[ISN] Web-security group seeks to plant its flag in San Antonio
InfoSec News
isn at c4i.org
Mon Jun 21 02:17:58 EDT 2004
http://www.bizjournals.com/industries/high_tech/networking/2004/06/21/sanantonio_story7.html
Mike W. Thomas
June 18, 2004
A new nonprofit organization for information security professionals is
coming to San Antonio to spread its gospel about the need to address
security from an application standpoint.
The Open Web Application Security Project (OWASP) was created as an
open source community where people can advance their knowledge about
Web application and Web-services security issues.
The Denim Group, a local information security start-up, is leading the
charge to set up a San Antonio chapter of OWASP. Dan Cornell, a
partner at Denim Group, is set to serve as president of the local
chapter.
"San Antonio is a really interesting town for a chapter for this
organization because of its strong military presence ... ," Cornell
says. "... I think we will see a lot of interest here in town from
more traditional information security practitioners who are interested
in expanding their skills so they can better understand how
application development works."
John Dickson, another partner at Denim Group, says OWASP serves as a
forum for security people and software developers to cross-pollinate.
"The security people are typically on one side of the house and the
software developers speak another language," Dickson says. "So we are
going to create a forum through this chapter where development people
from the big companies like USAA, Valero and Clear Channel will be
able to interact and trade war stories."
Dickson says the information technology industry is starting to
realize that securing most of the regular infrastructure in a computer
network is fairly straightforward, but when people put custom software
up on the Web, it opens a backdoor for hackers.
Cornell says when you look at traditional security practitioners
compared to application security, there is both a training and a
cultural difference.
"Application security combines the paranoid mentality that says 'How
can I break into something,' with software development," he explains.
"Most information security folks are very strong at the network level,
and they understand routers and firewalls and intrusion detection and
patches and spam.
"But they do not all have the more formal computer science background
that gets you to the point where you can create software on your own."
Meet the founder
Cornell and Dickson will be attending an application security
conference this week (June 19-20) in New York City where they will
discuss setting up a local chapter of OWASP with the organization's
founder, Mark Curphey.
Curphey is a director of consulting at Foundstone, a leading global
information security software, services and education provider based
in Mission Viejo, Calif.
Curphey says a few years ago, while working for a company in Atlanta
that tested security systems, he found that often when he would break
into an organization during a penetration test, it was through the
application layer.
Later, when he took a job at Charles Schwab in San Francisco heading
up their application security program globally, he started
communicating with other people in the financial services industry and
realized they were struggling with the same set of problems.
"We determined that there was a lack of good, unbiased information out
there about the software security problem," Curphey says. "What was
being portrayed at the time by a couple of small start-ups was a
marketing campaign of fear, uncertainty and doubt with the aim of
selling more of their products."
But Curphey says these companies weren't addressing the real needs, so
he got a group of people together to help get the word out about the
real problems with application security.
"We came up with a common lexicon with which we could discuss the
issues and put it in the open, so we could all share the same common
ground," he says. "... We set about creating a guide to building
secure Web applications and then released it free on the Internet.
"What we discovered was that there was a huge appetite for it. People
just began coming out of the woodwork and that initial document got
downloaded a million and a half times in that first year in 2000."
Global expansion
Curphey says from that initial interest, the organization moved ahead
with developing more projects on an open source basis until they got
to the point where they are at today.
Today, OWASP has active participants from all over the world,
including local chapters in Houston and Dallas.
"This year we have been absolutely going through the roof with the
level of interest," Curphey says. "We have been working to develop
testing standards and criteria, and we are getting a lot of adoption."
Curphey says when a number of the large financial institutions and the
large telecoms began coming forward to give his group money to figure
out ways to enhance their work, they decided to set up a non-profit
foundation.
"We now have an overarching foundation that controls what we are
doing," he says. "We are staffed by volunteers and everything is
non-profit and open source. Everything is always licensed so that it
will always be free and nobody can make money from it."