Episode 55: Web Applications Need Security Too, Part 3
Amrit Williams, BigFix CTO, concludes his interview with Doug Wilson, co-chair of the Open Web Application Security Project Washington DC chapter, focusing on what enterprises can do to include security in the product development life-cycle.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Doug Wilson from OWASP. Doug, thanks for coming back and joining me today. We’ve been talking a little bit about OWASP’s origins and what they provide, and a little bit about the AppSec Conference you guys have coming up in November in DC. I wanted to switch gears a little bit and ask you what some of the things are that organizations can do, and what the top threats are. I know the web application security community moves very quickly; there are things coming out rather rapidly. It’s a very dynamic environment, whether you are on the development side or the security research side.
How does a large organization, how does a large enterprise, approach this? Because it is different in terms of the people and the process and the technologies that they would use to do traditional software development or traditional patch or configuration management on the back end.
So can you step the audience through, a little bit about, at a high level, how they would approach web application security if they are new to it, what are some of the first initial things they need to do, how do they gain a grasp on this, and how do they start evolving their security programs around it?
Doug Wilson: The first thing to do is to start working on your education. I mean, just go out and read a lot of the stuff. There’s a lot of it available out there on the Internet. It’s one of those things that’s available for anyone who wants to reach out and grab it. I mentioned the OWASP Top Ten previously, and it’s a very good place to start. It’s not a complete solution, but it shows you some of the basic issues that are out there. In a lot of cases, these are things people have heard of; they’ve heard of them in the media. I mean, these are no longer some sort of esoteric knowledge that’s hidden away on some hacker’s laptop. This is stuff that is in the mainstream press.
A lot of people hear about it, though they just don’t really realize what it is and what it can do. I mean, these are things like cross-site scripting, SQL injection, and malicious file injection. There are more obscure things like cross-site request forgery, which, when you initially explain it to people, they are like, “What the heck is that?” And when they get it, they are like, “Oh! Yeah, that’s a problem; that may be happening in our application right now.” And then there are things which have always existed in security, such as problems with not having your cryptography set up right, or not protecting access and controlling access on authentication, and things like that which are standard security problems, but they move through the web just like everything else has, and people, in moving through the web, forget about them.
We also have a wide variety of other things, once you dig in more. We have projects like OpenSAMM, which is the Software Assurance Maturity Model, where you sort of look at where your process is and model where you want to go with it. There are a lot of things where people have “Our website tested hacker safe by this company”; that’s kind of a running joke in web application security standards circles, because there aren’t really any standards for that.
OWASP has been developing a thing called the Application Security Verification Standard, which is again, sort of, a way to focus your efforts into looking at your process and figuring out where the holes are, and then saying to the world, “Here’s how we verified that we are really trying to fix our code, and we are really trying to pay attention to it.” We have a bunch of guides on how to review code and how to develop code, and there are specific projects out there.
A big one that I know, especially in the Java community, is the ESAPI project, the Enterprise Security API, which takes the idea that — for years, security people have, sort of, said, “Well, developers don’t care about security” and developers have said, “Security people are no fun, they don’t want us to do anything.”
You have different priority sets between security people and developers. ESAPI, kind of, adheres to the same rule as cryptography, which is: don’t have people who don’t know anything about security suddenly try to do security. It takes and vets libraries. The initial version of ESAPI was for Java, but it’s being developed for other languages such as .NET and PHP, where established security people do peer review, much like it’s done for cryptography, and say, “Okay, this function is potentially insecure, let’s find a way to fix it.” And then what you can do is have a bunch of libraries that you just hand to your developers and say, “Hey, use this set of code instead of the old set of code you used, and 95% of your security problems are fixed.” That’s a project that’s really grown in the past year or two at OWASP, and that’s the sort of thing where it’s the combination of ideology plus code base that could be adapted by organizations.
Also, get involved. I mean, if you are near a major city in the United States, there’s probably an OWASP Chapter in it somewhere. If you are outside the United States, there are many, many dozens of places that have OWASP Chapters, and some of them are very unlikely places; you wouldn’t think of it there, but there’s somebody there who works on web applications and is interested in security. Corporations can become corporate members of OWASP. Individuals can become individual members of OWASP.
OWASP stuff is pretty much all free to use for whatever you want, but the membership is a way of supporting the organization. We do ask that if corporations are planning on heavily using OWASP products, they consider becoming a corporate member and a sponsor. In that way, they also get recognition for what they are doing in helping out, and there are also discounts for things like the conferences we do.
If you are an OWASP member, the money you paid for your membership you pretty much get back at the first conference you attend, because of the discounts we give to members. So those are ways that we offer to get involved, and resources to try and make a difference, but I think the biggest thing is education and realizing the potential impact that this can have.
As you’ve said, also, the process is very different. You have companies that are already mature for desktop software, they are already mature for their network security, but there’s this rush to get into these new web technologies where you really reinvent the same problems you’ve already solved, over and over again, in the rush to get online to do the newest cool thing.
By all means, I am not saying, “Don’t innovate.” I am saying, “Innovate, but if you have a mature process that’s working in one of your other areas, consider carrying that over to your web stuff.” Don’t just hand it off to a developer and say, “Hey, get us a website in the next two days in your spare time.” Put it through a vetting process, because your company’s reputation and financial assets may be hanging out there on the Internet, and if you don’t take the same due diligence you do with other parts of your organization, you open yourself up to a huge amount of liability and risk.
Amrit Williams: In terms of the participation, the population of those who participate in OWASP, are they primarily security professionals, or are they primarily developers with a security focus?
Doug Wilson: That’s one of the interesting things: OWASP is different. In fact, I think web application security groups, including OWASP and WASC, are different from the stereotypical security background, because it’s not all just about the security guys sitting there and going, “Ha, ha, we hacked you, we published our latest exploit, you all are clean.”
It has a much bigger focus that would appeal to people outside of security circles. That being said, the large majority of people who you see at OWASP events do have some sort of security focus in their task, but most of the founders of OWASP who are not security people are what they call themselves, secure developers, and the people at Aspect Security have been very heavily involved in OWASP since the beginning, and they would call themselves developers.
First and foremost, they have been doing development for years; they just excel at secure development and secure development practices. So, I think, probably you do have a large component of OWASP that is security focused, but you have a much, much larger component at OWASP that is developers and developer-focused and writing interesting secure code than you would in almost any other security group on the planet.
Amrit Williams: That’s very encouraging. I know that it was many moons ago when I would try to talk to web developers about software development life-cycles and adding security into the software development life-cycle, and for the most part, most of them had no idea what I was talking about. It just wasn’t something that was part of their DNA, and it wasn’t about trying to change their mindset, but just trying to make them aware of what the issues were, so that they could look for ways to try to avoid those later on when that stuff was publicly available.
So it’s certainly encouraging to see that the population is changing there, and has changed, and that you have a large set of developers that are part of that and participating and helping to drive it. I definitely think that’s fantastic.
Doug Wilson: You still have no battle. I mean, if you go to a mainstream developer conference, you are not going to see a whole lot on security, but you are going to see something, and that’s a change that’s happened. I mean, I go to a lot of design and development conferences as well as just security conferences, based on personal interests in some of the circles I travel. A couple of years ago, we’d go to things like South by Southwest where, like, the cutting edge of Web 2.0 was being born, and get booted off the stage, so to speak, for bringing up security in a discussion.
Now you are starting to see that, and again, it’s not all developers, it’s not even a majority of developers, but there’s a very vocal, dynamic, and talented majority who are really embracing the idea of writing secure code, and they are starting to talk at conferences. They are starting to talk at mainstream developer conferences. Some of the OWASP people, like Jeff Williams, who is the CEO of Aspect and the Chair of the OWASP Board right now, not only spoke at BlackHat this year but also spoke at a Java developers conference, and he had one of the best-received topics of the conference. We have situations where, based on some of the work he has done, Sun and the Java team are actually changing how some of the Java application servers out there work in the next version.
I mean, it’s slowly crossing over, but it’s still not so bad, and most developers still are ignorant of this, and it’s not any fault of theirs; it hasn’t been brought to their attention, it’s not a priority, and that’s one of the things that we’re trying to do, is make them aware. We routinely have people from the development community in DC attending our meetings, and we get more and more crossover as time goes on, which I think is a very positive thing.
Amrit Williams: Oh, absolutely, and I think the work you guys are doing is really wonderful, and the fact that you are making it open in the way that OWASP is being constructed is very powerful, because it makes information available to those who might not otherwise have it, and that’s incredibly important.
Doug, I really appreciate you joining me today. I wish you guys the best at the AppSec Conference that’s coming up, November 10 through the 12th, and folks can find out more information on that at www.appsecdc.org. For those folks who are interested in finding out more about web application security or OWASP, they can find that at owasp.org as well. Doug, thank you very much.
Doug Wilson: No problem, thank you for having me on the show.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix. Thanks for listening.