Friday, February 3, 2012

Security for a Greater Good

I'm very excited to be helping Ushahidi build a security group to enhance the security of their software.  Ushahidi describes itself as the following:

We are a non-profit tech company that develops free and open source software for information collection, visualization and interactive mapping.
However, this organization is far more than just a tool for information mapping.  If you talk with anyone involved, or just read their about page, you'll quickly find out that this organization is developing tools that can be used to bridge the gap between technology and human crisis reporting.

Working with Ushahidi is a rare opportunity to use our technology and security skills to protect the well-being of individuals that are attempting to report oppression or violence against their fellow citizens. 

If you're part of the Mozilla or OWASP community then keep an ear out.  As we formalize our approach we'll be reaching out to these technology and security communities looking other volunteers that are interested in contributing their security skills to this project.

-Michael Coates - @_mwc

Security & Health Care Startups

Two weeks ago I had the opportunity to speak at Rockhealth's Health Innovation Summit held here in San Francisco.  This was a great conference that brought together many developers and health care tech startups that are looking to revolutionize the way health care is managed throughout the US and the world.

I led an application security workshop where participants where able to setup a virtual testing environment on their laptop and understand critical web application security vulnerabilities through hands-on hacking exercises.  We covered topics such as cross site scripting, access control, cross site request forgery and sql injection.  We had a few minutes left over and even jumped into clickjacking too.

The lab used the OWASP BWA virtual machine and we focused on the OWASP Webgoat security learning software.  My slides are currently built with screenshots using burp proxy, but I'll be updating those soon to switch over to OWASP ZAP Proxy.

The event was fantastic and there was a lot of positive feedback and great questions during and after the workshop.  I'm working with representatives from rock health to identify other ways that OWASP can continue to participate in their developer meetings in the future.

Slides and instructions for setting up the lab are online here.

-Michael Coates - @_mwc