Patrick Laverty, leader of the Rhode Island chapter of the Open Web Application Security Project, talks to Providence Business News about Web security, OWASP’s new Ocean State chapter and common security problems for businesses.
The group holds monthly meetings on various topics in Web application security, including database hacking, smartphone spying and online encryption.
By day, Patrick is a web programmer at Brown University.
PBN: Can you describe the OWASP program, how many chapters there are, etc.?
LAVERTY: The Open Web Application Security Project is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. There are currently 77 chapters in the U.S., and 180 worldwide.
The way I usually describe the OWASP program is that it is a group focused specifically on Web application security, where everything is free and open-source, no financial commitment is required by anyone. The focus is on the “open.”
PBN: Why did the group decide it was time for a Providence chapter?
LAVERTY: The board of directors responds to requests for chapters. When I became interested in Web application security, I found out about OWASP and saw the group had meetings in Boston once a month. I went up to a few and thought they were great and exactly what I was looking for, but the ride up there after work for a 7 p.m. meeting wasn’t fun.
I started asking around about any kind of Web application security presence in Rhode Island and couldn’t find anything.
I remember one day mentioning to my boss that I wish someone would start having security meetings in Providence and he said “Why not you?” So I did. We had our first meeting in April 2011 and six people showed up.
We’ve been building on that ever since. After about a year and getting a little bit of traction, I decided to apply for an official chapter and it was granted on April 25 of this year. We have our whole speaker list available HERE.
PBN: Who are your meetings targeting and what kind of attendance do you get?
LAVERTY: We target anyone interested in Web application security, whether that is a programmer, Webmaster or computer security expert. Our focus is specific to Web application security, which is different from network security or physical security.
Our attendance has ranged from a low of four, held too close to Christmas, to a high of 32 for a hands-on tutorial of how to break into and then how to properly secure databases.
Our meetings are for anyone along the learning spectrum from the complete beginner to the experts in the field. We do have the experts attend meetings but they are more often the presenter.
The attendees are from all over the area, from many of the local businesses and even some have come down from southern Massachusetts.
PBN: What are the biggest Web security problems you see people dealing with?
LAVERTY: Unfortunately, the biggest problems still seem to be the simplest.
It’s still the same things as it has been for many years. Many of the recent break-ins that we read about are due to mistakes in the code, including not sanitizing the user’s input on Web pages.
This often leads to malicious users being able to break in to otherwise protected databases or add their own code to a site that will then allow for things such as password collection.
However, much of this is because security isn’t often a primary focus. The priority is to get applications done and delivered to the client and often security is an afterthought.
We say that we want to “bake in” the security into Web applications, not try to glue it on later. Baking it in really puts the security into the code’s DNA and is often much stronger.
If we can get management to care as much about security as they do about getting the application delivered and get the programmers properly trained and educated on the needs, we’ll be in a much better place.
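The two code mistakes Laverty points to above (building a database query out of raw user input, and echoing user-supplied text into a page so a visitor’s script runs) are easier to recognise side by side. The following is an added example written for this page, not code from OWASP, the chapter or the interview; it uses an in-memory SQLite table with constructed sample rows, and stores passwords in plain text only to keep the demonstration short.

```python
import html
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, comment TEXT)")
    # Constructed sample data. Real systems store salted password hashes,
    # never the password itself; plain text is used here only for brevity.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct horse", "Looking forward to the next meeting"),
            ("bob", "battery staple", "<script>alert('stolen cookie')</script>"),
        ],
    )
    return conn


def login_unsafe(conn, username, password):
    """The 'not sanitizing the user's input' mistake: the query is text-glued.

    Anything the user types becomes part of the SQL itself, so a crafted
    password can rewrite the WHERE clause and log in without knowing one.
    """
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The 'baked in' version: parameters are bound, never spliced into SQL.

    The database driver treats the values purely as data, so quotes and
    SQL keywords in the input have no effect on the query's structure.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def render_comment_unsafe(comment):
    """Echoes stored text straight into HTML: a saved <script> tag would run
    in every visitor's browser, which is the 'add their own code to a site'
    problem the interview mentions."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """Escapes the text so the browser displays it instead of executing it."""
    return f"<p>{html.escape(comment)}</p>"


def demo():
    """Return the four outcomes so a reader can compare them at a glance."""
    conn = make_db()
    crafted = "x' OR '1'='1"          # constructed input that is not alice's password
    results = {
        "unsafe_login_bypassed": login_unsafe(conn, "alice", crafted),
        "safe_login_rejected": not login_safe(conn, "alice", crafted),
        "safe_login_real_password": login_safe(conn, "alice", "correct horse"),
        "escaped_comment": render_comment_safe(
            conn.execute("SELECT comment FROM users WHERE username='bob'").fetchone()[0]
        ),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fix is not a filter bolted on in front of the vulnerable functions; it is a different way of writing them, which is what “baking in” security means in practice. The same habit applies to every place user input meets an interpreter: the database, the HTML page, the shell, the file system.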
PBN: What advice do you have for business owners regarding software security?
LAVERTY: First, care about it. Put a priority on it.
Security can be a hassle. Be willing to invest in it not just through “stuff” but also through your people.
Studies have shown that fixing security issues later is exponentially more expensive than to have invested the time and resources up front.
Plus, business owners need to focus on all aspects of security from the physical level of protecting their offices and hardware, to the code itself and even being aware of how people themselves can be security problems.
While many of the long-standing methods of hacking still exist, they do take time and effort.
Where hacking a Web site can take a while, it can also be possible to get the same necessary information out of people by simply asking the right questions, and doing the research. So be careful about what you divulge and what you make available.