September 16, 2005
Tuesday night I went to the first meeting of the Twin Cities chapter of the Open Web Application Security Project (OWASP). We'll be meeting the second Tuesday of every month. It's too early to tell how successful the group will be, but the people there seem dedicated, so I am hopeful.
In attendance was Gunnar Peterson, whose articles on a collaborative secure development process (PDF: parts one, two, three) introduced me to misuse cases and, eventually, threat modeling. Interestingly, of the 10-12 people there, I was the only developer. Everyone else was a security analyst, architect, or consultant. This defied my expectations but not theirs. The developer blogs I read deal with security and build an impression that developers are more concerned with security than is generally the case. Of course, I seek out those blogs in part because they have interesting things to say about security, so that misleading impression is only natural. The developers I work with give consideration to security, but probably not as much as I'd like to think and certainly not enough to drag them out to the Golden Valley library on a Tuesday night. I think, then, that I need to evangelize the new OWASP chapter to the developer communities in which I participate. This will likely mean having meetings on topics of interest to them.
Gunnar brought up a good point, that so often security teams (which have historically been network-focused) point at developers for security problems, but we mustn't forget the architects, who obviously need to consider security as part of the software architecture. This underscores a point that many of us have been saying for years: security needs to be incorporated throughout the development cycle of an app. That's what Microsoft's Security Development Lifecycle is all about, and from everything I've heard they're really taking it to heart.
I'd like to find ways to get involvement in OWASP from all sorts of different groups involved in software development, not only to emphasize the importance of security in those areas, but to learn about these other fields and make connections outside my immediate arena. Software development fascinates me, and not just programming. That's why I distinguish between "developer" and "programmer": to focus exclusively in one area is a death knell for my passion, my career, and perhaps my sanity. This is part of why I've started to be more active in local industry groups like the OWASP chapter. I'm a security-focused web application developer with a penchant for open source and open processes, so it's no surprise that OWASP appeals to me.
I volunteered to give a presentation about the OWASP Top Ten at our next meeting. It's a good introduction to the issues in web application security, of interest to developers, architects, analysts, testers… anyone involved in web application development and deployment. I've given this talk a couple times before, but this time I have some new ideas for presenting the material. So come on out! Tell your friends! We'll be at a to-be-determined location (originally the Golden Valley Library) on Tuesday, October 11, 6 - 8 p.m. Hope you can make it.
Update: I've been told that the library was already booked, so a new location for October's meeting is being sought. Check the OWASP Twin Cities page for updates.
Update, 8 October. Tuesday's meeting is at the Plymouth Public Library, 6 - 8 p.m.