A Journey in Security: August 2011

Thursday, August 18, 2011

Joining OWASP Board

The 2011 OWASP elections have concluded. I'm thrilled to have the support and backing of the OWASP community as they've voted me to one of the three board positions.

For readers of my blog that aren't already aware of OWASP, this is a worldwide non-profit & open source organization with the mission of improving the state of application security. This translates to an incredibly talented group of security experts all working towards a common good.

Open source, free from corporate control, free to the world - what more could you ask for?

I've been a long time OWASP supporter, have led and contributed to several projects, spoken at numerous conferences in the US and Europe and now I am excited to continue advancing the mission of OWASP through my efforts on the board.

I'd love to hear people's goals and ideas for OWASP. But as a volunteer community that empowers everyone, I'd more like to see you take those ideas and run with them! OWASP is a community of action and on the OWASP board I will work to empower individuals around the world with the resources, audience, and tools that are needed to continue producing top notch security materials.

Take a moment and help contribute to the OWASP mission.

How can you help?

Start or join an OWASP project
Expand the OWASP wiki
Become a member
Attend the next OWASP Conference
Stop by at your local chapter meeting
Participate on the email lists or the community site

-Michael Coates - @_mwc

Friday, August 12, 2011

Hiring Response to Recent Attacks Is Misguided

Sadly the response to security compromises in the news seems to be a push to buy more firewalls. Firewalls provide no defense against application security attacks. The article below reminds me of a great chart by Gunnar Peterson

According to the barclay interim report which is also being referenced in stories on CSOonline.com

The increase in electronic attacks has had a direct impact on the demand for network security professionals. Companies are now strengthening their network security infrastructure. There is an increase in demand for firewall experts with qualifications in Juniper and Checkpoint and for security practitioners with experience of configuring IDS/IPS systems. As the year progresses those who have specialised in network security will be more highly sought after which will increase rates for permanent and contract candidates alike.

If you read through the barclay report you'll notice they are specifically referring to the following high profile events:

Attacks against:

Visa, Amazon, MasterCard and PayPal
The multiple Sony compromises
Nintendo, RSA SecurID, Gmail and CitiBank

Some of these were distributed denial of service attacks, but many were application specific attacks that resulted in the compromise and data disclosure. If the concern is SQL injection and application security, then invest in your SDLC and look for application security experts. No amount of firewalls will help this issue.

Now, don't get me wrong. We still need firewalls and many network security experts. They provide invaluable security services. Just make sure your strategy is actually addressing the problem you are attempting to solve.

-Michael Coates - @_mwc

Monday, August 8, 2011

OWASP 2011 Elections - Vote Now

The voting is now open for the OWASP 2011 elections. I've been a passionate supporter of OWASP for years, a leader of multiple OWASP projects, a speaker at the conferences and am excited about the possibility of joining the OWASP board.

Please read more about my background and my vision for OWASP. You can also listen to the board candidate interviews. Here is the link to the OWASP 2011 elections wiki page with all the info.

Watch your email for the voting link and thanks for your support.

My Vision For OWASP

Technology is changing at a rapid pace and security plays a vital role in the technology ecosystem. Security should not be seen as a blockade to innovation; instead, security can be leveraged to allow our technology to do more than we ever realized. OWASP is well poised to provide the advanced security knowledge, tools and training to empower companies to integrate security as a product differentiator and impetus for technology advancement.
My vision for OWASP includes a board that creates opportunities and acts as a catalyst for OWASP projects and the advancement of the OWASP mission. OWASP is powerful because of the massive expertise that we contain from all of our contributors around the world. I believe that the OWASP board should provide the necessary resources, technologies, funding and support for OWASP contributors to be successful in growing security technology, addressing security challenges and sharing these skills with the world.
In addition, I feel the OWASP board should work to help OWASP identify key challenges that should be focused upon in a planned period of time. The combination of addressing an identified security challenge and continued support for individual project growth will allow OWASP to both leverages our collective expertise and also support organic individual project growth. I believe this two-pronged approach will allow OWASP to continue to grow and create world-class security resources.
The following areas are key positions that I hold and represent the direction I wish to pursue on the OWASP board:

Breaking out of the Echo Chamber: OWASP should focus on working with people that have never heard of OWASP before. I plan to build the necessary presentations, tools and funding to get OWASP members at college campuses and developer conferences to teach OWASP materials.

Funding: OWASP is a non-profit and is powered by our mission and our volunteers. However, we can do more if we have the necessary resources to dream big. I plan to pursue grants and funding that enable OWASP to do more to spread our knowledge and advance our mission.

Integration with Enterprises: As a security professional employed at a major technology company I wish to further expand OWASP's involvement with corporate entities to address the core risks and challenges they are facing. This involves sitting down with these industries through our global committees and identifying their needs and how we can help meet them.

Community and Open: I strongly believe in the O in OWASP. Like the web, security should be open and available to all. The power of OWASP lies in the individuals that donate their time and skills. I plan to grow our community and identify ways we can further strengthen the worldwide community.