[Owasp-leaders] OWASP in the News

Michael Coates michael.coates at owasp.org
Fri Jun 13 17:43:04 UTC 2014

Great article about OWASP interviewing Justin Clarke (OWASP London Chapter

Nice job!


Boards need to get behind application security, says Owasp

Chief information security officers (CISOs) are more concerned about web
application security than in the past, but this area of security is still
immature, says the Open Web Application Security Project
<https://www.owasp.org/index.php/Main_Page> (Owasp).

“Application security as a concept has been around for little over 10 years
and still has a long way to go,” said Justin Clarke, Owasp London Chapter
leader and director at Gotham Digital Science.

“CISOs are becoming more aware, and Owasp is focusing on providing guidance
for them, but application security still needs to be understood and tackled
at the board level,” he told Computer Weekly.

While network security is well-understood and well-funded, information
security professionals struggle to make a business case for web application
security because it is difficult to quantify the risk.

However, Owasp and a growing number of security industry specialists
recognise that web application exploits are relatively easy with readily
available tools, making them a popular entry point for attackers.

Owasp is a non-profit, volunteer organisation that was set up in 2001 to
help make web applications secure by educating users, developers,
governments and business leaders.

“Our mission is to make as many people as possible aware that there are
tools and techniques businesses can use to ensure they avoid common
security pitfalls in web applications,” said Clarke.

Security must race to keep up with technology advances

However, despite Owasp’s efforts, web application security remains a
challenge in many organisations for several reasons.

“The main problem is the fact that technology is moving so fast that most
developers and organisations struggle to keep up,” said Clarke.

“Since 2001, the web application market has grown exponentially and the
security challenges have been further increased with the move to mobile
platforms and the advent of the cloud,” he said.

Clarke said an increasing number of web applications need to be able to
accept HTML5 or rich content, and to do that securely is “really difficult”
which is why even large organisations struggle to get it right.

Added to that is the constant commercial pressure to be first to market
with new types of web-based products and services.

Consequently, key performance indicators tend to be based on speed of
innovation, with little or no incentives linked to data security.

“Most organisations have also abandoned traditional waterfall models of
software development for agile approaches, but this makes involving
security teams much more difficult,” said Clarke.
While the largest of organisations typically have enough security experts
to draw upon, smaller organisations struggle to get the required expertise
within their agile development teams.

“If bridges were built the way a lot of software is built, an awful lot of
them would fall down,” said Clarke.

“This is often because IT systems evolve over time and end up being made up
of half a dozen things cobbled together as requirements change and
functionality is added,” he said.

Although Owasp is aimed at educating developers on web application
security, Clarke believes one way forward is application development
frameworks that prevent developers from creating insecure code.

Ideally, he said, frameworks should take care of the difficult things so
that developers are not tempted to take the easier, faster route to get
things done, which is also often the riskier way of doing things.

“Already, there are a few islands of progress where organisations or
communities have standardised on custom-built or open source platforms like
Microsoft’s LINQ to SQL
and Hibernate <http://en.wikipedia.org/wiki/Hibernate_%28Java%29>,” said

Such platforms make it difficult to write code that is vulnerable to things
like SQL injection or cross-site scripting (XSS) attacks, which
feature in Owasp’s
top 10 most critical web application security risks

“The problem is that use of such frameworks is in isolated pockets and
there is no central way of pushing them out or driving adoption,” said

Share information across teams

Owasp believes another way of tackling the problem is to ensure that the
security practitioners and developers learn to communicate with each other
more regularly.

“Owasp’s AppSec conferences are the only ones that engage both security
professionals and those who build software, and is aimed at getting
together those who should be talking to each other,” said Clarke.

In 2014, AppSec Europe <https://2014.appsec.eu/appsec-europe/> is to be
held in the UK for the first time in seven years and is scheduled to take
place at Anglia Ruskin University, Cambridge, from 23-26 June.

Speakers include Steven Murdoch of the University of Cambridge Computer
Laboratory, Wendy Seltzer of the World Wide Web Consortium and Lorenzo
Cavallaro of Royal Holloway, University of London.

“The AppSec conferences have become the focus for the industry to hear from
the world’s leading experts, harness expert knowledge and stay abreast of
the latest technology developments,” said Clarke.

Some of the presentations will discuss the vulnerabilities highlighted in
Owasp's recently compiled list of the top 10 methods
<https://www.owasp.org/index.php/Top_10_2013-Top_10> of breaking into web

These include SQL injection, used by hackers to target Vodafone Iceland;
cross-site scripting (XSS), which left Microsoft Office 365 open to attack;
open redirects, which present issues for Facebook; and insecure direct
object references, which saw Yahoo's servers open to root access.

“Like the government’s recently launched Cyber Essentials Scheme
the Owasp Top 10 document is aimed at encouraging organisations to take the
first step,” said Clarke.

“Those organisations that are getting their arms around this issue are
managing and reducing the risk, but my main concern is about those who have
yet to take the first step,” he said.

Michael Coates