Rediscovering our way - OWASP AppSec Ireland '12

OWASP AppSec Ireland - September 6th, 2012 - Dublin, Ireland

As I sit on my flight back to London and reflect on the day at OWASP AppSec Ireland in Dublin, where I got to catch up with some old friends (Jim Manico, Jeremiah Grossman, Michael Coates, and others) and had a few first-time handshakes with the likes of Brian Honan and Eoin (pronounced "Owen", by the way!) Keary, with whom I had only had the pleasure of talking on Twitter, I am happy with some of the points we've come to agree on. As the sun sets over the Irish Sea just outside my window, I feel hopeful that OWASP is finding its way and that there is a bright future for security.

A few points then, and a clarification on that comment about OWASP finding its way.

First, Jim Manico, who is one of the smartest AppSec people I can name, loves to teach people how to develop more securely, and his genuine excitement over OWASP's push to return to teaching secure development was a beacon for me. I've watched the OWASP community start out many years ago looking to better the development community and then, over time, go off on a tangent as 'security testing' became the sexy thing people wanted to focus on. This isn't to say that having 'breaker' skills is a bad thing, but the whole community, including OWASP, has become unbalanced. With such a deep focus on breaking, who's going to be there to fix all the problems we find and shine a spotlight on? We can't expect the OWASP community to continue forward as a collection of application-security focused professionals without developer outreach, education, and more outreach. Today was summed up by this ... application (and software) security isn't about security people ... at all ... it's about developers. How does that strike you?

There was an announcement that the SecAppDev organization (http://SecAppDev.org) is expanding its courses to Dublin, which got people like Jim (and me) excited. It was awesome to see such fantastic people as Eoin Keary, Jim Manico and HP's very own Jacob West willing to donate time to go out and hold week-long courses on secure development. This isn't penetration testing or hacking - this is how to write secure code. Folks, we can't break our way to good security, and since software is incrementally making its way into our lives, the sooner we embrace this the better. If you're a developer and you're sick of arrogant security people telling you that your code sucks - take one of these relatively inexpensive courses, or find another alternative, and shut them up. Remember that you, the developers, are the only ones who can actually solve this rising epidemic. As someone rightly pointed out during my DevOps talk, very few "app security people" have the capacity to identify a bug and then sit down and actually fix the code. I know I don't; I make a terrible developer... but at least I can admit that, and I know for a fact that if I'm advising some developer on what the issue is, he or she will likely know better than me how to actually fix the issue once (and only IF) I've correctly explained it.

Security and development *must* have a symbiotic relationship; otherwise we'll just continue to complain about how dumb developers are, while they complain about how clueless security people are - meanwhile software keeps getting worse as it powers more critical things in our lives.

I loved the great talk on HTML5, which gave some good ideas, examples and differences in what we can expect from the new, and ever-evolving, HTML5 development standard. I learned plenty I hadn't previously been aware of, and even got a couple of the "spot the bug" questions right... I'm not totally out of practice after all!

I got to sit down at lunch time in what I can only describe as the Harry Potter lunch hall and talk shop with Jeremiah, and I am happy to report that we're still largely in agreement on at least one big thing - security has a massive 'people' problem. There simply aren't enough of us to hire. If you've tried to hire someone with app security talent, you'll understand that what I'm saying is true. The other problem is that many organizations want to simply buy something to make the problem go away... software security testing tools, for example. The problem is that unless they get the professional expertise, and allocate manpower (FTEs) and processes around this, it'll never succeed. Services aren't optional... they're practically desperately needed!

I gave my DevOps focused talk, and people seemed to like what I was suggesting. Taking my cue from people like Gene Kim, James Wickett, and Jeff Sussna, it quickly becomes clear why security so desperately needs the adoption of a tribe mentality ... no joke, this may be our once-in-a-lifetime chance to actually make security a built-in feature of software development.

My slides are attached to this post, for those who asked. I hope to dedicate more time, as I've promised to the OWASP organization, to help in its effort to get back to helping developers, security people, and others see the problem in the same light and actually work together to solve some real-world problems. Because while breaking may be sexy, it's the defense that's the big hotness.

Comments
Tunn3lR47 (anon) | 09-10-2012 10:14 AM

Spot on as always, Raf. I sit in the appsec space at my org. After 4 years of playing damage control from past ego-shattering appsec/dev shop interactions, I think I'm starting to finally make a breakthrough. It took a long time for me to convince our devs that I didn't come to condemn or ridicule, but to provide a service which will help them deliver the best possible product to business units which had increasingly higher expectations. Now we're actually getting somewhere.

It's amazing to me how little supposed "security people" seem to understand about risk-based action. Most of the PR problem the appsec team had hung on a mountain of formalized risk assessments, all marked "HIGH" or "CRITICAL" even if they were not. The dev community soon had us pegged as fear mongers, and promptly gave us the silent treatment.

Now the devs view me as a partner, picking up the phone to call me during development if they have questions about secure coding, rather than me having to find out later during a post-prod assurance review. Partnering with people gets results - now if only I could teach my peers that so I could get off the phone for once! Coffee++
