I'm shocked. Is this typical? Are people developing "web applications" without paying attention to Bugtraq and CERT notices, or even noticing that something they might be doing might be compromising their customers' security?
A few minutes later, I asked about cookie usage, wondering if the path of the cookie was being set properly, since he reported that sometimes you get "logged out" inconsistently. It took about six tries before he had a clue what I was asking.
And then he was talking about putting entire SQL queries into a cookie to provide paging access through the result set! As if by luck, he figured out that that "might be insecure", so instead he simply puts the parameters of the query into cookies!
Clues, people. Clues. These are all basic security issues, ignorance of which results in loss of revenue or privacy, possibly undetected.
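The paging-by-cookie design from the talk, as an added example that is not code from this post or from the presenter: a Python/sqlite3 sketch with a constructed orders table and a hypothetical parse_cookie helper, showing the cookie value spliced straight into the query beside a version that treats the cookie as untrusted input, validates it, and binds it as a parameter.

```python
import sqlite3

# Constructed sample data: a small orders table in an in-memory database.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
INSERT INTO orders (customer, total) VALUES
  ('alice', 10.0), ('bob', 20.0), ('carol', 30.0), ('dave', 40.0), ('erin', 50.0);
""")

PAGE_SIZE = 2
MAX_OFFSET = 10_000  # upper bound so a client cannot request arbitrary deep scans


def parse_cookie(header):
    """Hypothetical helper (not a real library call): split a Cookie header
    such as 'session=abc; offset=2' into a dict of name -> value."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def page_unsafe(cookie_header):
    """The pattern described in the talk: the paging parameter is read from
    the cookie and formatted into the SQL text. The browser owns the cookie,
    so whatever the client writes there becomes part of the statement."""
    offset = parse_cookie(cookie_header).get("offset", "0")
    sql = f"SELECT customer FROM orders ORDER BY id LIMIT {PAGE_SIZE} OFFSET {offset}"
    return [row[0] for row in CONN.execute(sql)]


def page_safe(cookie_header):
    """Same feature, hardened: require a bounded non-negative integer and pass
    it as a bound parameter, so the value can never change the query shape."""
    raw = parse_cookie(cookie_header).get("offset", "0")
    if not raw.isdigit() or int(raw) > MAX_OFFSET:
        raise ValueError("invalid paging offset in cookie")
    sql = "SELECT customer FROM orders ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in CONN.execute(sql, (PAGE_SIZE, int(raw)))]
```

Even the hardened version still lets the client pick the page; if the result set itself is sensitive, keep the paging state in a server-side session keyed by an opaque cookie instead.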
And people wonder why I'm trying to sell my code review services. {grin}
As one person left the presentation, she commented quietly to me, "I like your brain." Which I'll presume to mean that I was asking exactly the right questions, and proved that this wasn't the guy that the rest of us should be learning from for strategy.
If you design for the web, remember that it's much better to have a non-functional secure site than a non-secure functional site.