Security message trapped in "echo chamber", Aussie OWASP board member warns

Software developers are making fewer obvious security mistakes in their coding but the persistence of simple mistakes like SQL injection vulnerabilities shows that many are still failing to take even basic precautions in their coding, the newest member of the board of open-security effort OWASP (Open Web Application Security Project) has warned.

"If your application has an SQL injection bug in 2014, you are negligent," Andrew van der Stock, principal security consultant with Australian security practice Threat Intelligence, told CSO Australia, noting that the vulnerability had been on the top 10 list of developer-generated security issues since 2004.

Van der Stock was elected to the organisation's International Board of Directors this month and – noting that application security design still leaves a lot to be desired 12 years after he started with OWASP – plans to waste no time promoting the need to raise the security bar across the board.

"Our original mission was to work with developers and to try to help them become more secure," he told CSO Australia on news of his new role. "But over the last 5 to 8 years we have become more about software verification. That has resulted in a lot of people still making these basic security errors."

Despite good work all round on the OWASP effort, van der Stock warned that the security community often compromised its opportunity to effect real change by becoming an "echo chamber" in which security practitioners find themselves preaching to the proverbial converted.

"It's a lot easier to work with the security community because they understand what they're talking about," he explained. "But outside, it's much different."

Having worked closely with other OWASP members in the creation of the PCI DSS security standard used to protect sensitive credit-card data, van der Stock said the establishment of such security standards provided an important boost to efforts to raise overall security performance.

With bodies such as the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) moving to require security by default in any new protocols, van der Stock said an important hurdle had been crossed – and with it, nothing less than the future of online commerce had potentially been preserved.

The key is for developers to understand just how important security is to consumers that use their products – and how significant an impact this can have on trust if that security is violated.

"These bodies' stakeholders are users, and without trust you cannot do Internet commerce," van der Stock said. "If it is possible to break these protocols, and if it is possible to intercept these communications at a metadata level then that erodes trust. And if people don't trust the Internet, it will reduce the activities that are occurring online."

Van der Stock joins OWASP's international board with a mission "to get back to our original roots", he said, and is keen to improve relationships and collaboration between the many, often isolated communities of interest around the world. Among other things, he hopes to help draw out best practices and use OWASP's strong profile to improve outreach to end users.

"We need to make sure that the average person doesn't get caught out," he said. "The best way to do this is through developer and business education. That will stop people doing things like online questions and answers, which are a terrible way of identifying individuals."

"It's up to us to work out a better scheme, and to change common industry practice to be a secure common industry practice."

This article is brought to you by Enex TestLab, content directors for CSO Australia.
