Why gov't security pros must attend OWASP AppSec DC
CSO - I go to many security conferences each year, but there's one I keep missing: OWASP AppSec DC. It's a shame, because I've gotten to know a lot of the folks involved with it and they have a lot to offer those trying to figure out the complicated art of application security.
A little history: The Open Web Application Security Project (OWASP) is an open community dedicated to "enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security." It advocates approaching application security as a people-process-technology problem because "the most effective improvements need to cover all of these areas."
Last year I was there for a brief couple of hours, and the proceedings hadn't really started yet. I was in town for another event and stopped by long enough to do a podcast about OWASP's drive for better app security.
I'm going to miss it again next month because of other commitments, but that's not going to stop me from getting some of you there. One of the big topics is Supply Chain Risk Management, according to Doug Wilson, principal consultant at Mandiant and a lead organizer of OWASP AppSec DC 2010, which takes place Nov. 8-11 at the Walter E. Washington Convention Center, 801 Mount Vernon Place, NW Washington:
"Software Assurance is a big, lacking area for SCRM," Wilson told me in an e-mail last week. "A lot of physical products have good supply chain risk management practices, but software really has crappy ones."
This year, the goal is for OWASP AppSec DC to blend the challenges of government and the private sector, Wilson said, adding that the private sector and organizations like OWASP are way ahead of where the government is at.
When I interviewed OWASP members last year, all agreed app security is half a decade behind where it should be, especially at the government level. For examples of why that is, read Web Application Security Today - Are We All Insane?
To help bring attention to the importance of such events, I'm repeating six useful tips OWASP member Matt Fisher shared with me last year regarding some of the key problems with app security today and how to turn things around:
1. Build a community. Large enterprises like the Federal government are particularly prone to the silo effect; a simple intranet site that's well managed can work wonders to leverage the expertise throughout an entire department.
2. Spread the expertise. Right now, the majority of what application security knowledge exists resides within security groups. This is a good start, but ultimately the programs build and fix the applications; staff them with experts, too.