Security message trapped in "echo chamber", Aussie OWASP board member warns

Software developers are making fewer obvious security mistakes in their coding but the persistence of simple mistakes like SQL injection vulnerabilities shows that many are still failing to take even basic precautions in their coding, the newest member of the board of open-security effort OWASP (Open Web Application Security Project) has warned.

"If your application has an SQL injection bug in 2014, you are negligent," Andrew van der Stock, principal security consultant with Australian security practice Threat Intelligence, told CSO Australia, noting that the vulnerability had been on the top 10 list of developer-generated security issues since 2004.

Van der Stock was elected to the organisation's International Board of Directors this month and – noting that application security design still leaves a lot to be desired 12 years after he started with OWASP – plans to waste no time promoting the need to raise the security bar across the board.

"Our original mission was to work with developers and to try to help them become more secure," he told CSO Australia on news of his new role. "But over the last 5 to 8 years we have become more about software verification. That has resulted in a lot of people still making these basic security errors."

Despite good work all round on the OWASP effort, van der Stock warned that the security community often compromised its opportunity to effect real change by becoming an "echo chamber" in which security practitioners find themselves preaching to the proverbial converted.

"It's a lot easier to work with the security community because they understand what they're talking about," he explained. "But outside, it's much different."

Having worked closely with other OWASP members in the creation of the PCI DSS security standard used to protect sensitive credit-card data, van der Stock said the establishment of such security standards provided an important boost to efforts to raise overall security performance.

WIth bodies such as the World Wide Web Consortium (W3C) and Internet Engineering Task Force (IETF) moving to require security by default in any new protocols, van der Stock said an important hurdle had been crossed – and without it, nothing less than the future of online commerce had potentially been preserved.

The key is for developers to understand just how important security is to consumers that use their products – and how significant an impact this can have on trust if that security is violated.

"These bodies' stakeholders are users, and without trust you cannot do Internet commerce," van der Stock said. "If it is possible to break these protocols, and if it is possible to intercept these communications at a metadata level then that erodes trust. And if people don't trust the Internet, it will reduce the activities that are occurring online."

Van der Stock joins OWASP's international board with a mission "to get back to our original roots", he said, and is keen to improve relationships and collaboration between the many, often isolated communities of interest around the world. Among other things, he hopes to help draw out best practices and use OWASP's strong profile to improve outreach to end users

"We need to make sure that the average person doesn't get caught out," he said. "The best way to do this is through developer and business education. That will stop people doing things like online questions and answers, which are a terrible way of identifying individuals."

"It's up to us to work out a better scheme, and to change common industry practice to be a secure common industry practice."

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Join CSO for the day@#csoperspectives and hear from @kimzetter @frankheidt @simplenomad Register today