About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


I've been speaking at conferences since 2003, but I've never been as excited about a conference as I am about Webstock. I remember discussing it at the first Kiwi Foo Camp with Natasha Lampard and a few others. I liked the name — I love wordplay — and her enthusiasm was infectious; she wanted to make Webstock extraordinary.

The first Webstock took place just a year prior to that impromptu discussion, and it has quickly become the top web conference around. I first began to realize what a big deal Webstock was when Nat Torkington had this to say about it:

Back home safe, utterly exhausted after Webstock. Best. Conference. Evar.

For those who don't know Nat, he ran OSCON — usually my favorite conference each year — for a decade. He has also been heavily involved in lots of other O'Reilly conferences, including unconferences like Foo Camp and Kiwi Foo Camp. For him to call Webstock the best conference ever is really saying something.

Fast forward to today. I'm sitting in a Starbucks in Los Angeles. The new Vampire Weekend album is playing. 16 hours ago, I began my journey to Wellington, New Zealand, and in another 20 hours, I will land there. (This journey will take a full day and a half.) I've been busy with a really exciting Analog project lately, so I haven't blogged about Webstock yet. If you haven't registered, you should hurry. They were almost sold out a few days ago, so it might already be too late. If you're lucky enough to be going, I hope you'll say hello.

I'm giving a workshop called Evolution of Web Security that combines some of my previous talks with some new material, covering the security spectrum from old to new, technical to social:

This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

I'm also giving a talk called Security-Centered Design that focuses and expands on some of the material from the workshop:

Security is more than filtering input and escaping output (FIEO), and it's more than cross-site scripting (XSS) and cross-site request forgeries (CSRF). Security isn't even always black and white. In order to create a more secure user experience, we need to understand how people think. Perception is as important as reality, and meeting user expectations is a fundamental of good security. In this multifarious talk, I'll explore topics such as change blindness and ambient signifiers, and I'll show some real-world examples that demonstrate the profound impact human behavior can have on security.

I gave this talk a few times in 2009, and I have updated it for 2010. Although the technical-to-social shift of web security isn't a topic that's being talked about that much yet, the transition is evident in a lot of recent activity, including solutions like OAuth and Facebook Connect. We need more people thinking about how to solve evolving technical and social problems. I don't pretend to have all the answers, but I hope this talk can be a catalyst for more awareness and discussion.

Webstock, here I come!

About this post

Webstock was posted on Fri, 12 Feb 2010.


1. Robin Gorry said:

Hi Chris,

I was wondering if you were going to post how Webstock went for you this year.

I live in New Zealand and desperately wanted to get to Wellington but I couldn't get the time off work.



Thu, 25 Feb 2010 at 02:04:18 GMT

2. Simon Mahony said:

Hi Chris,

I really enjoyed your workshop on the Evolution of Security at Webstock. I think I got enough value from those three hours to justify the entire conference fee. I'm just heading off to Amazon to buy the book. I've been programming in PHP for nearly a decade and was stunned by how little I really knew about security. Thanks for providing the answers.

And thanks for coming to Webstock. It is a great conference, and what's even more amazing is that it's put together by two guys and their wives working part time (they all have full time jobs) and is run by them and a very small group of volunteers. No professional, full-time organisation. Just pure heart.

I hope we'll see you at another Webstock event soon.



Sat, 27 Feb 2010 at 11:46:56 GMT

3. Chris Shiflett said:

Hi Robin,

I plan to post something about it, but it's going to be hard to express everything in writing.

The short summary is Webstock is the best conference I've ever been to, and I've been to a lot of conferences.

More soon, I hope!

Fri, 05 Mar 2010 at 16:49:53 GMT

4. Chris Shiflett said:

Thanks for the kind words, Simon.

I'm glad you liked the tutorial. In case it's helpful, here's a link to the slides on SlideShare:


Thanks again, and I agree with everything you said about Webstock. People love things that are made with love. :-)

Fri, 05 Mar 2010 at 16:55:02 GMT
