
Why gov't security pros must attend OWASP AppSec DC

By Bill Brenner
October 12, 2010 12:19 PM ET

CSO - I go to many security conferences each year, but there's one I keep missing: OWASP AppSec DC. It's a shame, because I've gotten to know a lot of the folks involved with it and they have a lot to offer those trying to figure out the complicated art of application security.

A little history: The Open Web Application Security Project (OWASP) is an open community dedicated to "enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security." It advocates approaching application security as a people-process-technology problem because "the most effective improvements need to cover all of these areas."

Last year I was there for a brief couple of hours, and the proceedings hadn't really started yet. I was in town for another event and stopped by long enough to do a podcast about OWASP's drive for better app security.

I'm going to miss it again next month because of other commitments, but that's not going to stop me from getting some of you there. One of the big topics is Supply Chain Risk Management, according to Doug Wilson, principal consultant at Mandiant and a lead organizer of OWASP AppSec DC 2010, which takes place Nov. 8-11 at the Walter E. Washington Convention Center, 801 Mount Vernon Place NW, Washington:

"Software Assurance is a big, lacking area for SCRM," Wilson told me in an e-mail last week. "A lot of physical products have good supply chain risk management practices, but software really has crappy ones."

This year, the goal is for OWASP AppSec DC to blend the challenges of government and the private sector, Wilson said, adding that the private sector and organizations like OWASP are way ahead of where the government is.

When I interviewed OWASP members last year, all agreed app security is half a decade behind where it should be, especially at the government level. For examples of why that is, read Web Application Security Today - Are We All Insane?

To help bring attention to the importance of such events, I'm repeating six useful tips OWASP member Matt Fisher shared with me last year regarding some of the key problems with app security today and how to turn things around:

1. Build a community. Large enterprises like the Federal government are particularly prone to the silo effect; a simple intranet site that's well managed can work wonders to leverage the expertise throughout an entire department.

2. Spread the expertise. Right now, most of the application security knowledge that exists lives within security groups. This is a good start, but ultimately the programs build and fix the applications; staff them with experts, too.

Originally published on www.csoonline.com.
This story is reprinted from CSO Online.com, an online resource for information executives. Story Copyright CXO Media Inc., 2006. All rights reserved.