Building Security into Application Development

Web Application Security Mini Conference

28th February 2012, 4 – 8 pm

Adrian Winckles, Senior Lecturer in Computer Science

Department of Computing & Technology

Anglia Ruskin University

Dinis Cruz, Fabio Cerullo & Colin Watson

Open Web Application Security Project (OWASP)


Agenda

  • 4.30pm – 4.45pm Welcome and introductions, Adrian Winckles, Senior Lecturer, Information Security
  • 4.45pm – 5.15pm Dinis Cruz, Introduction to OWASP and Application Security, O2 Project Framework
  • 5.15pm – 5.30pm Comfort Break
  • 5.30pm – 6.30pm Fabio Cerullo, Open Software Assurance Maturity Model and Enterprise Security API
  • 6.30pm - 7.00pm Colin Watson, AppSensor Project – Intrusion Detection
  • 7.00pm – 8.00pm Informal drinks/refreshments and networking


Notices

  • Fire Exits/Fire Alarms
  • Refreshments are in LAB006 at 7pm.
  • Please sign the register just outside the main door.
  • Literature for both the Department & OWASP is available on the way in.
  • For those interested in becoming involved in a local OWASP Chapter & Security Group, please complete your details on the forms on the table as you came in.
  • For those interested in becoming involved in a Student Information Security Society, please complete your details on the forms on the table as you came in.


Myself

  • Adrian Winckles MSc CEng CITP MBCS
    • Senior Lecturer in Computer Science
    • (Forensic Computing & Information Security)
    • Department of Computing & Technology,
    • Anglia Ruskin University

  • Email: A.Winckles@anglia.ac.uk
  • Phone: 0845 196 2440


Guest Speakers

  • Dinis Cruz:

    • Leader of 'OWASP O2 Platform' project at OWASP
    • OWASP Board Member, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee
    • Security Consultant based in London (UK), specialising in ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development.
    • Active trainer on .NET security, having written and delivered courses for Ounce Labs, IOActive, Foundstone, Intense School and KPMG.


Guest Speakers (continued)

  • Fabio Cerullo:

    • Information Security Specialist at AIB Bank (Dublin, Ireland), specialising in assessing the security of web applications developed internally or purchased from third parties and defining policies and standards on secure coding, as well as providing training on web application security to developers, auditors, executives and security professionals.
    • Member of the OWASP Global Education Committee, whose mission is to provide training and educational services to businesses, governments and educational institutions on application security.
    • Coordinates international conferences on application security and, since early 2010, has been chairman of the OWASP Chapter in Ireland.
    • Granted the CISSP certificate by (ISC)² in 2006.


Guest Speakers (continued)

  • Colin Watson:

    • Technical Director for Watson Hall Ltd, an application security consultancy providing services such as application defence, web application risk management, secure software development lifecycle, and online and web project security & privacy policies.
    • Author of a technical blog aimed at website designers, developers and owners, called Web Security, Usability and Design; tweets occasionally as Clerkendweller.
    • Global Industry Committee Member for the OWASP Foundation.


Aims/Objectives

  • First of many such events to promote the importance of all aspects of information security with web developers, IT professionals and students.
  • Establishment of a professional networking group affiliated as an OWASP Chapter for East Anglia & Cambridge for Application Security.
  • Establishment of a local student society focusing on both application & information security with an emphasis on helping to determine the skills and attributes that employers need from graduates in this key area.


The Problem

  • Tackling today's security challenges now goes far beyond the “we’ve got a firewall connected to the Internet so we’re covered” fallacy. Increasingly, the most critical areas of vulnerability and weakness are the web application server and client.
  • Protecting corporate and personal data has never been more crucial, given the increasing trend towards mandatory public disclosure of “lost” data and the ever-increasing loss of reputation, regulatory penalties and litigation from victims.
  • Developing secure code is the most effective method of securing an organisation’s web applications; it results in a more stable and robust application and helps protect the organisation’s brand.
  • However, the ability to develop such code takes additional skill and know-how, which traditionally has not formed part of many computer science curricula and which most organisations have not focused on.


To put things in a little focus…

  • In an article published by SearchSecurity.co.uk

  • “Web application vulnerabilities indicate security is losing ground” by Ron Condon, UK Bureau Chief, Context Information Security

  • A survey of almost 600 custom-built Web applications revealed developers are still failing to eliminate the most commonly exploited vulnerabilities from their code, allowing attacks such as SQL injection and cross-site scripting (XSS) to occur.

  • Based on web application vulnerability statistics released earlier this month by London-based security services provider Context Information Security.

  • The firm carried out penetration tests against Web applications for mainly UK organisations in both the public and private sector during 2011. It conducted a similar analysis in 2010, and said the 2011 figures show the problem of Web application security is getting worse.

Condon, R. (2012), “Web application vulnerabilities indicate security is losing ground”, SearchSecurity.co.uk. Available from:

http://searchsecurity.techtarget.co.uk/news/2240114927/Web-application-vulnerability-statistics-show-security-losing-ground?asrc=EM_NLN_16422623&track=NL-988&ad=861920&

[Cited on 27th February 2012]


OWASP - Open Web Application Security Project

  • The solution would seem to involve educating developers to use a variety of structured approaches in conjunction with a formal software development life cycle.
  • OWASP (Open Web Application Security Project):
    • a not-for-profit worldwide charitable organisation focused on improving the security of application software;
    • its mission is to make application security visible, so that people and organisations can make informed decisions about true application security risks.


OWASP Top 10

  • Historically the best known of OWASP's project outputs.
  • Some copies available on the way in…


Solutions?

  • A selection of OWASP’s latest projects and methodologies are being presented during the session tonight…