http://www.bizjournals.com/industries/high_tech/networking/2004/06/21/sanantonio_story7.html

Mike W. Thomas
June 18, 2004

A new nonprofit organization for information security professionals is coming to San Antonio to spread its gospel about the need to address security from an application standpoint.

The Open Web Application Security Project (OWASP) was created as an open source community where people can advance their knowledge about Web application and Web-services security issues.

The Denim Group, a local information security start-up, is leading the charge to set up a San Antonio chapter of OWASP. Dan Cornell, a partner at Denim Group, is set to serve as president of the local chapter.

"San Antonio is a really interesting town for a chapter for this organization because of its strong military presence ... ," Cornell says. "... I think we will see a lot of interest here in town from more traditional information security practitioners who are interested in expanding their skills so they can better understand how application development works."

John Dickson, another partner at Denim Group, says OWASP serves as a forum for security people and software developers to cross-pollinate.

"The security people are typically on one side of the house and the software developers speak another language," Dickson says. "So we are going to create a forum through this chapter where development people from the big companies like USAA, Valero and Clear Channel will be able to interact and trade war stories."

Dickson says the information technology industry is starting to realize it is pretty much straightforward to secure most of the regular infrastructure in a computer network, but when people put custom software up on the Web, it opens up a backdoor for hackers.

Cornell says when you look at traditional security practitioners compared to application security, there is both a training and a cultural difference.
"Application security combines the paranoid mentality that says 'How can I break into something,' with software development," he explains. "Most information security folks are very strong at the network level, and they understand routers and firewalls and intrusion detection and patches and spam.

"But they do not all have the more formal computer science background that gets you to the point where you can create software on your own."

Meet the founder

Cornell and Dickson will be attending an application security conference this week (June 19-20) in New York City where they will discuss setting up a local chapter of OWASP with the organization's founder, Mark Curphey.

Curphey is a director of consulting at Foundstone, a leading global information security software, services and education provider based in Mission Viejo, Calif.

Curphey says a few years ago, while working for a company in Atlanta that tested security systems, he found that often when he would break into an organization during a penetration test, it was through the application layer.

Later, when he took a job at Charles Schwab in San Francisco heading up their application security program globally, he started communicating with other people in the financial services industry and realized they were struggling with the same set of problems.

"We determined that there was a lack of good, unbiased information out there about the software security problem," Curphey says. "What was being portrayed at the time by a couple of small start-ups was a marketing campaign of fear, uncertainty and doubt with the aim of selling more of their products."

But Curphey says these companies weren't addressing the real needs, so he got a group of people together to help get the word out about the real problems with application security.

"We came up with a common lexicon with which we could discuss the issues and put it in the open, so we could all share the same common ground," he says. "... We set about creating a guide to building secure Web applications and then released it free on the Internet.

"What we discovered was that there was a huge appetite for it. People just began coming out of the woodwork and that initial document got downloaded a million and a half times in that first year in 2000."

Global expansion

Curphey says from that initial interest, the organization moved ahead with developing more projects on an open source basis until they got to the point where they are at today.

Today, OWASP has active participants from all over the world, including local chapters in Houston and Dallas.

"This year we have been absolutely going through the roof with the level of interest," Curphey says. "We have been working to develop testing standards and criteria, and we are getting a lot of adoption."

Curphey says when a number of the large financial institutions and the large telecoms began coming forward to give his group money to figure out ways to enhance their work, they decided to set up a non-profit foundation.

"We now have an overarching foundation that controls what we are doing," he says. "We are staffed by volunteers and everything is non-profit and open source. Everything is always licensed so that it will always be free and nobody can make money from it."