OWASP‘s AppSec DC is right around the bend, which means that things are really starting to heat up. Here to tell us what’s going to be hot at this year’s AppSec DC is AppSec organizer Mark Bristow.

Mark was nice enough to do an interview with us to talk about the best AppSec tracks to attend, how you can get involved, and why developers, testers and quality assurance staff will be especially pleased by the presentations and workshops at AppSec this year. 

What is it the most important part of AppSec for you personally?

The most important aspect of AppSec is most definitely the opportunity one has to make a demonstrable impact improving the online safety and security of the public. There are 700 Million internet users in Asia, 74% of people in the united states are internet users, In the last 9 years there has been almost a 1400% increase in internet access in Africa. These users generate billions of transactions via the web, everything from sending an email to grandma to large funds transfers, all of which someone would benefit from intercepting or modifying these transactions. It’s great to know that working in the Application Security field, I am a part of helping to keep these transactions safe.

For those that aren’t already familiar with AppSec, what is it about, and who should attend?

Application security is a field that touches everyone’s lives, whether they are aware of it or not. AppSec DC is OWASP’s premier international event held in North America for 2009 that will bring together everyone from developers, managers, security personnel, Government, and C level executives from around the world to learn and discuss solutions to these challenges.

As for who should attend, Everyone. If you use the web, you can get something out of AppSec DC. Personally however, I’d really like to see more developers in attendance. Developers are critical to closing the loop on application security vulnerabilities as they are the only ones with access to the code! I think outreach to this group is critical and with some education, process and a bit of discipline, traditional IT Security and developers can work together to stamp out the root cause of application security issues. Another key group are the development managers. This year we have been trying to focus on secure development lifecycle tools and maturity models. These are critical to allowing managers to appropriately plan for security in their existing frameworks, and to show them that with proper planning, security does not have to be so expensive.

That said, there will be plenty of great material for “traditional” application security audiences as well.

On that note, you say in the press release for this year’s AppSec that the focus is on “really trying to reach out to developers, testers and quality assurance staff because they are pivotal to solving the root causes of application security problems.” Why do you feel that these people are key when it comes to heading off most application security problems?

When it comes down to it, developers, testers and QA staff are critical to solving the challenges of Web Application Security. You are only going to get as through a security review as the people who are testing/assessing your applications. This is why testers and QA personnel are critical to the success of an Application Security program. When you have people, well trained in Application Security issues performing your application testing and reviewing the application code, you’ll be well positioned to reduce your risk and your vulnerability.

That said, developers are, at the end of the day, the only people who can truly fix a web application security vulnerability. They are the only ones who can touch the codebase and actually make changes. Traditionally developers have not been part of the Application Security conversation, and that is definitely something that needs to change if we want to make headway on these important problems.

As technology continues to expand and people rely more on computers and other technological devices to process and hold personal information, what do you think the biggest challenge will be for those that develop or maintain critical technologies that depend on the web?

One of the quickest ways to monetize a web application attack is to steal Personally Identifiable Information (PII) for the purposes of identity theft, fraudulent credit card transactions, loans etcetera. For most organizations, keeping this information secure is of the highest priority. In order to adequately protect PII web developers must ensure that the traditional Web Application Security vulnerabilities such as SQL injection, Cross Site Scripting and others from the OWASP TOP 10 are detected and remediated early on in the development lifecycle. When this foundation is laid for the technical vulnerabilities, privilege escalation and information leakage testing needs to be preformed on the application to ensure that a user can’t misuse their access to the application to steal this data. There is no one solution to solving this issue but having a mature Security Development Life Cycle, well trained developers, skilled application security professionals and a variety of tools at hand are a must.

Why do you think there is currently a lack of knowledge in the general security community when it comes to application security? How does AppSec address this?

If this were 2003 or even 2005 I’d absolutely agree that there was a lack of knowledge in the general security community about application security. However, due to the outreach programs of OWASP and other organizations like WASC this knowledge gap is steadily shrinking. More security professionals are at least aware of the challenges in the Web Application space and are cognizant of where to find resources to fix them. The biggest education challenge that we face in the AppSec space today is with developers. Many developers out there are simply unaware or only vaguely aware of these issues. It is via developer programming templates, habits and developer focused tools that we can best bridge the gap in knowledge. In kind, development managers are frequently less informed than their development staff. This results in inadequate time and budgets being afforded to secure development practices. It is only through developer training and management support that we will solve the challenges in the AppSec space. At AppSecDC we have several tracks (Tools, Attack/Defend, SDLC) that will help developers learn technical defenses to AppSec issues. For managers we have three tracks (Process, Metrics, and SDLC) that will demonstrate the value of an Application Security program as well as how to effectively implement such a program with as minimal an impact as possible.

In the press release for this year’s AppSec you mention the secure development track, saying that it is specifically designed for developers, testers, and quality assurance staff. What can attendees expect from the secure development track?

The SDLC or Secure Development Life Cycle track will have something for each of these core groups. The first talk, Development Issues Within AJAX Applications: How to Divert Threats by Lars Ewe will be a boon for developers who are struggling with implementing security countermeasures in AJAX applications. Fpr QA staff Darren Challey’s talk Enterprise Application Security – GE’s approach to solving root cause is a can’t miss. He’s going to be describing GE’s lessons for establishing a “holistic application security program that seeks to detect, correct and prevent security defects throughout the application lifecycle”. Managers at AppSecDC are going to have a veritable cornucopia of presentations to attend. Dan Cornell’s Vulnerability Management in an Application Security World and the SDLC Panel will be two presentations that a manager trying to set up or run an application security program shouldn’t miss.

And lastly, is AppSec still looking for volunteers? If so, what do you need the most help with, and how should people go about getting involved?

The most important characteristic we’re looking for in our volunteers is dedication and the ability to follow-through. We have a bunch of areas that we still need help in from Security, to Registration to Speaker liaisons. We have an opportunity for anyone willing to participate. If your interested, just mail info[at]appsecdc.org and one of the organizers will get back to you!

Mark’s Bio: Mr. Bristow is a Senior Security Engineer for Securicon, LLC where he performs penetration testing, vulnerability analysis, and compliance auditing services for Securicon’s federal and private sector consulting business for a variety of critical infrastructure and commercial and government clients.  Mark is an active member of the Open Web Application Security Project as a Global Conference Committee member, Washington DC Chapter leader and an OWASP AppSecDC 2009 conference organizer.  Prior to working for Securicon Mr. Bristow worked as a Information Assurance engineer at SRA international where he provided strategic application security consulting services as well as conducting vulnerability assessments and certification and accreditation support activities for a variety of government clients.  Mark has a bachelor’s degree in computer engineering from The Pennsylvania State University.

o o o o o

A special thanks to Mark, Doug Wilson, and Rex Booth for agreeing to interview with us. Also be sure to check out the interviews we did with Doug and Rex.

Where do you want to be this week? Now you’ll always know with our “Where You Want to Be This Week” feature, which will tell you about infosec meetups happening in your local area as of Sunday night.

• Monday – HacDC Infosec Meetup Monday, 09-28: Microcontroller Mondays (Washington, DC)
• Tuesday – Baltimore Node Meetup Tuesday, 09-29: Normal Meeting (Baltimore, MD)
• Wednesday – CapSecDC Infosec Meetup Event – Wednesday, 09-30: Normal Meeting (Washington, DC)
• Wednesday – InfraGard IMMA Infosec Meetup Event – Wednesday, 09-30: State of Maryland Homeland Security Department (Annapolis Junction, MD)
• Thursday – DojoSec Infosec Meetup Event – Thursday, 10-01: TBD (Laurel, MD)
• Friday – 2600 Group – Baltimore Infosec Meetup Event – Friday, 10-02: Normal Meeting (Baltimore, MD)
• Friday – 2600 Group – Arlington Infosec Meetup Event – Friday, 10-02: Normal Meeting (Arlington, VA)

Be sure to subscribe to our RSS Feed to be alerted about any last-minute events, or to receive updates on the events listed above.

Check out our Calendar for more upcoming events, and follow us @grecs if you’re interested in hearing more security-related babble.

The first Friday of October is coming up fast, which means that it’s time for the 2600 Group – Arlington meetup.

A laid-back group of local security professionals, the Arlington chapter of the 2600 Group offers a great chance for you to hang out with some of your peers and chat about what’s going on in the field.

To learn more about this meetup, continue reading below.

• Who: 2600 Group – Arlington
• What: Normal Meeting
• When: 10-02, 6:00 PM EST
• Where: Pentagon City Mall (1100 South Hayes Street; Arlington, VA 22202; in the food court near Panda Express)

For those of you who live or work in the Baltimore area, the 2600 Group – Baltimore meetup on October 2nd might be something you’d like to check out.

Taking place on the first Friday of every month, the 2600 Group – Baltimore meetups allow you to hang out with other professionals in the security field without the formality of traditional security meetups.

If you’d like to learn more about the 2600 Group – Baltimore meetup on October 2nd, continue reading below.

• Who: 2600 Group – Baltimore
• What: Normal Meeting
• When: 10-02, 6:00 PM EST
• Where: Barnes & Noble, Inner Harbor (601 East Pratt Street; Baltimore, MD 21202; in the cafe area)

For more information on the 2600 Group – Baltimore, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area.

o o o o o

Be our guest—guest blogger, that is. Contact us to learn how you can get your ideas on NovaInfosecportal.

With less than two months to go until AppSec DC is here, AppSec organizer and OWASP chapter lead and international committee member Rex Booth was nice enough to do an interview with us about all things AppSec.

In this interview, Rex tells us who should attend AppSec this year, why he got involved with AppSec in the first place, and why application security is one of the most important areas of the security field.

Why did you originally get involved in AppSec, and how have you seen AppSec grow since you first got involved?

Following undergrad, I immediately started working as a web application developer.  In college, I had a professor who had the foresight to emphasize the importance of security within applications, and I took it to heart – first as a developer and later as a consultant.  In the years since I started professionally, AppSec has matured and grown significantly to the point where the field is almost becoming crowded – which is a great thing – but we still haven’t fully penetrated the most important market: developers.

In your own words, what is the theme of AppSec this year, and which part of AppSec are you looking forward to the most?

From an OWASP perspective, I think the theme could easily be maturity; meaning that as an organization, we’re growing numerically, we’re growing in terms of recognition, and our products – our tools, documentation, and methodologies – have truly come into their own.  Personally, I’m looking forward to November 14th, the day after the conference, when I can look back and admire the completion of a successful event that brought together so many talented people under one roof.

For those that aren’t already familiar with AppSec, who should attend, and which tracks would you recommend for those that don’t have a technical background?

In an ideal world, everybody would attend, since application security is the responsibility of everybody from the end user, to the developer, to executive leadership. I think the ultimately unsatisfying answer is that it depends on your background and your role in your organization.  As a manager, I’d personally probably gravitate to the SDLC and Compliance tracks, but we’ve received so many quality presentations, I think each individual will have to make some tough decisions on what to attend.

On that note, this year’s AppSec will hold hands-on training before the conference; what kind of training will be offered, and how does it tie into the conference as a whole?

We’re fortunate to offer a wide variety of training from very qualified firms and individuals.  Our training selection will cover topics ranging from hands-on testing to threat modeling to secure development.  These trainings also include various technologies, so if you focus on Java or .Net or PHP, we have classes that focus on those technologies.  We made a concerted effort to provide training that reflects the diverse audience we expect at the conference; security professionals, developers, managers and everyone in-between – there’s truly something for everyone.

The goal of OWASP is to make application security more visible; why do you feel that application security is one of the most important areas of the security field?

Other facets of security have become something of a science over time.  Application security very much remains an art.  Accordingly, we as a community and as individual users aren’t able to apply a patch or deploy a device and call it a day.  We have to remain vigilant and continue to actively seek and develop advances in our field.  It’s not that application security is inherently more important than other aspects of security – it’s that application security is currently the weakest link in the chain and needs the most attention.

AppSec is still looking for volunteers; what kind of people are you looking for, and what kind of time commitment should they be able to give?

The most important characteristic we’re looking for in our volunteers is dedication and the ability to follow-through.  Even if you only have 10 hours to give, we likely have an opportunity for you to participate.

Lastly, if people walk away with only one thing from AppSec this year, what do you hope it is?

I hope that everyone who attends walks away feeling that they, as individuals, as professionals, and as members of our community, can make a difference in application security.

Rex’s Bio: Rex Booth is a Senior Manager with Grant Thornton’s Global Public Sector practice in Alexandria, VA.  He has over nine years of professional experience in application development and information security services for government agencies, private industry, and financial institutions.  During his tenure at previous employers, he designed and developed complex distributed web-based applications.  As a member of a managed security services team, he co-architected and implemented a scalable information detection and prevention information aggregation solution for use in a real-time 24/7 information security monitoring system, correlating and reporting on hundreds of devices.  Since joining Grant Thornton, Rex has managed and assisted with multiple information security and risk management engagements auditing IT system controls including FISMA, IV&V, SOX, and OMB A-123 engagements as well as identity management and system certification and accreditation efforts.  Rex has presented on the topic of information security and assessment methodologies to various institutions and is currently a chapter lead and international committee member for the Open Web Application Security Project (OWASP).

o o o o o

A special thanks to Rex, Doug Wilson, and Mark Bristow for agreeing to interview with us. Doug’s interview is already available, and Mark’s interview will be published soon, so keep an eye out!

Looking for a low-key way to connect with local security professionals? If so, the CapSecDC meetup this upcoming Wednesday, September 30th, might be just the meetup for you.

An informal event where you can meet other security professionals without the pressure of traditional security meetups, the CapSecDC meetup is accessible by car and by metro.

For those of you who have attended CapSecDC in the past, note the earlier meeting time; it is now starting at 5pm instead of 7pm.

If you’d like to learn more about the CapSecDC meetup, continue reading below.

• Who: CapSecDC
• What: Normal Meeting
• When: 09-30, 5:00 PM EST
• Where: Stetson’s Famous Bar & Grill (1610 U St NW; Washington, DC 20009)

For more information on CapSecDC, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information about this meetup.

o o o o o

If you’re unable to make it to CapSecDC, why not check out some of the other great infosec meetup groups in the area?

Open to the public, HacDC will be hosting their usual “Microcontroller Mondays” meetup this upcoming Monday, September 28th.

HacDC ecourages people to stop by with their microcontroller project to either “learn, teach or just hang out with other microcontroller enthusiasts.”

If this sounds like a meetup you’d be interested in attending, continue reading below.

• Who: HacDC
• What: “Microcontroller Mondays”
• When: 09-28, 7:00 – 8:00 PM EST
• Where: HacDC (1525 Newton St NW, Washington DC 20010; near the corner of 16th and Newton NW)

For more information about HacDC, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area.

o o o o o

Get your own Microcontroller Kit if you don’t have one already.

Recently moved into what they call the “the Load Of Fun building,” Baltimore Node has its weekly meetings on Tuesdays at 7:30pm.

These meetings take place at the Load of Fun building (also known as a hackerspace), and are for members or prospective members only.

While the membership fee to belong to Baltimore Node is currently $50 per month, they do their best to work with those that are unable to pay the full amount. You can read more about that here.

For additional details about the weekly Baltimore Node meeting, continue reading below.

• Who: Baltimore Node
• What: Normal Meeting
• When: 09-29, 7:30 PM EST
• Where: The Load of Fun Building (120 W North Ave Baltimore, MD 21201)

For more information about Baltimore Node, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Check out the Baltimore Node page for even more hacker goodness.

o o o o o

Be our guest—guest blogger, that is. Contact us to learn how you can get your ideas on NovaInfosecportal.

If you haven’t had a chance to already, be sure to check out the CharmSec meetup this upcoming Thursday, September 24th.

Taking place over dinner and drinks, the CharmSec meetups are a relaxed way to meet local security professionals.

If you’d like more details about this meetup, continue reading below.

• Who: CharmSec
• What: Normal Meeting
• When: 09-24, 7:00 PM EST
• Where: Slainte (1700 Thames St. Baltimore, MD 21231)

For more information on CharmSec, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Also be sure to check out the CharmSec meetup page.

o o o o o

Be our guest—guest blogger, that is. Contact us to learn how you can get your ideas on NovaInfosecportal.

The location of the OWASP – VA meetup for today, September 17th, has changed. Check out the full details below.

• Who: Erik Klein of Fortify Software and Eric Dalci of Cigital
• What: Fortify 360 
• When: 09-17, 6:00 – 9:00 PM EST
• Where: (22260 Pacific blvd, Sterling, VA. 20166)