OWASP AppSec Ireland - September 6th, 2012 - Dublin, Ireland
As I sit on my flight back to London and reflect on the day at OWASP AppSec Ireland in Dublin, where I got to catch up with some old friends (Jim Manico, Jeremiah Grossman, Michael Coates, and others) and had a few first-time handshakes with the likes of Brian Honan and Eoin (pronounced "Owen", by the way!) Keary, with whom I had only had the pleasure of talking on Twitter, I am happy with some of the points we've come to agree on. As the sun sets over the Irish Sea just outside my window, I feel hopeful that OWASP is finding its way and that there is a bright future for security.
A few points then, and a clarification on that comment about OWASP finding its way.
First, Jim Manico, who is one of the smartest AppSec people I can name, loves to teach people how to develop more securely, and his genuine excitement over OWASP's push to return to teaching secure development was a beacon for me. I've watched the OWASP community start out many years ago looking to better the development community, and then over time go off on a tangent as 'security testing' became the sexy thing people wanted to focus on. This isn't to say that having 'breaker' skills is a bad thing, but the whole community, including OWASP, has become unbalanced. With such a deep focus on breaking, who's going to be there to fix all the problems we find and shine a spotlight on? We can't expect the OWASP community to continue forward as a collection of application-security-focused professionals without developer outreach, education, and more outreach. Today was summed up by this ... application (and software) security isn't about security people ... at all ... it's about developers. How does that strike you?
There was an announcement that the SecAppDev organization (http://SecAppDev.org) is expanding its courses to Dublin, which got people like Jim (and me) excited. It was awesome to see such fantastic people as Eoin Keary, Jim Manico and HP's very own Jacob West willing to donate time to go out and hold week-long courses on secure development. This isn't penetration testing or hacking - this is how to write secure code. Folks, we can't break our way to good security, and since software is incrementally making its way into our lives, the sooner we embrace this the better. If you're a developer and you're sick of arrogant security people telling you that your code sucks - take one of these relatively inexpensive courses, or find another alternative - and shut them up. Remember that you, the developer, are the only one who can actually solve this rising epidemic. As someone rightly pointed out during my DevOps talk, very few "app security people" have the capacity to identify a bug and then sit down and actually fix the code. I know I don't; I make a terrible developer... but at least I can admit that, and I know for a fact that if I'm advising some developer on what the issue is, he or she will likely know better than me how to actually fix the issue once (and only IF) I've correctly explained it.
Security and development *must* have a symbiotic relationship otherwise we'll just continue to complain about how dumb developers are, while they complain how clueless security people are - meanwhile software keeps getting worse as it powers more critical things in our lives.
I loved the great talk on HTML5, which gave some good ideas, examples, and an overview of the differences we can expect in the new, and ever-evolving, HTML5 development standard. I learned plenty I hadn't previously been aware of, and even got a couple of the "spot the bug" questions right... I'm not totally out of practice after all!
I got to sit down at lunch time in what I can only describe as the Harry Potter lunch hall and talk shop with Jeremiah, and I am happy to report that we're still largely in agreement on at least one big thing - security has a massive 'people' problem. There simply aren't enough of us to hire. If you've tried to hire someone with app security talent, you'll understand that what I'm saying is true. The other problem is that many organizations want to simply buy something to make the problem go away... software security testing tools, for example. The problem is that unless they get the professional expertise, and allocate manpower (FTEs) and processes around this, it'll never succeed. Services aren't optional... they're desperately needed!
I gave my DevOps-focused talk, and people seemed to like what I was suggesting. Taking my cue from people like Gene Kim, James Wickett, and Jeff Sussna, it quickly becomes clear why security so desperately needs the adoption of a tribe mentality ... no joke, this may be our once-in-a-lifetime chance to actually make security a built-in feature of software development.
My slides are attached to this post, for those who asked. I hope to dedicate more time as I've promised to the OWASP organization to help in its effort to get back to helping developers, security people, and others see the problem in the same light and actually work together to solve some real world problems. Because while breaking may be sexy, it's the defense that's the big hotness.