ex: mouseover, keydown, keyup, onclick, onfocus, onblur, etc)
- Timer events and dynamic DOM changes need to be observed
- Use of non-standard data formats for both requests and responses make injection and detection hard to automate
- Page changes after XHR requests can sometimes be delayed
- In short, you need to have browser like behavior (JavaScript engine, DOM & event management, etc)
Cross-Site Scripting (XSS)
- AJAX is changing the game a little bit since the script tag may already be there, just need to look for JSON or JavaScript snippets to inject yourself into
Cross-Site Request Forgery (CSRF)
- Want to send a token for AJAX requests as well
JavaScript Hijacking
- Attacker code (override Array constructor)
- Render the JavaScript on the wire useless to anyone who doesn't have access to the code itself
- The attacker cannot sanitize the JavaScript since they do not have access to the code
AJAX Best Security Practices
Pretty much all the usual Web app security best practices apply:
- Analyze and know your security boundaries and attack surfaces
- Beware of reliance on client-side security measures
- Assume the worst case scenario for all 3rd party interations
- 3rd parties can inherently not be trusted!
- Be extremely careful when circumventing same origin policy
- Avoid/limit the use of dynamic code/eval()
- Beware of JavaScript Hijacking
- Implement anti-CSRF defenses
Software Assurance Maturity Model (SAMM)
This presentation on the OWASP Software Assurance Maturity Model (SAMM) was by Pravir Chandra, the project lead. I was actually really excited in seeing this topic on the schedule as SAMM is something that I've been toying with for my organization for a while. It's actually a very simple and intuitive approach to how to assess where your organization is at as far as software maturity, where you want to get to, and how to get there. My notes on this presentation are below:
By the end of the presentation should be able to....
- Evaluate an organizations existing software security practices
- Build a balanced software security assurance program in well-defined iterations
- Demonstrate concrete improvements to a security assessment program
- Define and measure security-related activities throughout the organization
Lessons Learned
- Microsoft SDL
- Heavyweight, good for large ISVs
- Touchpoints
- High-level, not enough details to execute against
- CLASP
- Large collection of activities, but no priority ordering
- ALL: Good for experts to use as a guide, but hard for non-security folkds to use off the shelf
Drivers for a Maturity Model
- An organization's behavior changes slowly over time
- Changes must be iterative while working toward long-term goals
- There is no single recipe that works for all organizations
- A solution must enable risk-based choices tailored to the organization
- Guidance related to security activities must be prescriptive
- A solution must provide enough details for non-security-people
- Overall, must be simple, well-defined, and measurable
Therefore, a viable model must...
- Define building blocks for an assurance program
- Delineate all functions within an organization that could be improved over time
- Define how building blocks should be combined
- Make creating change in iterations a no-brainer
SAMM Business Functions (4 in total)
- Start with the core activities tied to any organization performing software development
- Named generically, but should resonate with any developer or manager
- Governance, Construction, Verification, Deployment
SAMM Security Practices (12 in total)
- From each of the Business Functions, 3 Security Practices are defined
- The Security Practices cover all areas relevant to software security assurance
- Each one is a 'silo' for improvement
- Governance: Strategy & Metrics, Education & Guidance, Policy & Compliance
- Construction: Threat Assessment, Security Requirements, Secure Architecture
- Verification: Design Review, Code Review, Security Testing
- Deployment: Vulnerability Management, Environment Hardening, Operational Enablement
What is "software"?
- Lots of different aspects of what software is
- Could be a tarball of source code, UML and specifications, or a server running the code
Under each Security Practice
- Three successive Objectives under each Practice define how it can be improved over time
- Level 1, Level 2, and Level 3
- "Going from crawling to walking to running"
- 72 different actives all about the size of a bread box
Per Level, SAMM defines...
- Objectives
- Activites
- Results
- Success Metrics (2-4 metrics for each objective)
- Costs (training, content, license, or buildout)
- Personnel (overhead on different roles because operating at this level)
Conducting Assessments
- SAMM includes assessment worksheets for each Security Practice
Assessment Process
- Supports both lightweight and detailed assessments
- Organizations may fall in between levels (+)
Creating Scorecards
- Gap Analysis
- Capturing scores from detailed assessments versus expected performance levels
- Demonstrating Improvement
- Capturing scores from before and after an iteration of assurance program buld-out
- Ongoing Measurement
- Capturing scores over consistent tiem frames for an assurance program that is already in place
Roadmap Templates
- To make the "building blocks" usable, SAMM defines Roadmaps templates for typical kinds of organizations
- Independent SW Vendors
- Online Service Providers
- Financial Services Organizations
- Government Organizations
- Organization types chose because
- They represent common use-cases
- Each organization has variations in typical software-induced risk
- Optimal creation of an assurance program is different for each
Expert Contributions
- Build based on collected experiences with 100's of organizations
- Including security experts, developers, architects, development managers, IT managers
Industry Support
- Several case studies already
- Several more case studies underway
The OpenSAMM Project
- http://www.opensamm.org
- Dedicated to defining, improving, and testing the SAMM framework
- Always vendor-neutral, but lots of industry participation
- Targeting new releases every ~18 months
- Change management process
Future Plans
- Mappings to existing standards and regulations
- Additional roadmaps where need is identified
- Additional case studies
Enterprise Application Security – GE’s Approach to Solving Root Cause
The first presentation of the day that I went to was by GE's Darren Challey and was about GE's application security program and how he took a holistic approach to securing the enterprise. My notes on this presentation are below:
Why is AppSec so hard?
- AppSec changes rapidly (look at difference between 2004, 2007, and 2010 Top 10)
- Changing landscape
- Increase skill and talen t pool of technically proficient individuals willing to break the law
- Growing volume of financially valuable data online
- Development of criminal markets (black markets) to facilitate conversion to money
- "Attackers now have effective skills, something to steal, and a place to sell it"
- Application Security is a complete one-sided game
- Need to become an enabler (not a barrier)
- Must inject application security earlier through Guidance, Education, and Tools
- Must understand the development and deployment process and integrate rather than mandate
- NIST study on cost to repair defects when found at different stages of software development (http://www.nist.gov/director/prog-ofc/report02-3.pdf)
- Solving the problem of the enterprise (Culture Change)
- Success factors
- Form a mission and strategy
- Develop policy (but not corporate "mandate")
- Gain executive buy-in (cost / benefit / risk)
- Understand the magnitude of problem (metrics)
- Asset inventory and vulnerability management
- Develop standards (what should I do and when?)
- Establish a formal program (strong leadership)
- Focus on education and training materials
- Develop in-house expertise, services and "COE"
- Continuous improvement, measurement, KPI
- Communicate!
- Drive a culture change (shared need, WIIFM)
- Communicate expectations with vendors
- Implement incentives (and penalties)
- Digitize after the process is solid (tools)
- AppSec program mission & structure
- AppSec program strategy
- Policy (guidance) -> Standards (Guidance) -> Training (Education) -> Metrics (tools) -> Security tools (tools) -> Inventory & tracking (tools) -> Monitor & Improve
Guidance
- "GE Application Security Working Group" (Talking to the businesses is critical! Meet every 2 weeks.)
- Secure Coding Guidelines
- Vulnerability Remediation Guide
- Secure Deployment
- Quick Reference Card
- Contractual Language
- Desk Calendars
- Metrics: AppSec calendars helped increase visitors to key Guidance materials (track hits to website docs when certain activities take place)
Education
- CBT1: Intro to AppSec at GE (60 min for any IT person) - why AppSec is important and what happens when you don't do it
- CBT2: GE Best Practices for Secure Coding (90 min)
- CBT3: Attack Profiles & Countermeasures (120 min for security people)
- Developer Awareness Assessment:
- 100's of internally-developed questions
- Randomized questions, timed completion
- Vendors track their own resutls
- Allows tailoring of training/awareness programs
Tools
- - COE AppSec assessment services
- Vendor framework & Metrics
- Compliance handbook
- Common objects repository
- GE Enterprise Application Security
- Scanning and Monitoring tools
- Automation is the way to go (but the tools are not quite there yet)
Metrics
- Measure Vendor AppSec Performance (Avg % Critical/High Vulnerabilities per Assessment vs % Assessments with Zero Critical/High Vulnerabilities)
- Is it making a difference (map avg of critical/high vulnerabilities per assessment)
Forming a Center of Excellence
- Combines the best available people, processes and tools
- Formal training & defined roles (Comprehensive training program for all auditors to ensure skills are kept current and that auditors can provide more than one type of service)
- COE Team structure (tools, research, operations, stakeholder management, queue management, application security auditors
- Application Assessment Types (black/grey box vs white box)
- Application assessment process (map of the workflow with "swim lanes" of who does each step)
- Measure number of vulnerabilities and severities
- Measure customer satisfaction (overall, ease of engagement, responsiveness)
All About OWASP
The second presentation of the morning was various members of the OWASP board speaking about the goals of OWASP for the upcoming year. My summary is below.
Jeff Williams
- Cross Site Scripting is an epidemic
- We need to view insecure software as a disgrace
- Everything OWASP is free and void of commercialism
- "When information comes with an agenda, people discount it"
Tom Brenan
Global Membership Committe 2010 Focus
- Global expansion
- 7x increase (2008)
- Vote your board members
Global Industry Committee 2010 Focus
- Building industry special interest groups
- Continuing to impact regulation (NIST, government, organizations, EU)
Dave Wichers
Global Conferences Committee 2010 Focus
- Support four global AppSec Conferences per year
- Support OWASP regional and local events worldwide
Sebastian Deleersnyder
Global Education Committee 2010 Focus
- Academic outreach
- OWASP bootcamp
- Roll out college OWASP education kits
Global Chapter Committee 2010 Focus
- Identify and reactive inactive chapters
- Actively support chapters with mentors and speakers
- College OWASP education kits
Dinis Cruz
Global Projects Committee 2010 Focus
- Apply assessment criteria version 2 to all projects
- Unified dashboard for OWASP projects
- Launch and manage 2010 season of code
Keynote: Collaboratively Advancing Strategies to Mitigate Software Supply Chain Risks
It's my second year at the OWASP AppSec Conference and this year it is in Washington, DC. The New York City Conference last year proved to be probably the best conference I've ever been to. Based on the agenda and the facilities, this year is looking very promising. Today's keynote is by Joe Jarzombeck, the Director for Software Assurance at the National Cyber Security Division for the Office of the Assistant Secretary of Cybersecurity and Communication. Man, is that a mouthful. My notes on the presentation are below:
DHS NCSD Software Assurance Program
- A public/private collaboration that promotes security and software resilence throughout the SDLC
- Reduce exploitable software weaknesses
- Address means to improve capabilities that routinely develop, acquire, and deploy resilent software products
- IT/Software Security risk landscape is a convergence between "defense in depth" and "defense in breadth"
- Applications now cut through the security perimeter
- Rather than attempt to break or defeat network or system security, hackers opt to target application software to circumvent security controls
- 75% of hacks are at the application level
- Most exploitable software vulnerabilities are attributed to non-secure coding practices
- Enable software supply chain transparency
- Acquisition managers and users factored risks posed by software supply chain as part of the trade-space in risk mitigation efforts
- DHS Software Assurance program scoped to address:
- Trustworthiness
- Dependability
- Survivability
- Conformity
- Standalone Common Body of Knowledge (CBK) drawing upon contributing companies/industries
Build Security In: https://buildsecurityin.us-cert.gov
- Focus on making software security a normal part of software engineering
- Process agnostic lifestyle
- There was an interesting slide on touchpoints and artifacts that I took a picture of with my phone and I will try to post here.
Resources to Check Out
"Software Security Engineering: A Guide for Project Managers"
"Enhancing the Development Lifecycle to Produce Secure Software"
Fundamental Practices for Secure Software Development
http://www.safecode.org/publications/SAFECode_Dev_Practices1008.pdf
The Software Assurance Pocket Guide Series
Software Assurance in Acquisition: Mitigating Risks to the Enterprise
- Check out Appendix D - Software Due Diligence Questionnaires
"Making the Business Case for Software Assurance"
"Measuring ... Assurance"
Common Weakness Enumeration (CWE)
- If you have this weakness, then it's not a matter of if, but when you'll be breached.
Dang, People Still Love Them Some IE6
We get a decent bit of Web traffic here on our site. I was looking at the browser and platform breakdowns and was surprised to see IE6 still in the lead! I'm not sure if these stats are representative of "the Internet in general" but I am willing to bet they are representative of enterprise-type users, and we get enough traffic that most statistical noise should be filtered out. I thought I'd share this; most of the browser market share research out there is more concerned with the IE vs Firefox (vs whoever) competition aspect and less about useful information like versions. Heck we had to do custom work to get the Firefox version numbers; our Web analytics vendor doesn't even provide that. In the age of more Flash and Silverlight and other fancy schmancy browser tricks, disregarding what versions and capabilites your users run is probably a bad idea.
- IE6 - 23.46%
- IE7 - 21.37%
- Firefox 3.5 - 17.28%
- IE8 - 14.62%
- Firefox 3 - 12.52%
- Chrome - 4.38%
- Opera 9 - 2.20%
- Safari - 1.95%
- Firefox 2 - 1.27%
- Mozilla - 0.48%
It's pretty interesting to see how many people are still using that old of a browser, probably the one their system came loaded with originally. On the Firefox users, you see the opposite trend - most are using the newest and it tails off from there, probably what people "expect" to see. The IE users start with the oldest and tail towards the newest! You'd think that more people's IT departments would have mandated newer versions at least. I wish we could see what percentage of our users are hitting "from work" vs. "from home" to see if this data is showing a wide disparity between business and consumer browser tech mix.
Bonus stats - Top OSes!
- Windows XP - 76.5%
- Windows Vista - 14.3%
- Mac - 2.7%
- Windows NT - 1.8%
- Linux - 1.8%
- Win2k - 1.5%
- Windows Server 2003 - 1.2%
Short form - "everyone uses XP." Helps explain the IE6 popularity because that's what XP shipped with.
Edit - maybe everyone but me knew this, but there's a pretty cool "Market Share" site that lets people see in depth stats from a large body of data... Their browser and OS numbers validate ours pretty closely.
Oracle + BEA Update
A year ago I wrote about Oracle's plan on how to combine BEA Weblogic and OAS. A long time went by before any more information appeared - we met with our Oracle reps last week to figure out what the deal is. The answer wasn't much more clear than it was way back last year. They do certainly want some kind of money to "upgrade" but it seems poorly thought through.
OAS came in various versions - Java, Standard, Standard One, Enterprise, and then the SOA Suite versions. The new BEA, now "Fusion Middleware 11g" comes in different versions as well.
- WLS Standard
- WLS Enterprise - adds clustering, costs double
- WLS Suite - adds Coherence, Enterprise Manager, and JRockit realtime, costs quadruple
But they can't tell us what OAS product maps to what FMW version.
There is also an oddly stripped down "Basic" edition which noted as being a free upgrade from OAS SE but it strips out a lot of JMS and WS stuff; there's an entire slide of stuff that gets stripped out and it's hard to say if this would be feasible for us.
As for SOA Suite, "We totally just don't know."
Come on Oracle, you've had a year to get this put together. It's pretty simple, there's not all that many older and newer products. I suspect they're being vague so they can feel out how much $$ they can get out of people for the upgrade. Hate to break it to you guys - the answer is $0. We didn't pay for OAS upgrades before this, we just paid you the generous 22% a year maintenance that got you your 51% profit margin this year. If you're retiring OAS for BEA in all but name, we expect to get the equivalent functionality for our continued 22%.
Oracle has two (well, three) clear to dos.
1. Figure out what BEA product bundles give functionality equivalent to old OAS bundles
2. Give those to support-paying customers
3. Profit. You're making plenty without trying to upcharge customers. Don't try it.
Velocity 2009 – Best Tidbits
Besides all the sessions, which were pretty good, a lot of the good info you get from conferences is by networking with other folks there and talking to vendors. Here are some of my top-value takeaways.
Aptimize is a New Zealand-based company that has developed software to automatically do the most high value front end optimizations (image spriting, CSS/JS combination and minification, etc.). We predict it'll be big. On a site like ours, going back and doing all this across hundreds of apps will never happen - we can engineer new ones and important ones better, but something like this which can benefit apps by the handful is great.
I got some good info from the MySpace people. We've been talking about whether to run our back end as Linux/Apache/Java or Windows/IIS/.NET for some of our newer stuff. In the first workshop, I was impressed when the guy asked who all runs .NET and only one guy raised his hand. MySpace is one of the big .NET sites, but when I talked with them about what they felt the advantage was, they looked at each other and said "Well... It was the most expeditious choice at the time..." That's damning with faint praise, so I asked about what they saw the main disadvantage being, and they cited remote administration - even with the new PowerShell stuff it's just still not as easy as remote admin/CM of Linux. That's top of my list too, but often Microsoft apologists will say "You just don't understand because you don't run it..." But apparently running it doesn't necessarily sell you either.
Our friends from Opnet were there. It was probably a tough show for them, as many of these shops are of the "I never pay for software" camp. However, you end up wasting far more in skilled personnel time if you don't have the right tools for the job. We use the heck out of their Panorama tool - it pulls metrics from all tiers of your system, including deep in the JVM, and does dynamic baselining, correlation and deviation. If all your programmers are 3l33t maybe you don't need it, but if you're unsurprised when one of them says "Uhhh... What's a thread leak?" then it's money.
ControlTier is nice, they're a commercial open source CM tool for app deploys - it works at a higher level than chef/puppet, more like capistrano.
EngineYard was a really nice cloud provisioning solution (sits on top of Amazon or whatever). The reality of cloud computing as provided by the base IaaS vendors isn't really the "machines dynamically spinning up and down and automatically scaling your app" they say it is without something like this (or lots of custom work). Their solution is, sadly, Rails only right now. But it is slick, very close to the blue-sky vision of what cloud computing can enable.
And also, I joined the EFF! Cyber rights now!
You can see most of the official proceedings from the conference (for free!):
Velocity 2009 – Monday Night
After a hearty trip to Gordon Biersch, Peco went to the Ignite battery of five minute presentations, which he said was very good. I went to two Birds of a Feather sessions, which were not. The first was a general cloud computing discussion which covered well-trod ground. The second was by a hapless Sun guy on Olio and Fabian. No, you don't need to know about them. It was kinda painful, but I want to commend that Asian guy from Google for diplomatically continuing to try to guide the discussion into something coherent without just rolling over the Sun guy. Props!
And then - we were lame and just turned in. I'm getting old, can't party every night like I used to. (I don't know what Peco's excuse is!)