
OWASP : Time to Move On (For Good This Time)

31 Oct

Over the last few years I have dabbled in OWASP and in recent months even jumped back in feet first to start a project to define an architecture for Security Tools for Developers. As I jumped back in I have come to realize that OWASP as a whole has drifted so far away from what I initially envisaged and what I believe in that it’s time to move on (and this time move on for good). There are some real areas of encouraging light, but as I have tried to challenge the status quo it’s simply not constructive and personally very frustrating. Life is too short, so I wish the best of luck to those involved and I honestly hope they continue to thrive.

I have a lot of respect for a lot of the people involved and it will always have a special place in my heart, but I think that the project is overly bureaucratic (sadly in the wrong places and not where it’s needed), has lost its sense of direction and purpose, and is trying to be everything to everyone. A project to store digests of files to detect malware was the straw that broke the camel’s back for me (but it is certainly not an isolated case).

At the AppSecUSA conference I spoke about communities being like gardens. Gardens and communities require planning and curation. Unless you regularly tend to the garden and pull the weeds, the weeds will eventually take over and become dominant. Gardens can also take on a life of their own and are organic, just like communities. When you accept that, you can move on knowing that things grow and change, not always in the way you had expected, and that is OK.

In my opinion OWASP is focusing on quantity over quality in an effort to see what sticks and as a result has a (growing) collection of random projects of varying degrees of quality and completeness. When OWASP selected SourceForge as its project host, a company that is to developers what MySpace is to teenagers (and has a very questionable track record on security itself), I was incredibly disappointed and it became a pivotal moment for me. It was a lost opportunity to engage with modern developers and align OWASP to have a bigger impact where it matters.

I do suspect that it may be time for a different kind of open source software security project that focuses on a small number of high quality, high impact projects. In the meantime I am cranking on a proposal for a book called “Software Security for Teams : End to End Security for Software Developers” that I may (or may not) take on as a winter project and which I think at this point has the potential to have a big impact on developers.

So long OWASP, you were a fun ride and I wish you the very best for the future. Remember that a “Jack of all trades is a master of none”!


PS I will still run the OWASP Seattle Chapter meetings in November and December as planned and will look for someone to take it over for the new year.

Accessibility is More Important Than Security

13 Oct

An interesting quote from a Google (ex Amazon) engineer on the relative importance of accessibility over security

“But I’ll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.”

Curphey OWASP AppSec USA 2011 Slides

24 Sep

My OWASP AppSec USA 2011 slides are now online (slideshare below) and PDF (16.3 mb) here. The video of me delivering the talk can be found here.

Win an MSDN Ultimate Subscription when you run for charity at AppSecUSA!

12 Aug

We are raising money for inner city kids in Minneapolis at the OWASP AppSecUSA conference with a 10K charity run, “Strengthen”. We want (need) more people to join us for a great cause and to show that software geeks are fit and healthy, know how to have a good time and do great things for the community. It will be a “fun” run with costumes and beers, so any pace or level of fitness will be welcome!! Any money raised will be used to support science and arts for 360 kids in Minneapolis through the Bakken Museum.

If you need any more incentive to run than a great cause, I will be raffling an MSDN Ultimate Subscription. Everyone that runs and raises or donates at least $100 will be entered into the draw, and one lucky runner will get a boat load of software!

What are you waiting on? Sign up here

OWASP STD – Security Tools for Developers

17 Jul

I have decided to throw myself back into the software security fray and start a new OWASP project. I recently dabbled with getting involved in OWASP again through some current projects, but for various reasons didn’t find a fit with my personal interests and thought that there may be a way to have a bigger impact. I kept hearing that little voice from Dinis Cruz, ‘if you don’t like what’s there today either change it or create your own’, so after some careful thought I decided to start a new project. I have always thought OWASP can be a giant lab to try things, and if an experiment fails no one gets hurt (well, maybe your ego), so what do I have to lose!

For the last few years I have been more involved in building software than securing it, albeit some of that software was indeed security software to help software security. I ran a team that built static code analysis tools (CAT.NET) and web protection libraries, and for the last 18 months I have run a team that builds a very high volume web site that is not related to security. When security is no longer your sole focus you definitely view the world with a different lens and relate to security in a different way. It’s something you must (should) do rather than something you always want to do. Security will always be in my DNA, so it will probably always be a higher order bit for me than for the average software developer, but at the end of the day it is just another attribute I need to think about, much like performance, reliability, maintainability and code quality. John Wilander has talked about this in the context of complexity, and I have often used a slide in talks showing:

security < performance < functionality

For some time I have mentally partitioned security tools along one dimension into two categories: those for security people and those for developers. In an ideal world we could probably theorize that the tools should be one and the same, but by way of example I think there are testing tools where a security researcher wants to look under the hood and into every nook and crevice, and tools where a developer wants to know he’s done his due diligence. Developers need fast, repeatable, easy to use, low noise tools that produce actionable results and integrate seamlessly into their development process. That last point is key. For example, tracking detailed security bugs in a separate tool may be fine for security folks who want ultimate control of the data, but for a development team it is essential that they are managed in the development team’s issue management system. If you want to add some form of automated security code review into a development process it is probably essential that it can run as part of the integration testing or build verification testing etc.

There are of course many security tool touch-points that a developer might hit, and Andre Gironda provided some valuable food for thought when I was first thinking about this. I originally planned to call this project SIDE, for Security IDE, and look at better integration of security tools into IDEs, but the scope is and should be far wider. How do we integrate security into Continuous Integration (CI) environments? How do we integrate security into Agile management tools (Bryan Sullivan built an SDL Agile template for Team Foundation Server when he was at MSFT) and Behavior Driven Development? And we need code quality tools to also be able to generate security quality reports. These are just a few early ideas (see backlog below) and I am still hoping we will be able to do some significant IDE integration / enhancement work as part of the project.
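The build-verification idea above (a security check that is fast, low noise, produces tracker-ready results and fails the build only when it should) can be sketched as a gating step. The following is an added example, not code from the original post or from the OWASP STD project: it assumes a hypothetical JSON shape for static-analysis output, uses a constructed sample of findings, and keeps noise down with a baseline of already-triaged fingerprints so that only new findings above a severity threshold block the build.

```python
"""Build-verification gate for security findings (added example, not OWASP STD code)."""
import json
import sys

# Constructed sample scanner output in a hypothetical JSON shape (not the format
# of any real tool). Each record is one finding from a static analysis run.
SAMPLE_FINDINGS_JSON = """[
  {"rule": "SQLI-001", "severity": "high", "file": "src/orders.py",
   "function": "lookup_order", "line": 42, "message": "SQL built by string concatenation"},
  {"rule": "XSS-004", "severity": "medium", "file": "src/views.py",
   "function": "render_profile", "line": 17, "message": "Unescaped user input in template"},
  {"rule": "SQLI-001", "severity": "high", "file": "src/reports.py",
   "function": "monthly_totals", "line": 88, "message": "SQL built by string concatenation"},
  {"rule": "INFO-010", "severity": "low", "file": "src/views.py",
   "function": "render_profile", "line": 3, "message": "Debug logging left enabled"}
]"""

# Constructed baseline: fingerprints of findings the team already triaged on an
# earlier run. Keyed on rule/file/function rather than line number so that
# unrelated edits which shift lines do not make an old finding look new again.
SAMPLE_BASELINE = {"SQLI-001:src/reports.py:monthly_totals"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable identity for a finding, independent of its line number."""
    return "{rule}:{file}:{function}".format(**finding)


def load_findings(text):
    """Parse scanner output and reject severities the gate does not understand."""
    findings = json.loads(text)
    for finding in findings:
        if finding["severity"] not in SEVERITY_RANK:
            raise ValueError("unknown severity %r" % finding["severity"])
    return findings


def triage(findings, baseline, fail_on="high"):
    """Split findings into new vs. already-known and decide whether the build passes."""
    threshold = SEVERITY_RANK[fail_on]
    new = [f for f in findings if fingerprint(f) not in baseline]
    suppressed = len(findings) - len(new)
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"new": new, "suppressed": suppressed,
            "blocking": blocking, "passed": not blocking}


def issue_title(finding):
    """One-line title suitable for filing in the team's issue tracker."""
    return "[{severity}] {rule}: {message} ({file}:{line})".format(**finding)


def gate(text, baseline, fail_on="high"):
    """Return (exit_code, report_lines) for a build step; non-zero fails the build."""
    findings = load_findings(text)
    result = triage(findings, baseline, fail_on)
    lines = ["%d finding(s), %d suppressed by baseline, %d new"
             % (len(findings), result["suppressed"], len(result["new"]))]
    for finding in result["new"]:
        prefix = "BLOCK " if finding in result["blocking"] else "note  "
        lines.append(prefix + issue_title(finding))
    lines.append("BUILD " + ("PASSED" if result["passed"] else "FAILED"))
    return (0 if result["passed"] else 1), lines


if __name__ == "__main__":
    exit_code, report = gate(SAMPLE_FINDINGS_JSON, SAMPLE_BASELINE)
    print("\n".join(report))
    sys.exit(exit_code)
```

Run as a build step, the script's exit status is what the CI server (Jenkins in the proposed stack) keys on; the report lines are what a developer would paste or push into the team's issue tracker. The baseline is the piece that keeps the tool "low noise": findings the team has already seen and triaged are reported as suppressed rather than repeatedly breaking the build.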

So here is my high level plan (of course subject to change)

1. Goal – Improve the adoption, efficiency and effectiveness of security tools in the end-to-end software development process.

2. Scope – Core project team to create an open source reference implementation of an end-to-end development environment that embeds security tools into the process. This may include developing or extending tools to fill gaps, or configuring and adopting existing tools. Use only free open source tools in the reference implementation, but show how commercial tools could be used. Probably settle on a P1 stack of Eclipse, Git, Jenkins, and maybe ScrumDo (GPL) along with an open source issue management system.

3. How – Use Agile planning to build a backlog (of ideas). Run the project like any Agile software project (probably scrum) by grooming and prioritizing the backlog, creating a set of iterations and releases, and running a set of sprints. If we can attract a set of developers to contribute we can operate daily stand-ups (I fancy using Google+ hangouts for this). Eat our own dog food and be recursive in the way we adopt the reference model!

4. When – Paulo Coimbra will be setting up a mailing list and wiki page this week.

I will tweet @curphey and post on Google+ when the lists and pages are set up, but all thoughts are welcome, and of course if you are interested in participating do let me know.

By the way, I know about the acronym. You just can’t take life too seriously. Can you imagine T-shirts at a conference with “Got OWASP STD?”. Security Transmitted Disease, of course!

Wanted : OWASP AppSecUSA Keynote Video Messages

2 May

On September 22nd I am doing the keynote speech at OWASP’s 10th anniversary conference. My talk will be called “Community : The Killer App” and it only seems right to ask the community to help me produce the material. I plan to open the talk with a sequence of video messages from OWASP supporters all around the world, and want to put out a call for people to work with me to produce short videos over the next few months. While only the best will get selected for the introduction sequence, I will put ALL videos on a web wall after the conference.

If you can help create, sponsor or get videos that fit in any of the following categories I want to hear from you ASAP (as it will take time to get this edited).

I am looking for video messages from :

1. Community Individuals – Anyone who wants to share how OWASP has positively affected their life and/or why you contribute to the project. Maybe you got a job because of OWASP? Maybe you got excited by web security and went on to do a degree? Maybe you earn a living as a result of OWASP? Maybe you just contribute because you think it’s important to humanity. For this category (in English only) the more compelling and emotional the story, and the more geographically or culturally diverse (think small village in India or Africa), the more chance it will make the final cut (but I want to hear from everyone). No more than 15 seconds per video please.

2. OWASP Chapter leaders – I want messages from OWASP Chapter leaders and ideally a group message from their chapter meeting. For this category local language is encouraged (I will ask you to supply textual sub-titles that will be added later). For this category the more members in attendance the better, and interesting backdrops or compelling messages are encouraged. No more than 15 seconds per video please.

3. Companies that sponsor or believe in OWASP – I want messages from companies that use OWASP material to deliver services or create products, or who believe that the web is just a better place because of the work of OWASP. For this category high production quality and creative content are encouraged. No more than 15 seconds per video please.

4. Governments & Regulators – I want messages from senior government officials. The more senior the better, and yes, there will be more than a beer in it for anyone who can get me a message from Obama! No more than 60 seconds per video (although no restrictions for any President or Prime Minister!)

5. Industry Leaders and Iconic Web Companies – By industry leaders I mean Tim Berners-Lee, Vint Cerf, James Gosling, Mark Zuckerberg type industry leaders and by iconic companies I mean Twitter, FaceBook, Google, Mozilla etc. Approximately 60 seconds per video.

Why do this? If you are part of the active community it’s a no-brainer; if you are a commercial organization you could get some exposure at the conference and on-line; and if you are an industry leader you will help show your appreciation for the hard work of thousands of volunteers and its importance.

The best way to start is to send me an email letting me know you will be submitting a comment to this post so I can gauge the initial response. I will set a cut-off date sometime in early August so you do have plenty of time, but when great videos come in I will add them to the video, so early submissions are recommended. The longer you leave it, the better your submission will need to be to get selected. In a few weeks I will post instructions on how to submit your videos, probably using a YouTube channel.

If you want to ask any questions or just let me know you will be submitting a video, the best way to contact me is by email using mark at curphey com, and be sure to mark your mail subject [OWASP VIDEO]. I am more than happy to speak to anyone on the phone about this, just mail me for a number (I am PST). You can also Tweet me on Twitter @curphey

Fine Print (that I am sure I will add to):

  • I get to choose the best videos
  • I will edit length (but not modify message)
  • You may need to sign some copyright / disclaimer as this gets official

Any video format will do. I will be using Final Cut Express for video editing.