Reflection on Jeff Williams
In his reflection, Jeff shares with us how he got into web application security, his journey with OWASP, and a little bit about his personal life and interests. In his own words:
“I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.
Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security-relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.
In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.
Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.
In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.
I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). The idea of a free and open community for application security was an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.
Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.
I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.
One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and starting to contribute back to the mothership. Our conferences have also been a great experience.
I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.
We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.
I have a wonderful wife Jennifer and three kids, Chance (9), Zack (7), and Zoe (1). We live in the woods and spend a lot of time outside with our four Labrador retrievers. I’m very much into sports – I rowed on the crew team at U.Va. and still play basketball three times a week. For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)”
Based out of Ashton, MD, Jeff is 39 years old and is the CEO of Aspect Security. Below are his contributions to the webappsec community:
Articles / Presentations:-
Opening the Black Box: A Source Code Security Analysis Case Study
http://www.aspectsecurity.com/documents/Aspect_Opening_Black_Box.doc
Application Security Initiatives - The Best Defense Is a Good Offense
http://www.aspectsecurity.com/documents/Application_Security_Initiatives.htm
Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/sscl.htm
How to Build an HTTP Request Validation Engine for Your J2EE Application -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/bld_HTTP_req_val_engine.htm
Access Control (aka Authorization) in Your J2EE Application -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/access_control.htm
Trustworthy Java - Are your apps bulletproof? -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/article/trust_java.htm
The Ten Most Critical Web Application Security Vulnerabilities -
White paper, The OWASP Foundation
http://www.aspectsecurity.com/owasp.htm
Security Code Review - The Best Way to Eliminate Vulnerabilities in Software -
White paper, Aspect Security
http://www.aspectsecurity.com/documents/AspectCodeReviewWhitePaper.pdf
Can a 'Social Protocol' Help Protect Privacy?
http://www.aspectsecurity.com/documents/p3p.pdf
Jini and Mobile Agent Security -
Proceedings of the Workshop on Agent Technologies (AT ‘98)
http://www.aspectsecurity.com/documents/jini.pdf
A Practical Approach to Improving and Communicating Assurance -
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)
http://www.aspectsecurity.com/documents/Arguing.pdf
A Practical Approach to Measuring Assurance -
Proceedings of the 1998 Security Applications Conference (ACSAC)
http://www.aspectsecurity.com/documents/Measuring.pdf
System Security Engineering Capability Maturity Model (SSE-CMM) version 2.0 -
Released at the 21st Annual National Information System Security Conference (NISSC)
http://www.aspectsecurity.com/documents/SSECMMv2Final.pdf
Just Sick about Security -
Proceedings of the New Security Paradigms Workshop
http://www.aspectsecurity.com/documents/Sick.pdf
An Enterprise Assurance Framework -
Proceedings of the 5th Workshop on Enabling Technologies
http://www.aspectsecurity.com/documents/WetIce.pdf
Pretty Good Assurance -
Proceedings of the New Security Paradigms Workshop
http://www.aspectsecurity.com/documents/Pretty.pdf
Need for a Framework for Reasoning about Assurance -
Proceedings of the International Workshop on IT Assurance and Trustworthiness (WITAT)
http://www.aspectsecurity.com/documents/Need.pdf
Assurance is an N-Space (Where N is Hopefully Small) -
Proceedings of the International Invitational Workshop on Developmental Assurance
http://www.aspectsecurity.com/documents/Nspace.pdf
A Capability Maturity Model For Security Engineering -
Proceedings of the 6th Annual Canadian Computer Security Symposium
http://www.aspectsecurity.com/documents/CITSS94.doc
Unsafe at Any (CPU) Speed: Why We Keep Making the Same Mistakes -
NSA High Confidence Software and Systems Conference
Web Applications: The “Last Mile” of Internet Security -
White paper, Exodus Communications
A Constructionist Approach to Law and Society -
Law and Society Seminar, Georgetown University Law Center
Interpreting Anticircumvention (DMCA) -
Advanced International Copyright Law, Georgetown University Law Center
P3I – Protection Profile Process Improvement -
Proceedings of the 22nd National Information System Security Conference (NISSC)
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)
Windows NT Security -
17th Annual National Computer Security Conference (NCSC)
Windows NT Client Security and Windows NTAS Security -
The Local Area Network Security Conference (LANSEC)
Reusing Existing C3I Systems in a Secure Environment -
Proceedings of the Application of COTS and Reusable Components Conference
A Framework for Reasoning about Assurance -
Published by the National Computer Security Center of the NSA
Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS)
Interconnecting MLS Command Centers -
White paper for the Multilevel Security Initiative at Hanscomb AFB
Tools written:-
OWASP WebGoat
http://www.owasp.org/webgoat
I built the first WebGoat back in 1998 as a controller servlet with a few simple lessons on SQL injection, cross-site scripting, and access control. Since then, it’s grown to have dozens of lessons and has been revamped several times. Many people have contributed to the project and it’s still quite active.
OWASP Stinger
http://www.owasp.org/stinger
Stinger was a simple idea: every part of every HTTP request should be validated with regular expressions, a mechanism for enforcing a positive security model for validation in an application. It uses a Java “filter” to ensure that all requests are validated and even developers can’t avoid it.
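The positive security model described above, as an added illustration that is not Stinger's own code: every expected request parameter gets an allowlist regular expression, and anything the rule set does not declare, or that does not fully match its pattern, is rejected. The class and method names (`RequestRuleSet`, `require`, `optional`, `validate`) and the rule syntax are assumptions made for this example; the parameter map is shaped like `HttpServletRequest.getParameterMap()` so that the same logic can sit behind a servlet filter, but the example runs on plain JDK without a container.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not Stinger's code): a positive-security-model validator for
 * HTTP request parameters. A request passes only if every parameter present is
 * declared in the rule set and every value fully matches its allowlist regex.
 */
public final class RequestRuleSet {

    /** One rule: the allowed pattern for a named parameter and whether it must be present. */
    private static final class Rule {
        final Pattern pattern;
        final boolean required;

        Rule(String regex, boolean required) {
            // matcher().matches() demands a full-string match, so the regex is
            // implicitly anchored: partial matches cannot slip through.
            this.pattern = Pattern.compile(regex);
            this.required = required;
        }
    }

    private final Map<String, Rule> rules = new HashMap<>();

    public RequestRuleSet require(String name, String regex) {
        rules.put(name, new Rule(regex, true));
        return this;
    }

    public RequestRuleSet optional(String name, String regex) {
        rules.put(name, new Rule(regex, false));
        return this;
    }

    /**
     * Validates a parameter map shaped like HttpServletRequest.getParameterMap().
     * Returns the list of violations; an empty list means the request is acceptable.
     */
    public List<String> validate(Map<String, String[]> params) {
        List<String> violations = new ArrayList<>();

        // 1. Positive model: any parameter the rule set does not know about is rejected.
        for (String name : params.keySet()) {
            if (!rules.containsKey(name)) {
                violations.add("unexpected parameter: " + name);
            }
        }

        // 2. Every declared rule is checked against the supplied value(s).
        for (Map.Entry<String, Rule> entry : rules.entrySet()) {
            String name = entry.getKey();
            Rule rule = entry.getValue();
            String[] values = params.get(name);
            if (values == null || values.length == 0) {
                if (rule.required) {
                    violations.add("missing required parameter: " + name);
                }
                continue;
            }
            // Repeated parameters are a common way to confuse per-field checks,
            // so this rule set accepts exactly one value per name.
            if (values.length != 1) {
                violations.add("multiple values for parameter: " + name);
                continue;
            }
            if (!rule.pattern.matcher(values[0]).matches()) {
                violations.add("value of " + name + " does not match its allowlist");
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        RequestRuleSet login = new RequestRuleSet()
            .require("username", "[A-Za-z0-9_]{3,32}")
            .require("password", "[\\x20-\\x7E]{8,128}")   // printable ASCII, 8..128 chars
            .optional("remember", "true|false");

        // Constructed sample requests for the demonstration, not captured traffic.
        Map<String, String[]> good = new HashMap<>();
        good.put("username", new String[] {"jeff_w"});
        good.put("password", new String[] {"correct horse battery"});

        Map<String, String[]> bad = new HashMap<>();
        bad.put("username", new String[] {"jeff<b>"});   // metacharacters fail the allowlist
        bad.put("password", new String[] {"p"});         // too short
        bad.put("debug", new String[] {"1"});            // never declared, so rejected outright

        System.out.println("good request -> " + login.validate(good));
        System.out.println("bad request  -> " + login.validate(bad));
    }
}
```

To get the "developers can't avoid it" property the text describes, the validator would be invoked from a `javax.servlet.Filter` mapped to every URL, calling `validate(request.getParameterMap())` in `doFilter` and returning an error response instead of passing the request down the chain when the list is non-empty; that wiring is left out here so the example compiles and runs with only the JDK.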
OWASP PDF XSS Attack Filter
https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE
This was a one-night project to build a little filter that generates a token to avoid a specific very dangerous flaw in Adobe Reader.
Contributions:-
OWASP Top Ten
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
OWASP Secure Software Contract Annex
http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
OWASP Testing Guide (Risk Rating Sections)
http://www.owasp.org/index.php/How_to_value_the_real_risk
OWASP Honeycomb Project (Work in progress)
http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project
Website:-
http://www.aspectsecurity.com
http://www.owasp.org
Memberships:-
OWASP Chair
Companies worked for:-
Aspect Security
Exodus Communications
Arca Systems
TRW
MITRE
Company working for:-
CEO of Aspect Security
Education:-
JD cum laude – Georgetown Law - Cyberlaw and Intellectual Property
MA – George Mason - Human Factors Engineering
BA – University of Virginia - Cognitive Psychology and Computer Science (Specialization in AI)
I am sure we will see a lot more contribution from him going forward. Though he doesn’t have a blog yet, you can find most of his work on OWASP.
Next Week – Chris Shiflett
Last Week – Robert Auger