Transform your organization with a Security Champion

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec Institute. Today, we're talking to Jeff Williams, co-founder of the Open-source Web Application Security Project or OWASP. In addition to the now famous top 10 list, OWASP has created the concept of security champions, a concept that has originally started in DevOps but with a wider application throughout organizations.

One of our previous guests, Ty Sbano of Periscope Data, talked to us about security champions within the DevOps framework. Today, Jeff is going to talk with us about the broader concept of security champions and the ways that having a security champion in your company can steer thinking and action toward safer practices.

A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. He is the co-founder and CTO of Contrast Security, a revolutionary application security product that enhances software, with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Williams is also the founder and major contributor to OWASP where he served as the chair of the OWASP Board for eight years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP application security verification standard, XSS Prevention Cheat Sheet, and many other widely adapted free and open projects. Jeff holds a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Jeff, thank you for being with us today.

Jeff Williams: Well, thanks a lot. Thanks for having me.

Chris: Great. Well, thank you. Let's start out by talking a little bit about your security journey. How old were you when you first got interested in tech, computers, and/or security?

Jeff: It was 1983, so I guess I was about 15 or so, and I got a Radio Shack Color Computer. There wasn't so much to do on those things back then. I got a magazine once a month and I put in those programs. But I spent a lot of time reverse engineering the operating system and hacking. I started hacking games, initially. Hacking the copy protection on games was a good hobby for a while and hacking it to get extra men and things like that. I learned assembly language. Those days, it really had 16k of memory. Everything was extremely tight so we had to be super about things. Yeah, that's kind of how I got started.

Chris: Yeah. That's interesting. A lot of people, I think, were happy to just run the code and watch the little man jump up and down or whatever, but you were already thinking about ways that you could sort of work around the sort of existing system.

Jeff: Yeah, for sure. I mean, at the end of the day, it's all just software, so you can make or do whatever you want it to do.

Chris: How did you get into the security industry and how has it changed, do you think, since you started?

Jeff: I set out to be a developer and work on user interfaces. But my first job was at a classified military project and it was a B2 level in the orange book, I don't know if that's familiar to you. But in the late '80s and early '90s, we classified systems by sort of the level of security and B2 is super-high level security. It means that security is formally modeled with mathematical languages and then there's strong traceability from that model to the implementation. We had multi-level security, so we had to keep data separate at confidential, and secret, and top secret, and so on.

I was really attracted to sort of the beauty of that model. It wasn't till later that I figured out that security's a lot more complicated than the model and that's where a lot of issues tend to creep in. But I got into security there and became an expert in it and then that sort of led to my next job, and so on.

Chris: How did you come to found OWASP?

Jeff: That was interesting. In the early 2000s, there was really not much awareness of application security, but we were building web applications. People, they're starting to bet their businesses on these web apps. I started consulting and ... Actually, a part of GE came to the company that I was working at and said, "Hey, we really like your data centers, but we want every line of code reviewed before it goes on the internet." My company fell over themselves to say yes, but they had no idea how to do it. They were looking for somebody who had really strong software background and knew a lot about security. I got the call to go start that program and run it.

I built one of the world's first application security teams to do that work and then we grew a whole bunch of customers inside, this was an exodus communications, if you remember them. During the dot-com boom, we got to look at how people were doing security in all the top properties of that, before the dot-com crash. We grew a great set of services with threat modeling, and architecture review and training, and code review, and penetration testing, and things like that, to help companies try to get it right.

That's kind of what led to the OWASP Top 10. People were working on the Sans Top 20 at that time. When I talked to them about app sec they were like, "Well, yeah, maybe after I finished the 20," and that they would never do that. So, I said, "We really need a top 10 of our own." I drafted the first one and we got it out pretty quickly there. It was an amazing time in app sec.

Chris: You were really kind of in new territory there, like you said, there was the SANS 20, but no one was really thinking about app sec in those sort of complex ways in terms of security then, right?

Jeff: Very few people had the idea of a program around app sec. They did app spec here and there on certain projects, but not any kind of structured program. Coming from my background of very high assurance, I tried to mix some of that into what I brought into this very fast-paced, dynamic web app security world.

Chris: Right.

Jeff: That's still the challenge.

Chris: Yeah. I'm sure that's always the challenge. Speaking of that challenge and the top 10 list, what was the original process of compiling the risks, and has that changed at all? Obviously, it doesn't modify every year, so it's only when you feel like things have sufficiently changed that you need to modify. How did you come to that original 10 list? What data were you using to sort of order it and so forth?

Jeff: Well, at that point, we've been doing app sec services for three or four years for some of the largest companies in the world and we had just our perception of what was important. The first version was really, I wrote down my top 10 and then brought it into work, and we argued about it for a few days, and then wrote it up and put it out there.

Really it's not that complicated. The top vulnerabilities and risks have always been pretty obvious and they haven't really changed in the last 15 years dramatically. It's all basic blocking and tackling kind of stuff. Security today is really messy, people are barely doing what I consider just north of negligent. It's really not good, in fact, it's a failure of OWASP. Right? If we had succeeded ...

My original vision was we'd put the top 10 out there and then we get those under control, help people fix those, and then we'd add, move higher in security. But it's still the same stuff. It's still injection and cross-site scripting. It's the same kind of things, authentication, access control. It's unfortunate, but we're not making progress.

Chris: Why do you think that is? Is it a money issue? Is it a time issue? Is it just a negligence issue, people not being aware?

Jeff: Well, really it's the app sec market is broken. In fact, the software market is broken when it comes to security. I'm sure you bank online somewhere, do you have any idea what security goes into the software that you trust your life savings to?

Chris: I probably should, but I don't.

Jeff: Yeah. It would be nice, wouldn't it? You ought to know that this company, you ought to know how do they do their software development? Do they test their software for security? What tools do they use? Are they using open-source libraries? Are they keeping them up-to-date? Do they penetration test? There's a whole rash of questions that would be interesting and valuable for people to know, but it's all invisible.

In markets where that kind of information is not visible, consumers can't make informed decisions about the kinds of products that they use. That means that sellers would be foolish to invest in those things because consumers can't make decisions on them. You end up with this, the economics term would be a market for lemons where everything in the market is just a lemon because of the asymmetric information between buyers and sellers.

Chris: Do you think that there's anything on your top 10 list, I mean, in your regular appearance that if the entire industry made a concerted effort to snuff this out, that it could be snuffed out the way, that certain diseases can be sort of blanket, immunized against and they eventually go away in 50 years or whatever? Is there anything on the top 10 list that you think is conceivable, that it could eventually go away?

Jeff: Yeah. Almost all of it could go away if we set our mind to it. What's ironic is that it would probably be cheaper to build software that way, because we spend so much time running around and chasing these edge cases and doing things the hard way that there's tons of efficiencies available there.

If people could push software into production without having to slow down for security every time, I mean, think how much more productive they could be, they will be able to innovate faster and do more interesting things. But we're not doing our job in security. It's really a failure of the security industry to make that problem, something that people have latched onto and show them how to do it the right way.

Chris: Earlier this week, I talked to Ty Sbano of Periscope Data about one OWASP created concept, security champions, but specifically as it applies to sort of DevOps and secure coding, which is where I believe the original term was created. But today, I wanted to talk to you a little bit about another definition of security champions with a more universal applicability to business overall, not just coding departments.

We've seen in the last year or two under this definition: a security champion, being someone who works as a sort of security enthusiast for their company, who spends part of their job absorbing the latest security news, finding opportunities to implement new safety measures into the whole company, and so forth. How did this interpretation of the security champions come about? Was this OWASP created?

Jeff: I think it's an interesting question. I mean, I don't really think that OWASP created the concept of the security champion. They may have adopted the name and put up a project for that.

But I think that's something that smart application security projects have been doing for a long time. You start with a small set of experts and you have to have some force multipliers there. On the one hand, you can force multiply with great technology that automates some things in app sec. The other option is to force multiply with security champions, which were maybe not 100% experts, but they're folks that work with developments, sort of the original definition you're talking about.

I think expanding it to the higher level to talk about sort of global security champion is interesting. It's not really the seesaw role, I think the seesaw is more like run the program kind of management kind of role. Whereas, I think of this broader definition as more like a security evangelist or an internal security expert that runs around and inspires people and make sure that the culture is aligned on building secure software.

For me, it's a great role and something that can really help influence culture. But I don't think it's something that OWASP created, I think it's something that a lot of companies are doing. And that's not bad. Even if OWASP latches onto that and writes down "here's what people are really doing" and makes that something that's reproducible by lots of companies, then that's a fantastic role for a lot of us in the ecosystem.

Chris: For someone who is seeing this video and wants to add a Security Champion in this general way to their organization, how do you sort of initiate the process, how do you hire and train someone to be a security champion within your company?

Jeff: Yeah, that's really tricky. It's easy to find people that are interested in security, it's harder to find people that are good at security. Then, to find somebody as good as security and who can also inspire others, which is I think kind of the role, is really tricky.

You need to find those rare people that eat, breathe security, and get other people wound up. They need that reality distortion field where they can get people to see beyond just the work in front of them and understand that this is really critical to the future of the company and, in a larger sense, to the internet and the world.

Chris: You need good communicators, in addition to just sort of well-researched people?

Jeff: Yeah. It's more like connectors though. It's those people that are community builders. It's not just about good talkers because it shouldn't be a one-way conversation, it should be people going around and finding out what people are doing, what struggles they're having, how do we solve those as an enterprise. Getting all the flywheels turn in the same direction is a tricky job. I don't know more than a handful of people in the world that are really good at that.

Chris: What, in your opinion, would be the sort of day-to-day operations of someone who's a security champion? Do they do just security championing? Is there something they do apart from the rest of their job? What is a day in the life look like, I suppose in your opinion?

Jeff: Well, the small definition of security champion, which is I think what the OWASP project has focused on, is people that live with developers, they're probably development team members, and they just have a dotted line responsibility for security. I love that role. It's a great way to advance your career as a developer, say, "Hey, you know what? I'm also going to take on this security responsibility," and then they just become the touch point within each project for security.

That's a great role. I think anybody can do it. Frankly, the stuff in the OWASP top 10 is not complicated, it's basic blocking and tackling. We know about these problems, we've known how to identify them and solve them for over a decade. OWASP top 10 has been around for 16, 15 years now, so that's not hard. The other role I think is really hard. You'd probably be best to focus on the community builder first and worry about how much they know about security later.

Chris: Yeah. You were saying getting people to look past their immediate deadlines, how does the security champion work to carve out that time for people when most jobs are over booked and don't have a minute to spare? How do you get them to sort of think beyond tomorrow's deadline?

Jeff: Yeah. Well, the traditional way to do that is to get people to really understand the risk. Probably you need some actual data about what the risks are in that enterprise. Typically, that involves, you know, let's figure out what applications we have, what libraries we are using, what software are we running? Until you understand that you don't have any idea how big the problem is. Step one is get your arms around the problem, and then get some actual data about, how many vulnerabilities do we have per app, how much money we're spending per year, per app on security?

Look at ways of gathering that data and making a compelling argument. But you don't have to analyze everything, but what if you analyze 5% and extrapolate it and say, "Look, we've got a ton of SQL injection vulnerabilities and when we look at the attack data we are currently being attacked every day with SQL injection attacks."? You can start to build a really compelling case that you're gonna have a serious breach within the next three months, six months, 12 months, whatever. I think that's very compelling.

Then, to respond, I think you need to start to assemble a program. For me, that looks like, at the highest level, you have to understand the threat. First, you have to understand your portfolio, then you have to understand your threat. You have to start to build an enterprise approach to dealing with those threats. I started the ESAPI project at OWASP along these lines, but you should standardize on defenses.

Then, there's the assurance piece, how do you make sure that those defenses are correct, that they're in use in all the right places, that you verified that they're working? All those programs feed together.

Then, the last kind of piece for me is, understanding who's attacking you, what techniques are they using, and what systems are they targeting? When you pull together that threat intelligence right up to your defenses and your assurance data, you can really start to get a compelling picture of what needs to happen next.

For me, that's all app sec is. It's like, let's do the next thing, then solve the next biggest risk, and we'll keep working down that list until we get to a place where we're comfortable.

Chris: Assuming you're at your job, or you're watching this video at your job, and you decide that you want to become your company's security champion, where would you start? How would you make your case of a worthy candidate? Where would you start gathering knowledge? What accomplishments should you highlight, things like that? What should you even learn?

Jeff: Yeah. Well, if we're talking about sort of the development team version of security champion, I think the best place to start is to just stand up and say, "I think we need to do better job on security and I'd like to take a leading role in making that happen." Then, connect to your internal security folks and say, "Hey, I'm here to help you." They're not gonna turn it down, they love that.

You become the point person for security on whatever your project is. Start understanding the vulnerabilities, start figuring out what your defenses are, start helping your team learn, maybe you do some events every month, and you can build a really compelling job out of those responsibilities.

Anyone can do it. You don't have to be an expert. Like I said, app sec is not that difficult to learn. There's a lot of materials out there to help you, a lot of them are at OWASP. OWASP Top 10 is not a bad place to start. I recently wrote a guideline for folks just starting out in security on what to look at in terms of resources and experience, so that might help. That's a post on LinkedIn, I'll send you a link after we talk.

Chris: Great.

Jeff: I think that's very doable. The other role though, if you wanted to be a security evangelist either for your company or also get out in the world a little bit, that's a trickier job. But if you relish the idea of building community and creating knowledge sharing, I think OWASP is a good place to get some experience doing that. You can start a chapter, you can start a project at OWASP. You can also start it within your company. Hopefully, you have some relationships with the security team already, but you want to build connections to the business units, the folks that are building the apps, be that outreach person.

I don't know, holding an event isn't a bad idea, if you've got a big enough company. Maybe you have a security event. I just attended one of those over in Rockville, Maryland here for a very large financial institution. They get everybody together and they say, "Hey, look, we're going to do red team event and a bunch of other security events just to help build awareness and get things going." It's all about getting community started on security. It shows everyone that you, as a company, really care about security.

Chris: This sounds like you could almost conceivably imagine a security champion role, not even be on your development team, not just within your own company, but sort of within your community sort of amongst interconnected, like businesses or government agencies or social organizations things like that, so you're really thinking globally in this particular incarnation.

Jeff: Well, I think if you're going to be effective, then you've got to have a lot of connections to the outside world. It's gonna make you much more effective. If you just try to do it internally, I think you'd be closing yourself off to a lot really great resources.

Chris: As you said, there aren't that many people in the world who can do the sort of general security champion/security evangelist type roles. Have you heard of any cool or interesting case studies of companies that have hired these types of security champions and fundamentally changed how their companies do their security business?

Jeff: Well, I'll tell you one that I think is inspiring is a guy named ... Well, there's a few, even Microsoft has hired a number of folks. In fact, starting in 2002, about the time that OWASP was taking off, they did their trustworthy computing initiative. I think that was a revolutionary project to take Windows from being the platform that everyone reviled as the worst of the worst in terms of security to something that's actually quite compelling. That was a great turnaround and it was a lot because of the people that they had leading that.

But even small companies do this. There's a guy, we started OWASP together, his name is Dinis Cruz. He's one of the leading evangelists for app sec in the world, incredibly vocal, he's done a ton for OWASP and a ton for app sec. But he went to a company that he decided to take the lead on security there. He's been doing some really revolutionary stuff. He's being very open about the way that they do security. He's building it into their culture. Ultimately, the thing is you need somebody who's going to be really able to affect the culture of your organization.

Chris: Like you said, it makes it sound like it's definitely more than a couple hours a week or whatever. I mean, it almost sounds like a complete change of life's purpose almost.

Jeff: Yeah, for sure. I mean, it's not like the risk doesn't justify the position, right?

Chris: Right.

Jeff: Changing your direction from a company that's just barely getting by on app sec and struggling with compliance and just barely doing the minimum to a company that's aligned on security and its importance to the mission, why it's a strategic advantage for you in the market, why it's going to help you innovate and move faster, that transition is worth everything. That's what's going to differentiate you from all the other companies that are never going to really transform themselves into software.

If you've got security on your side, you may make the jump. You might be that next Uber or that next company that turned an industry into software and then dominated it.

Chris: Yes.

Jeff: I talk to companies all the time. They say, "We're not insurance company. We're a software company that sells insurance," "We're not a drug company. We're a software company that sells drugs," and on and on. I mean, those are the companies that get it, they're doing the digital transformations and they are trying to make security part of this.

If you're out there in one of those industries and you don't see the writing on the wall, software really is eating the world and your industry is gonna get devoured. Even industries that people don't even think about, I mean, just a simple example, Blockbuster got eaten by Netflix. I'm sure they didn't see it coming.

Chris: Nope.

Jeff: But there's a ton of industries out there that are still left to go that haven't turned themselves into software, and they're going to and security can be a massive leverage in making that happen.

Chris: Okay. What are the next steps for OWASP? What are some programs and projects that you'll be unveiling in the future to help sort of steer the path of app sec?

Jeff: Yeah. First of all, I'm not associated with OWASP on a day-to-day basis anymore like when I was chair six years ago or something, but they've continued to pursue a program around training and conferences, which I think is cool, it builds some community. The downside is that it's never going to be able to reach enough people. That's my concern, is that they're not really focused on the revolutionary project that's going to really change something.

You look over the last 20 years there have been major changes to the way software is built. Agile came along, that was a huge change; even earlier there was object-oriented programming, massive change; more recently DevOps I think is probably the most transformational movement software. Security app sec hasn't made that jump yet. It's not at the forefront of every developers mind. It's not what they want to do with their day.

We've got to do something big. There's almost 20 million developers in the world and only a tiny fraction of them will ever encounter anything that OWASP ever did, if they're on their current trajectory. OWASP's big goal for this year, or next year? I can't remember. But they set a big goal, it was to have four training events with 500 people each. I was like, "Okay. Well, that's 2,000 people you're gonna touch out of 19 or 20 million in the world. It's not going to make a dent?"

I really believe that they have to get back to the mission. Mission statement at OWASP, which we created in the very early days, was make application security visible so that companies and individuals can make informed decisions about software risk. It comes back to that point I made earlier, when app sec is visible people can make those informed choices, market forces can start working for us instead of working against us.

To me, that's the only way this changes, if we fix the fundamental market failures that are causing software to be acceptable to most people with no assurance.

Chris: Do you want to tell me a little bit about your current projects? You're CTO at Contract Security, is that your return endeavor?

Jeff: Yeah. I actually stepped down from OWASP to found Contrast because we invented a new way of doing application security, a new way of thinking about it. Traditionally, people use scanners and firewalls, whether they're source code scanners or dynamic scanners or web app firewalls. That's how they're trying to protect applications and it's all kind of external to the app itself. What we said is, "Hey, let's take advantage of instrumentation technology to get inside the application that's closer to the data, it's closer to the vulnerabilities, it has much more context for understanding app sec and so we can do a much better job of finding vulnerabilities, protecting against attacks, and making vulnerabilities unexploitable.

We work much more like a new relic or an app dynamics. But not for performance, but for security.

Chris: Well, thank you very much for explaining that. Jeff, thank you for being here.

Jeff: Thanks, it's my pleasure. Thanks for having me.

Chris: Okay. Thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to YouTube and type in InfoSec Institute to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your work day, all of our videos are available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes.

If you'd like to qualify for a free pair of headphones or the class sign up, podcast listeners can go to infosecinstitute.com/podcast for a free offer.

If you'd like to try our free security IQ package, which includes phishing simulators, you can use to fake phish and then educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/securityiq.

Thanks once again to Jeff Williams. Thank you all for watching and listening. We'll speak to you next week.