Interview About AppSec DC with OWASP’s Mark Bristow

OWASP’s AppSec DC is right around the bend, which means that things are really starting to heat up. Here to tell us what’s going to be hot at this year’s AppSec DC is AppSec organizer Mark Bristow.

Mark was nice enough to do an interview with us to talk about the best AppSec tracks to attend, how you can get involved, and why developers, testers and quality assurance staff will be especially pleased by the presentations and workshops at AppSec this year. 

What is the most important part of AppSec for you personally?

The most important aspect of AppSec is most definitely the opportunity one has to make a demonstrable impact improving the online safety and security of the public. There are 700 million internet users in Asia, 74% of people in the United States are internet users, and in the last 9 years there has been almost a 1400% increase in internet access in Africa. These users generate billions of transactions via the web, everything from sending an email to grandma to large funds transfers, and someone would benefit from intercepting or modifying any of these transactions. It’s great to know that, working in the Application Security field, I am a part of helping to keep these transactions safe.

For those that aren’t already familiar with AppSec, what is it about, and who should attend?

Application security is a field that touches everyone’s lives, whether they are aware of it or not. AppSec DC is OWASP’s premier international event held in North America for 2009, and it will bring together everyone from developers, managers, security personnel, government, and C-level executives from around the world to learn and discuss solutions to these challenges.

As for who should attend: everyone. If you use the web, you can get something out of AppSec DC. Personally, however, I’d really like to see more developers in attendance. Developers are critical to closing the loop on application security vulnerabilities, as they are the only ones with access to the code! I think outreach to this group is critical, and with some education, process and a bit of discipline, traditional IT Security and developers can work together to stamp out the root cause of application security issues. Another key group is the development managers. This year we have been trying to focus on secure development lifecycle tools and maturity models. These are critical to allowing managers to appropriately plan for security in their existing frameworks, and to show them that, with proper planning, security does not have to be so expensive.

That said, there will be plenty of great material for “traditional” application security audiences as well.

On that note, you say in the press release for this year’s AppSec that the focus is on “really trying to reach out to developers, testers and quality assurance staff because they are pivotal to solving the root causes of application security problems.” Why do you feel that these people are key when it comes to heading off most application security problems?

When it comes down to it, developers, testers and QA staff are critical to solving the challenges of Web Application Security. You are only going to get as thorough a security review as the people who are testing/assessing your applications. This is why testers and QA personnel are critical to the success of an Application Security program. When you have people well trained in Application Security issues performing your application testing and reviewing the application code, you’ll be well positioned to reduce your risk and your vulnerability.

That said, developers are, at the end of the day, the only people who can truly fix a web application security vulnerability. They are the only ones who can touch the codebase and actually make changes. Traditionally developers have not been part of the Application Security conversation, and that is definitely something that needs to change if we want to make headway on these important problems.

As technology continues to expand and people rely more on computers and other technological devices to process and hold personal information, what do you think the biggest challenge will be for those that develop or maintain critical technologies that depend on the web?

One of the quickest ways to monetize a web application attack is to steal Personally Identifiable Information (PII) for the purposes of identity theft, fraudulent credit card transactions, loans, etcetera. For most organizations, keeping this information secure is of the highest priority. In order to adequately protect PII, web developers must ensure that the traditional Web Application Security vulnerabilities such as SQL injection, Cross Site Scripting and others from the OWASP Top 10 are detected and remediated early on in the development lifecycle. When this foundation is laid for the technical vulnerabilities, privilege escalation and information leakage testing needs to be performed on the application to ensure that a user can’t misuse their access to the application to steal this data. There is no one solution to solving this issue, but having a mature Security Development Life Cycle, well trained developers, skilled application security professionals and a variety of tools at hand are a must.

Why do you think there is currently a lack of knowledge in the general security community when it comes to application security? How does AppSec address this?

If this were 2003 or even 2005, I’d absolutely agree that there was a lack of knowledge in the general security community about application security. However, due to the outreach programs of OWASP and other organizations like WASC, this knowledge gap is steadily shrinking. More security professionals are at least aware of the challenges in the Web Application space and are cognizant of where to find resources to fix them. The biggest education challenge that we face in the AppSec space today is with developers. Many developers out there are simply unaware or only vaguely aware of these issues. It is via developer programming templates, habits and developer-focused tools that we can best bridge the gap in knowledge. In kind, development managers are frequently less informed than their development staff. This results in inadequate time and budgets being afforded to secure development practices. It is only through developer training and management support that we will solve the challenges in the AppSec space. At AppSecDC we have several tracks (Tools, Attack/Defend, SDLC) that will help developers learn technical defenses to AppSec issues. For managers we have three tracks (Process, Metrics, and SDLC) that will demonstrate the value of an Application Security program as well as how to effectively implement such a program with as minimal an impact as possible.

In the press release for this year’s AppSec you mention the secure development track, saying that it is specifically designed for developers, testers, and quality assurance staff. What can attendees expect from the secure development track?

The SDLC or Secure Development Life Cycle track will have something for each of these core groups. The first talk, Development Issues Within AJAX Applications: How to Divert Threats by Lars Ewe, will be a boon for developers who are struggling with implementing security countermeasures in AJAX applications. For QA staff, Darren Challey’s talk Enterprise Application Security – GE’s approach to solving root cause is a can’t-miss. He’s going to be describing GE’s lessons for establishing a “holistic application security program that seeks to detect, correct and prevent security defects throughout the application lifecycle”. Managers at AppSecDC are going to have a veritable cornucopia of presentations to attend. Dan Cornell’s Vulnerability Management in an Application Security World and the SDLC Panel will be two presentations that a manager trying to set up or run an application security program shouldn’t miss.

And lastly, is AppSec still looking for volunteers? If so, what do you need the most help with, and how should people go about getting involved?

The most important characteristic we’re looking for in our volunteers is dedication and the ability to follow through. We have a bunch of areas that we still need help in, from Security to Registration to Speaker liaisons. We have an opportunity for anyone willing to participate. If you’re interested, just mail info[at] and one of the organizers will get back to you!

Mark’s Bio: Mr. Bristow is a Senior Security Engineer for Securicon, LLC, where he performs penetration testing, vulnerability analysis, and compliance auditing services for Securicon’s federal and private sector consulting business for a variety of critical infrastructure, commercial and government clients. Mark is an active member of the Open Web Application Security Project as a Global Conference Committee member, Washington DC Chapter leader and an OWASP AppSecDC 2009 conference organizer. Prior to working for Securicon, Mr. Bristow worked as an Information Assurance engineer at SRA International, where he provided strategic application security consulting services as well as conducting vulnerability assessments and certification and accreditation support activities for a variety of government clients. Mark has a bachelor’s degree in computer engineering from The Pennsylvania State University.

o o o o o

A special thanks to Mark, Doug Wilson, and Rex Booth for agreeing to interview with us. Also be sure to check out the interviews we did with Doug and Rex.
