[ISN] Web-security group seeks to plant its flag in San Antonio

From: InfoSec News (isn@private)
Date: Sun Jun 20 2004 - 23:17:58 PDT


    Mike W. Thomas
    June 18, 2004 
    A new nonprofit organization for information security professionals is
    coming to San Antonio to spread its gospel about the need to address
    security from an application standpoint.
    The Open Web Application Security Project (OWASP) was created as an
    open source community where people can advance their knowledge about
    Web application and Web-services security issues.
    The Denim Group, a local information security start-up, is leading the
    charge to set up a San Antonio chapter of OWASP. Dan Cornell, a
    partner at Denim Group, is set to serve as president of the local
    "San Antonio is a really interesting town for a chapter for this
    organization because of its strong military presence ... ," Cornell
    says. "... I think we will see a lot of interest here in town from
    more traditional information security practitioners who are interested
    in expanding their skills so they can better understand how
    application development works."
    John Dickson, another partner at Denim Group, says OWASP serves as a
    forum for security people and software developers to cross-pollinate.
    "The security people are typically on one side of the house and the
    software developers speak another language," Dickson says. "So we are
    going to create a forum through this chapter where development people
    from the big companies like USAA, Valero and Clear Channel will be
    able to interact and trade war stories."
    Dickson says the information technology industry is starting to
    realize it is pretty much straightforward to secure most of the
    regular infrastructure in a computer network, but when people put
    custom software up on the Web, it opens up a backdoor for hackers.
    Cornell says when you look at traditional security practitioners
    compared to application security, there is both a training and a
    cultural difference.
    "Application security combines the paranoid mentality that says 'How
    can I break into something,' with software development," he explains.  
    "Most information security folks are very strong at the network level,
    and they understand routers and firewalls and intrusion detection and
    patches and spam.
    "But they do not all have the more formal computer science background
    that gets you to the point where you can create software on your own."
    Meet the founder
    Cornell and Dickson will be attending an application security
    conference this week (June 19-20) in New York City where they will
    discuss setting up a local chapter of OWASP with the organization's
    founder, Mark Curphey.
    Curphey is a director of consulting at Foundstone, a leading global
    information security software, services and education provider based
    in Mission Viejo, Calif.
    Curphey says a few years ago, while working for a company in Atlanta
    that tested security systems, he found that often when he would break
    into an organization during a penetration test, it was through the
    application layer.
    Later, when he took a job at Charles Schwab in San Francisco heading
    up their application security program globally, he started
    communicating with other people in the financial services industry and
    realized they were struggling with the same set of problems.
    "We determined that there was a lack of good, unbiased information out
    there about the software security problem," Curphey says. "What was
    being portrayed at the time by a couple of small start-ups was a
    marketing campaign of fear, uncertainty and doubt with the aim of
    selling more of their products."
    But Curphey says these companies weren't addressing the real needs, so
    he got a group of people together to help get the word out about the
    real problems with application security.
    "We came up with a common lexicon with which we could discuss the
    issues and put it in the open, so we could all share the same common
    ground," he says. "... We set about creating a guide to building
    secure Web applications and then released it free on the Internet.
    "What we discovered was that there was a huge appetite for it. People
    just began coming out of the woodwork and that initial document got
    downloaded a million and a half times in that first year in 2000."
    Global expansion
    Curphey says from that initial interest, the organization moved ahead
    with developing more projects on an open source basis until they got
    to the point where they are at today.
    Today, OWASP has active participants from all over the world,
    including local chapters in Houston and Dallas.
    "This year we have been absolutely going through the roof with the
    level of interest," Curphey says. "We have been working to develop
    testing standards and criteria, and we are getting a lot of adoption."
    Curphey says when a number of the large financial institutions and the
    large telecoms began coming forward to give his group money to figure
    out ways to enhance their work, they decided to set up a non-profit
    "We now have an overarching foundation that controls what we are
    doing," he says. "We are staffed by volunteers and everything is
    non-profit and open source. Everything is always licensed so that it
    will always be free and nobody can make money from it."
