In addition to his duties as the chief technology officer at Sela Group, Sasha Goldshtein does a lot to further enterprise software quality in general. Specifically, he promotes secure application development, he speaks and writes about application security topics, and he contributes to open source projects that help developers debug their code faster and more effectively.
Goldshtein will present a workshop at O'Reilly's Fluent Conference in San Francisco. Goldshtein's session, dubbed Attacking Web Applications, will review common attack vectors like SQL injection and cross-site scripting. Goldshtein believes it's important to think like an attacker in order to shore up application security. Explaining how the attacks work helps him prepare project managers to thwart malicious hackers.
We caught up with Goldshtein ahead of the event to ask him about his past, the Fluent Conference, and the future of application security.
What's your story so far?
Sasha Goldshtein: I've been professionally writing software for the last 12 years. I started out in C++, MFC and COM, doing Windows desktop development in a typical client-server environment. Then I discovered .NET and have been in love with it ever since. I very much enjoy writing C# code, and have developed several large systems in it.
A few years ago I added another area to my portfolio, namely mobile application development. I wrote a couple of Android and iOS apps, and experimented with cross-platform solutions such as Xamarin and PhoneGap. For the last decade or so, I have been training developers all over the world in mobile development, debugging, performance optimization, cloud and security.
Apart from your day job, what do you do to promote better software?
Goldshtein: I try to contribute back to the community by writing blog posts and online articles, by giving user group presentations, and by writing open source tools. For example, I contributed numerous articles to "Digital Whisper," a monthly security-focused Hebrew-language magazine that strives to improve developers' understanding of software and systems security. I also developed multiple debugging extensions and scripts that help developers debug their applications more easily.
You're presenting a workshop, Attacking Web Applications, at Fluent this year. Is it the same basic talk you gave at Software Architect 2013 and the SELA Developer Practice?
Goldshtein: It is based on the same materials, but I have changed the demos slightly and the slightly longer time format will allow me to touch on more topics. I also intend to show a Wi-Fi-related security demo, which I will keep as a surprise for now [smiles].
What brings you to Fluent? What makes this conference stand out from some of the others you've participated in?
Goldshtein: It's my first time at Fluent; I'm really honored to be included. I was pretty excited about the idea of a conference focused on open source technologies, because most of my experience is with Microsoft-oriented shows, such as Build, TechEd, Visual Studio Live and others.
I also love San Francisco in any season, so I'm looking forward to visiting the city and meeting friends, old and new. Conferences are also a great opportunity to meet other developers and establish business connections, and I think Fluent has very broad topic coverage and a great speaker roster.
What's your favorite part of speaking at these conferences?
Goldshtein: Sharing my experience and knowledge with other developers and listening back to what they have to say. On the one hand, a conference talk really means you have to distill everything you have to say into crystal clear form and a very short timeframe. You have to prepare very well and know your topic like the palm of your hand. So it takes a lot of work.
On the other hand, people always have new and interesting questions and ways of looking at existing problems that will surprise you. One of my favorite things is hearing feedback from people after they have seen one of my talks, or after we sat in another speaker's talk together, sharing our insights from what we heard.
Who's the most interesting person you've met at a conference?
Goldshtein: I'd probably say Mark Russinovich. Several years ago he was kind enough to write the foreword for our book, Introducing Windows 7 for Developers. Since then he has become a very popular 'cyber-action-thriller' author, and his books, Trojan Horse and Zero Day, went on to become Amazon bestsellers. Mark is a software and security legend at Microsoft and in the industry in general, and it was pretty amazing to see him make the shift to a pop fiction author.