Tuesday, May 24, 2011

OWASP Survey on Preferred Communication Methods

I'm curious to find out how people are learning about OWASP news and events. There are a variety of channels available (RSS feed, Twitter account, leaders list, OWASP home page, etc.).

I've created a Google survey with 9 questions to capture some of this information. You can complete the survey at the following link. This survey is open to anyone and no sign-in is required.

Survey link:

-Michael Coates - @_mwc

Sunday, May 22, 2011

Running for OWASP Board

OWASP Board Elections: Michael Coates

I'd like to announce that I'll be running for one of the three seats available in the 2011 OWASP board election.

My candidacy is now listed on the OWASP elections page and includes a link to my bio and vision for OWASP.   I've been involved with OWASP for years as a project owner, global committee member, corporate supporter representative and speaker at many OWASP conferences.  I strongly believe in the mission and the OWASP organization. 

Vision For OWASP

Technology is changing at a rapid pace and security plays a vital role in the technology ecosystem.  Security should not be seen as a blockade to innovation; instead, security can be leveraged to allow our technology to do more than we ever realized.  OWASP is well poised to provide the advanced security knowledge, tools and training to empower companies to integrate security as a product differentiator and impetus for technology advancement.

My vision for OWASP includes a board that creates opportunities and acts as a catalyst for OWASP projects and the advancement of the OWASP mission.  OWASP is powerful because of the massive expertise that we contain from all of our contributors around the world.  I believe that the OWASP board should provide the necessary resources, technologies, funding and support for OWASP contributors to be successful in growing security technology, addressing security challenges and sharing these skills with the world. 

In addition, I feel the OWASP board should help OWASP identify key challenges to focus on within a planned period of time.  The combination of addressing an identified security challenge and continued support for individual project growth will allow OWASP to both leverage our collective expertise and support organic individual project growth. I believe this two-pronged approach will allow OWASP to continue to grow and create world-class security resources.

The following areas are key positions that I hold and represent the direction I wish to pursue on the OWASP board:

* Breaking out of the Echo Chamber: OWASP should focus on working with people that have never heard of OWASP before. I plan to build the necessary presentations, tools and funding to get OWASP members at college campuses and developer conferences to teach OWASP materials.

* Funding: OWASP is a non-profit and is powered by our mission and our volunteers. However, we can do more if we have the necessary resources to dream big.  I plan to pursue grants and funding that enable OWASP to do more to spread our knowledge and advance our mission.

* Integration with Enterprises: As a security professional employed at a major technology company I wish to further expand OWASP's involvement with corporate entities to address the core risks and challenges they are facing.

* Community and Open: I strongly believe in the O in OWASP. Like the web, security should be open and available to all. The power of OWASP lies in the individuals that donate their time and skills.  I plan to grow our community and identify ways we can further strengthen the worldwide community.

-Michael Coates - @_mwc

Wednesday, May 18, 2011

Network Provider Modifying Application Traffic En Route To Users?

To keep up with a growing demand for wireless internet service, some providers are adding clauses that allow them to "optimize" traffic by modifying large media files such as video and images in real time.
These techniques include caching less data, using less capacity, and sizing the video more appropriately for the device. The optimization process is agnostic to the content itself and to the website that provides it. [Services Terms and Conditions - Verizon]
More info on their network optimization.

Perhaps you've assumed that your site doesn't need SSL/TLS because you are not transferring or accepting any sensitive user data. Besides this being flawed logic, you may want to reconsider your position given this information.  This new policy may cause a portion of your users to receive images and videos in a format or quality different from what you have specified.

To ensure your delivered traffic is received as intended you need to use SSL/TLS.  A site delivered via SSL/TLS cannot be tampered with by anyone between the website and the user.  Any attempt to modify or intercept this traffic will result in a certificate failure and an alert to the user[1].

As the move to wireless internet continues to grow so will the strain on the network and the number of users visiting your application via a wireless provider.  If you want to ensure that your images and video are delivered in the quality and format that you've specified, and not the decision of the network provider, then you need to move to HTTPS for your sites now.

Note: Please take a look at the OWASP Transport Layer Protection Cheat Sheet to avoid common vulnerabilities in the design and deployment of SSL/TLS.

[1] - There are exceptions if the certificate is issued by a CA that has been added to the end user's browser root certificate store, e.g. a corporation adds its SSL proxy CA to all issued machines.
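The practical step the post calls for is moving the whole site to HTTPS. The following nginx configuration is an added example, not from the post or from OWASP: it redirects every plaintext request to HTTPS, serves the site only over TLS, and sets an HSTS header so browsers that have visited once stop sending plaintext requests at all. The hostname, certificate paths and web root are placeholders; the HSTS header and the TLS protocol restriction go a step beyond the post, in the direction of the cheat sheet it points to, so that the deployment is hardened rather than merely enabled.

```nginx
# Added example (not the post's own configuration).
# Placeholders: www.example.com, the certificate/key paths, the web root.

# Plaintext listener: never serve content here, only redirect.
# Anything served on port 80 is exactly what an intermediary can rewrite.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

# TLS listener: the only place pages, images and video are served.
server {
    listen 443 ssl;
    server_name www.example.com;

    # Full chain (leaf + intermediates) so every client can build a path
    # to a trusted root; the private key must be readable only by nginx.
    ssl_certificate     /etc/nginx/certs/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;

    # Only current protocol versions; older ones have known weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: browsers that have seen this header use HTTPS for the next
    # year without first trying plaintext, closing the window in which a
    # network intermediary could alter or downgrade the initial request.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/www.example.com;
}
```

One caveat worth checking after the switch: the protection only covers resources actually fetched over HTTPS. An HTTPS page that still embeds images or video via http:// URLs leaves exactly those media objects open to modification, so every reference in the page source needs to move to https:// (or protocol-relative) URLs as well.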

-Michael Coates - @_mwc

Tuesday, May 10, 2011

Attack Aware Applications - Presentations Around The World

Several years ago I started the OWASP AppSensor project to build a strategy for equipping applications with real time attack detection and response.  The project has really grown since its inception and has many excellent contributors actively growing the project.

Here is a list of the currently planned 2011 presentations on Attack Aware Applications, aka AppSensor.  I hope you have the opportunity to attend one and learn more.
  • 10th February, OWASP World Summit - Portugal
  • 23rd March, OWASP San Antonio Chapter Meeting
  • 18th April, OWASP Minneapolis Chapter Meeting
The following presentations will be led by long-time contributor Colin Watson.  More information can be found at this link.
  • 12th May, ISSA UK application security training day at National Codes and Cipher Centre, Bletchley Park, UK — a high-level overview of application defence with a focus on how this can contribute to a reduction in operational risk (free to ISSA members, registration required).
  • 19th May, 2nd International Secure Systems Development Conference, London, UK — an introduction to OWASP AppSensor (chargeable).
  • 25th May, OWASP Greece chapter Training Day, Athens, Greece — introduction and walk-through on how to identify and select attacker detection points (free to OWASP members, registration required). Colin will also be presenting Software Assurance Maturity Model at this event.
  • 9th June, AppSec EU 2011, Dublin, Ireland — an update on the OWASP AppSensor project including how to build the concepts into your own software projects (chargeable, discount to OWASP members, registration required).
  • 16th June, OWASP Belgium chapter meeting, Brussels, Belgium — a repeat of the AppSec EU presentation (free, registration required).
  • 21st September, OWASP USA, Minneapolis, Minnesota USA — Application Attack Detection & Response - A Hands-on Planning Workshop
-Michael Coates - @_mwc

Monday, May 9, 2011

Have Presentation - Will Virtually Travel

Over the past two months I've had the opportunity to remotely present at two different OWASP chapter meetings - OWASP San Antonio and OWASP Minneapolis.  I had been talking with Dan Cornell (San Antonio) and Adam Baso (Minneapolis) for quite some time about getting out to each location for a presentation.  Unfortunately, the travel just didn't line up. At this point we looked at other options and the idea of a virtual presentation to the chapter was born.

For the San Antonio presentation we used Skype for video and audio, and the slides were manually advanced on a local projector at the San Antonio chapter meeting.  This setup allowed the audience to see me, and I could also see most of the room via the chapter meeting's Skype camera. This setup worked pretty well, but it would have been better if I had been able to control the slides.

At Minneapolis we used WebEx. With this setup I was still able to see and hear the room, but I also had full control of the slide deck and the ability to remotely share my browser for live demos.  This worked really well and is the setup I'd advise for future remote presentations.  In addition to the local chapter attendees, the WebEx meeting link was also sent out to the full OWASP mailing list and many other people were able to remotely join in.

In both setups the biggest problem was clearly hearing the audience's questions.  I could hear questions from attendees sitting close to the chapter's WebEx machine.  However, for those sitting further away, I needed the local chapter leader to repeat the question closer to the microphone.  In the future, I'd recommend that the local chapter obtain a wireless microphone that can be connected to their WebEx computer.

Audience Feedback

I received good feedback from the presentations. Although it's always ideal to have a speaker present in person, I feel that two-way video created a great environment for a remote presentation.  Based upon the two virtual presentations I've conducted so far, I'd definitely recommend that other chapters explore virtual presentations to complement their normal speaker schedule.

Please feel free to ping me with additional questions or to coordinate a virtual presentation for your chapter.

-Michael Coates - @_mwc