The State of OWASP

Michael Coates

Thu, 14th August 2014

Speaker Bio 1:
Michael Coates is the Director of Security Assurance at Mozilla, and serves as chairman of the board of OWASP. Michael holds an M.S. in Computer, Information and Network Security from DePaul University and a B.S. in Computer Science from the University of Illinois.

Michael was featured as one of SC Magazine's 2012 Influential IT security minds, and is a frequent speaker at security events including OWASP conferences in the US and Europe, the Dept. of Homeland Security Assurance Forum, the ENISA Summer School and numerous developer and university events.

Michael is also the creator of OWASP AppSensor, a project to create attack-aware applications that leverage real-time detection and response capabilities.

Learning Objectives:

Michael will explain and outline:

  • An introduction to OWASP.
  • OWASP's mission as an open source organization, present in over 120 countries around the world, of promoting awareness of application security.
  • The free resources and tools available from OWASP, and how to get involved in the community.

Questions and answers

Max, Concise Courses:
@47 minutes: Does OWASP endorse open source Web App Testing Frameworks?

Michael Coates:
OWASP has traditionally stayed away from doing certifications or endorsing other approaches, and the reason is because we don’t want to give a false sense of security to other approaches. We want people to recognize that there are always shades of grey on ‘how to do security’ and there are a variety of different ways to do it, but we never want to say that, ‘this is the one approach’ and the ‘end all and be all’.

Max, Concise Courses:
@48 minutes: Is OWASP’s primary goal now mobile? That’s where we are all heading, especially firming Android.

Michael Coates:
Yes, mobile is definitely interesting because application security is traditionally accessed via desktops, but just because we are changing the underlying platform and the way we access information, that doesn’t change the threats and risks we are facing; it just changes the device in the user’s hands. Now, with any architecture you can have a transition from a thin client to a thick client, which is what you see in mobile, so yes, we will continue being involved in mobile. You’ll see that there are projects that we are working on, like the OWASP Mobile Top Ten, to make sure that we call out what those differences are.

Again, at the same time you see corporations and developers make the incorrect assumptions that have plagued us for years: that age-old mindset that if a user can’t do this, or click this in the user UX, then they can’t do it. That fallacy of thinking has plagued us in web apps for many years and is going to continue to plague us on mobile, so we need to be tackling all the fundamentals and understand what is changing in the mobile space.

Max, Concise Courses:
@49 minutes: What are your thoughts about the IAB (Interactive Advertising Board) being upset about the default Cookie Blocking of Firefox? My take is that it is a bold and welcome move by Mozilla – after all, especially now in the light of the NSA and PRISM Scandal – who likes being followed?

Michael Coates:
Regarding that question, Brendan Eich, CTO of Mozilla, posted recently about what we are doing on cookies. In brief (since this is an item we can cover in more depth in other avenues, and I don’t want to take the [discussion] away from OWASP), we are looking for the best way to fight for users, user choice and user control, and I think our history at Mozilla has shown that.