AppSec EU Open Web Application Security Project (OWASP) chairman Martin Knobloch wants security people and businesses to give developers respect and love rather than slating their work.
The affable and knowledgeable German also wants to refocus the industry to talking about risk – a concept already embraced in other areas, such as insurance – instead of being fixated on exploits and vulnerabilities.
OWASP's list of top 10 web vulnerabilities has been both a blessing and a curse, Knobloch told El Reg. It was a blessing when credit card compliance organisation PCI picked it up, and recommended it as a guide for secure coding for websites, because it gave OWASP a higher profile. The curse was when it started to be abused as a simple checklist, he said.
Published in 2003 and regularly updated, the list aims to raise awareness of common website application security blunders – the kind of mistakes people make when they're inexperienced, or don't know better. It's a list of security weaknesses you should be aware of when writing your own code, or auditing others'. SQL injection bugs and cross-site scripting vulnerabilities regularly come top, and there's no sign of that changing.
What's wrong with using OWASP's Top 10 as a checklist, we asked. Knobloch said it should be used to understand how to write good code in the first place, not as a tick-box exercise after the source is written out and ready to roll. "A guide on how to validate is not a guide on how to build in security," he said. "You need to make security explicit."
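To make the distinction concrete, here is an added illustration that is not from the article or from OWASP: the two Top 10 regulars named above, SQL injection and cross-site scripting, shown first as the blunder and then with the security built into the code itself rather than bolted on by a later validation pass. The database, table and sample users are constructed for the demonstration, and the function names are our own.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_unsafe(conn, name):
    """The blunder: the caller's input is pasted into the SQL text, so the
    database cannot tell data from query. Kept only as the 'before' case."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, name):
    """Security built in: a parameterized query sends the input as a bound
    value, so it is compared as data whatever characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def render_greeting(name):
    """Output encoding for the HTML context: escape before interpolating, so
    a name containing markup is displayed as text rather than parsed as tags."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def compare(name):
    """Run both lookups against a fresh database on the same input and return
    (unsafe_result, safe_result) so the difference is visible side by side."""
    conn = make_db()
    try:
        unsafe = lookup_user_unsafe(conn, name)
    except sqlite3.Error as exc:
        # A quote in a perfectly legitimate name already breaks the unsafe query.
        unsafe = exc
    safe = lookup_user_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for sample in ["alice", "O'Brien", "x' OR '1'='1"]:
        unsafe, safe = compare(sample)
        print(f"{sample!r}: unsafe -> {unsafe!r}, safe -> {safe!r}")
    print(render_greeting("<script>alert(1)</script>"))
```

The point of the side-by-side is Knobloch's: no input-validation checklist applied after the fact makes the first lookup safe, because its structure lets data become query text; the second lookup is safe by construction, and the HTML escaping is explicit at the point where text meets markup.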
Meanwhile, OWASP, a nonprofit, is pushing the development of its security knowledge framework. The OWASP Software Assurance Maturity Model covers governance, compliance, development and how to maintain software. Version 1.5 has been released, and 2.0 is nearing completion, according to Knobloch.
In the past, talking up threats of elite hackers coming to get you, and spreading fear, uncertainty and doubt, has been the way to sell security software. In effect, vendors tell IT executives and admins that their developers can't be trusted to write secure code, and that's why a business needs their network defense products.
OWASP chairman Martin Knobloch at AppSec Europe
"It's the wrong approach," Knobloch said. "It's like going up to a parent and saying that their child is ugly and then expecting to have a conversation."
Software developers need to be respected and even loved for the work they do by their management, we're told. The attitude that programmers are "too slow" and "too expensive" so we should outsource the whole process of secure coding to outside products and teams needs to shift, said Knobloch.
What's required instead is building up knowledge about how to write secure software at an early stage, while future developers are still at universities and colleges. OWASP is working with educators to develop training materials. ®