Why government security pros must attend OWASP AppSec DC 2010

I go to many security conferences each year, but there’s one I keep missing: OWASP AppSec DC. It’s a shame, because I’ve gotten to know a lot of the folks involved with it and they have a lot to offer those trying to figure out the complicated art of application security.

A little history: The Open Web Application Security Project (OWASP) is an open community dedicated to “enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.” It advocates approaching application security as a people-process-technology problem because “the most effective improvements need to cover all of these areas.”

Last year I was there for a brief couple of hours, and the proceedings hadn’t really started yet. I was in town for another event and stopped by long enough to do a podcast about OWASP’s drive for better app security.

I’m going to miss it again next month because of other commitments, but that’s not going to stop me from getting some of you there. One of the big topics is Supply Chain Risk Management, according to Doug Wilson, principal consultant at Mandiant and a lead organizer of OWASP AppSec DC 2010, which takes place Nov. 8-11 at the Walter E. Washington Convention Center, 801 Mount Vernon Place, NW Washington:

“Software Assurance is a big, lacking area for SCRM,” Wilson told me in an e-mail last week. “A lot of physical products have good supply chain risk management practices, but software really has crappy ones.”

This year, the goal is for OWASP AppSec DC to blend the challenges of government and the private sector, Wilson said, adding that the private sector and organizations like OWASP are way ahead of where the government is at.

When I interviewed OWASP members last year, all agreed app security is half a decade behind where it should be, especially at the government level. For examples of why that is, read Web Application Security Today – Are We All Insane?

To help bring attention to the importance of such events, I’m repeating six useful tips OWASP member Matt Fisher shared with me last year regarding some of the key problems with app security today and how to turn things around:

1. Build a community. Large enterprises like the Federal government are particularly prone to the silo effect; a simple intranet site that’s well managed can work wonders to leverage the expertise throughout an entire department.

2. Spread the expertise. Right now the majority of what application security knowledge exists within security groups. This is a good start but ultimately the programs build and fix the applications; staff them with experts, too.

3. Think beyond tools. While tools can automate certain assessment tasks, realize that they only assist with a portion of your assessments. Even then, assessments are just one portion of an assurance program.

4. Provide guidance. Developers want to build secure, compliant software; they just don’t always know how. Make standards, requirements and reference models available to your programs.

5. Don’t wait to test. Late-cycle testing under release pressure is stressful on the program and testers alike. Start testing earlier in the cycles and involve your assessment team in the scheduling.

6. Zoom-in your continuous monitoring. A “minor” application change can fly through change control but create huge vulnerabilities. Scrutinize changes to applications carefully, particularly Internet-facing or other high-risk systems.

If you can’t make it to AppSec DC this year but are interested in the tools they have to offer, visit the OWASP wiki.