John Wilander is the chapter leader for OWASP Sweden and expert consultant at Omegapoint AB. He’s working professionally in the intersection between software development and IT security, specializing in web application security. In this interview he discusses OWASP AppSec Research, a major event dedicated to web application security.
Based on your experience, what are the biggest misconceptions when it comes to web application security?
Three years back the big misconception was that local security is all about features and functions. You buy another pizza box (i e firewall), put it the rack and you’re done. Global security on the other hand was up to the big vendors of operating systems and core applications such as email clients and web browsers.
Since then developers and software customers have started to realize that security is both function and quality — security features and secure features if you will. And since everybody’s developing their own applications, software security has become an issue at everyone’s own office.
But who’s going to do the job? Who’s going to be responsible for the security of our applications? Traditionally that would be the network and operations guy along with the info security guy. But they don’t deal with code and it all boils down to code, custom-made code. So the answer is that developers have to learn application security and put it into practice in their daily work.
The responsibility of security experts is to make application security as sexy to learn as the latest and greatest language features, frameworks, and web standards.
How would you introduce OWASP AppSec Research to someone who hasn’t attended yet?
First of all, OWASP is all about openness. All the material, tools, presentations, and documentation is open and free for members and non-members the like. This builds up a very friendly and welcoming atmosphere at the AppSec conferences. You can talk to anyone and you’re welcome even if application security is not your field of expertise.
Secondly, OWASP tends to lean towards innovative security solutions rather than security problems. We always have some really interesting talks on upcoming problems but the OWASP crowd likes to hear what we as professionals can and should do about it. This is the key to attracting the right mix of people. It’s 50/50 geeky and business.
Who are the keynote speakers this year and what topics are they discussing?
On our first day we have invited Chris Evans and Ian Fette from Google to talk about cross-domain theft and the future of browser security. Chris is working as “troublemaker” for Google security and is one the guy who’ll read your bug report if you send it to firstname.lastname@example.org. He has released a ton of security bug reports himself and is the author of vsftpd. Ian Fette is product manager for Chrome security and Google’s anti-malware initiative. It’ll be great to hear what these guys have to say about the future of web security.
The second day we invite Steve Lipner, senior director of security engineering strategy at Microsoft, and he enters the stage to talk about the Security Development Lifecycle. Steve is one of two authors of the famous SDL book and he will talk about the evolution of the SDL from its origins in the Microsoft “security pushes” of 2002-3 through its current status and application in 2010. Specifically he will discuss the aspects of change and change management as well as recent changes and additions to the SDL such as adaptation to agile development processes.
What tracks would you highlight?
We have some tremendously interesting talks and demos on cross-domain issues and the same-origin policy. That’s something I will not miss myself. Also, Dave Wichers of the OWASP board will present the OWASP Top 10 2010 that was released April 19th this year.
There are quite a few security conferences covering a variety of topics, including Web application security. What do you see as your strengths?
OWASP is the de facto reference for web application security almost everywhere I go. This conference is an awesome opportunity to join the community and get to know the people behind all the OWASP guides, tools, and books. OWASP AppSec is not a conference where you’ll wander around feeling isolated and anonymous, unless you want. We’re a welcoming crowd, there to help you.
Finally, I have to mention our gala dinner at Stockholm City Hall. A sponsored dinner party for all attendees in the place where the annual Nobel Prize Banqet is held. No other security conference offers that!