Friday, March 30, 2007

Reflection on Jeff Williams

This week's reflection needs no introduction. Jeff Williams is one of the major contributors in the webappsec community. He has written many whitepapers, spoken at many conferences including Secure Software Summit, OWASP conferences, ISSA InfoSec Conference, NSA High Confidence Software and Systems Conference (HCSS), JavaOne, National Computer Security Conference (NCSC), etc., written many tools available at OWASP, and also chairs the OWASP Foundation. Jeff Williams has done a lot of work in promoting awareness of web application security.

In his reflection, Jeff shares with us how he got into web application security, his journey with OWASP, and a little bit about his personal life and interests. In his own words:

“I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.

Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.

In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.

Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.

In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.

I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). The idea of a free and open community for application security was an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.

Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.

I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.

One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and starting to contribute back to the mothership. Our conferences have also been a great experience.

I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.

We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.

I have a wonderful wife Jennifer and three kids, Chance (9), Zack (7), and Zoe (1). We live in the woods and spend a lot of time outside with our four Labrador retrievers. I’m very much into sports – I rowed on the crew team at U.Va. and still play basketball three times a week. For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)”

Based out of Ashton, MD, Jeff is 39 years old and is the CEO of Aspect Security. Below are his contributions to the webappsec community:

Articles / Presentations:-

Opening the Black Box: A Source Code Security Analysis Case Study

Application Security Initiatives - The Best Defense Is a Good Offense

Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers -
White paper, The OWASP Foundation

How to Build an HTTP Request Validation Engine for Your J2EE Application -
White paper, The OWASP Foundation

Access Control (aka Authorization) in Your J2EE Application -
White paper, The OWASP Foundation

Trustworthy Java - Are your apps bulletproof? -
White paper, The OWASP Foundation

The Ten Most Critical Web Application Security Vulnerabilities -
White paper, The OWASP Foundation

Security Code Review - the Best Way to Eliminate Vulnerabilities in Software -
White paper, Aspect Security

Can a 'Social Protocol' Help Protect Privacy?

Jini and Mobile Agent Security -
Proceedings of the Workshop on Agent Technologies (AT ‘98)

A Practical Approach to Improving and Communicating Assurance -
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)

A Practical Approach to Measuring Assurance -
Proceedings of the 1998 Security Applications Conference (ACSAC)

System Security Engineering Capability Maturity Model (SSE-CMM) version 2.0 -
Released at the 21st Annual National Information System Security Conference (NISSC)

Just Sick about Security -
Proceedings of the New Security Paradigms Workshop

An Enterprise Assurance Framework -
Proceedings of the 5th Workshop on Enabling Technologies

Pretty Good Assurance -
Proceedings of the New Security Paradigms Workshop

Need for a Framework for Reasoning about Assurance -
Proceedings of the International Workshop on IT Assurance and Trustworthiness (WITAT)

Assurance is an N-Space (Where N is Hopefully Small) -
Proceedings of the International Invitational Workshop on Developmental Assurance

A Capability Maturity Model For Security Engineering -
Proceedings of the 6th Annual Canadian Computer Security Symposium

Unsafe at Any (CPU) Speed: Why We Keep Making the Same Mistakes -
NSA High Confidence Software and Systems Conference

Web Applications: The “Last Mile” of Internet Security -
White paper, Exodus Communications

A Constructionist Approach to Law and Society -
Law and Society Seminar, Georgetown University Law Center

Interpreting Anticircumvention (DMCA) -
Advanced International Copyright Law, Georgetown University Law Center

P3I – Protection Profile Process Improvement -
Proceedings of the 22nd National Information System Security Conference (NISSC)
Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS)

Windows NT Security -
17th Annual National Computer Security Conference (NCSC)

Windows NT Client Security and Windows NTAS Security -
The Local Area Network Security Conference (LANSEC)

Reusing Existing C3I Systems in a Secure Environment -
Proceedings of the Application of COTS and Reusable Components Conference

A Framework for Reasoning about Assurance -
Published by the National Computer Security Center of the NSA
Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS)

Interconnecting MLS Command Centers -
White paper for the Multilevel Security Initiative at Hanscomb AFB

Tools written:-

OWASP WebGoat
I built the first WebGoat back in 1998 as a controller servlet with a few simple lessons on SQL injection, cross-site scripting, and access control. Since then, it’s grown to have dozens of lessons and has been revamped several times. Many people have contributed to the project and it’s still quite active.

OWASP Stinger
Stinger was a simple idea: that every part of every HTTP request should be validated with regular expressions, a mechanism for enforcing a positive security model for validation in an application. It uses a Java “filter” to ensure that all requests are validated and even developers can’t avoid it.

OWASP PDF XSS Attack Filter
This was a one-night project to build a little filter that generates a token to avoid a specific very dangerous flaw in Adobe Reader.


OWASP Secure Software Contract Annex

OWASP Testing Guide (Risk Rating Sections)

OWASP Honeycomb Project (Work in progress)
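The whitelist approach described for Stinger above, as an added example that is not Stinger's own code: a servlet Filter that checks every request parameter against an explicit regular-expression rule and rejects anything unknown or non-matching before it reaches the application. The class name, the rule set and the parameter names are constructed for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Positive (whitelist) request validation filter in the spirit of Stinger:
// every parameter of every request must match an explicit rule, and anything
// unknown or non-matching is rejected before it reaches application code.
public class WhitelistValidationFilter implements Filter {
    // Constructed example rule set (hypothetical): parameter name -> pattern
    // the entire value must match. Parameters with no rule are denied.
    private static final Map<String, Pattern> RULES = new HashMap<String, Pattern>();
    static {
        RULES.put("username", Pattern.compile("^[a-zA-Z0-9_]{3,32}$"));
        RULES.put("accountId", Pattern.compile("^[0-9]{1,10}$"));
        RULES.put("page", Pattern.compile("^(home|orders|profile)$"));
    }

    private ServletContext context;
    public void init(FilterConfig config) { context = config.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String violation = validate(request.getParameterMap());
        if (violation != null) {
            // Default deny: record which rule failed, then stop the request here
            // so no servlet behind the filter ever sees the bad input.
            context.log("Request validation failure on " + request.getRequestURI() + ": " + violation);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns null when every parameter passes, otherwise describes the first failure.
    static String validate(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            Pattern rule = RULES.get(e.getKey());
            if (rule == null) return "unknown parameter '" + e.getKey() + "'";
            for (String value : e.getValue()) {
                if (!rule.matcher(value).matches()) return "parameter '" + e.getKey() + "' rejected";
            }
        }
        return null;
    }
}
```

Mapping the filter to the url-pattern /* in web.xml is what makes the check unavoidable for every servlet behind it, which is the property the Stinger description relies on.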


Companies worked for:-

Aspect Security
Exodus Communications
Arca Systems

Company working for:-

CEO of Aspect Security

Education:-

JD cum laude – Georgetown Law - Cyberlaw and Intellectual Property
MA – George Mason - Human Factors Engineering
BA – University of Virginia - Cognitive Psychology and Computer Science (Specialization in AI)

I am sure we will see a lot more contributions from him going forward. He doesn’t have a blog yet, but you can find most of his work on OWASP.

Next Week – Chris Shiflett

Last Week – Robert Auger
