Dinis Cruz is not only an outstanding drummer: he is also an active OWASP contributor.
He is focused on creating Application Security teams and providing Application Security assurance across the SDL (from development, to operations, to business processes, to board-level decisions). His work concerns the alignment of the business’s risk appetite with the reality created by Applications developed internally, outsourced or purchased. He is also an active Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on ‘Automating Application Security Knowledge and Workflows’ which is the main concept behind the OWASP O2 Platform.
We have had the pleasure to attend Dinis’ Keynote at Codemotion Rome.
My presentation (“New Era of Software with modern Application Security”) is about a very interesting convergence that is happening between the techniques used by Application Security teams and how Software is developed (for example, techniques like: TDD, Docker, e2e Test Automation, Static/Dynamic/Interactive Analysis, JIRA Risk Workflows, Kanban for Security fixes, Web-Services Visualization, etc…)
My main thesis is that “Application Security can be used to define and measure Software Quality” (since not all quality issues are security issues, but all security issues are quality issues)
The idea is that Application Security is all about: a) the non-functional requirements of software, b) the unintended side effects of coding and c) really understanding HOW the software works (not just how it behaves),
Most companies (and teams) don’t have a software security problem, they have a development, testing and workflow problem.
Since Application Security is just a subset of quality and testing, the path to create Secure Applications is to improve the quality and testability of code and their SDL (Software Development Lifecycle)
I think it is because we still have not found a good way to embed security and secure coding practices into the developer’s IDE and into day-to-day IT activities. Most ‘security’ tools and recommendations have negative impact/value, and are really like a tax that needs to be paid before/during/after development.
The other factor is that until recently, Security was a very niche problem which was addressed by ‘those guys over there’. Now that the threat and attack landscape has changed, we really need to start working together, and I believe that Application Security, can be a bridge between the multiple development, operational and business teams.
For attacking: Hacking Exposed Web Applications
For defending: Iron-Clad Java: Building Secure Web Applications by OWASP’s Jim Manico.
I think we need more women in technology and tech conferences. There is still far too much bravado and let’s just do it! approach in software development (which always has the side effect of creating tons of vulnerabilities).
How we are OK with not understanding how applications/software that we use every day really works (and more importantly, their side effects). As we increase the interconnectivity, complexity and power of our applications, we are sleepwalking into a massive digital disaster.
The good news is that we have time to do something about it. At the moment, the risk for an person or company to be attacked, is still quite low (unless they happen to be targeted)
The bottom line is that for most companies, their main ‘defence capability’ is the ‘lack of focused attackers’ (namely the commercially focused ones, which are the really dangerous ones). Unfortunately, most companies still believe that the reason they have not been (properly) attacked is because they are secure.
Gilberto Gil (and my Spotify list)
Thanks a lot Dinis, see you soon again at one of the next Codemotion events!