We all have things we consider “the best”.
Things we look to.
What happens when one of those old reliable, gold standard things that have been our go-to for so long winds up being #2, instead of #1?
Andrew van der Stock, Senior Application Security Leader at OWASP Foundation, stops by to dispel some industry myths about The OWASP Top 10.
What we talked about:
- Is The OWASP Top 10 really the gold standard?
- Next level considerations to take on as you progress on your journey
- Risk assessment and threat modeling is just a game
Check out these resources we mentioned during the podcast:
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Speaker 1 (00:06):
You’re listening to the virtual CISO podcast. A frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed, and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome to another episode of the virtual CISO podcast. As always, I’m your host, John Verry, and with me as always the Butthead to my Beavis, Jeremy Sporn. Hey, Jeremy.
Jeremy Sporn (00:36):
Butthead may be the kindest way you have addressed me all week. So I’ll take this as a victory so far.
John Verry (00:43):
As they say if the shoe fits.
Jeremy Sporn (00:45):
John Verry (00:46):
Did you get a chance to catch my conversation with Andrew? I don’t know why I always ask you that because I always knew you did. But either way, let’s go with it.
Jeremy Sporn (00:54):
One of these days I’ll just say no, and we’ll have nothing else to talk about. Yes, and despite the fact he struggled to remember to record yet another conversation, you and Andrew did cover some really good ground.
Jeremy Sporn (01:07):
Andrew is an absolute beast in the application security industry. Yeah, he’s contributed to a number of OWASP projects, OWASP Top 10, ASVS, and even the IoT Top 10. He, like everyone at OWASP, it seems, is just a phenomenal communicator. His explanation of the OWASP Top 10, that it’s an awareness document, not a standard, is the first time I’ve ever heard it explained that way. It really makes a lot of sense now that I’ve heard it put just in those words.
John Verry (01:37):
Yeah, it’s funny, I’ve used the OWASP Top 10 for 15 years probably, and my favorite part of the conversation is when he referred to it, the OWASP Top 10, as being about the “not to do”, and the ASVS is about the “what to do”. Which I thought was just such a very simple, but very powerful, perspective. Anything else you want to highlight before we get to the conversation?
Jeremy Sporn (02:00):
Yes, and I’ll always say yes to that question as well, John. Expect to walk away with a very clear understanding of how to use the OWASP Top 10, especially versus the ASVS. If you’re that business or technology leader who really needs to speak that application security language to your development team, this episode will really help you get on that same page with them.
John Verry (02:24):
Yeah, absolutely agreed. No further ado, let’s get to the show.
John Verry (02:30):
Andrew, thank you for joining me again, for the second recording of the podcast, unfortunately the first recording I never hit record. How are you today?
Andrew Van Der Stock (02:40):
I’m really good. I’m glad the first one wasn’t recorded, I slammed so many people. I’m joking.
John Verry (02:46):
I won’t tell any of the other members of the OWASP Top 10, or even the other [inaudible 00:02:51], what bad things you said about their projects. So, this is going to give you a chance to clean that all up. You can’t make things up. So, let’s start easy, and you should be good at this, because you’ve already had the opportunity to answer this question. Can you tell us a little bit about who you are, and what you do?
Andrew Van Der Stock (03:08):
I’m Andrew Van Der Stock, I’ve been participating in OWASP since 2002. I wasn’t there at the very beginning, but I do know who was there. So, that’s always an interesting conversation on who claims to have been there. I’ve been doing the OWASP development guide back in the middle 2000s, the application security verification since 2009, and, of course, the OWASP Top 10. Did the 2007 version, and the 2017 version, and we’re working on the 2020 version right now.
John Verry (03:34):
Gotcha, I’ve had Daniel on to talk about the ASVS. You know from our preliminary conversation I’m a huge OWASP fan. I really love the effort, and thank you for coming on, and thank you for your work on the OWASP Top 10. I think it’s one of the best forms of guidance in the world on any topic around information security.
Andrew Van Der Stock (03:55):
[inaudible 00:03:55] Thank you.
John Verry (03:55):
So before we get serious, before we get down to business, we have a tradition here to ask what’s your drink of choice?
Andrew Van Der Stock (04:01):
Well, in the mornings it’s espresso. I’m a bit of a coffee snob. I come from Australia, so our coffee culture comes from Italy and, therefore, I only consider coffee from Italy, and from other places and Australia to be of the sufficient quality. So, I do it myself.
Andrew Van Der Stock (04:19):
But after hours it’s beer. My favorite tipple is actually IPAs, but I’ve always drunk pale ales. My first drink was actually Cooper’s Pale Ale, which is brewed in bottles so the yeast is actually in there, so it’s actually a cloudy beer, and it’s delicious, I love it.
John Verry (04:37):
So it’s almost like an IPA Weiss, you get the Weiss beers that also have the yeast that’s still in there. Same thing with a pale ale?
Andrew Van Der Stock (04:45):
I must admit I’ve never had a wheat beer-
John Verry (04:50):
You know how the Belgians tend to have a lot of yeast in the bottle?
Andrew Van Der Stock (04:53):
John Verry (04:53):
The same concept.
Andrew Van Der Stock (04:53):
John Verry (04:55):
Yeah. Just out of curiosity, this Cooper’s, being from Australia I thought you were going to say Foster’s, but you already corrected me in our last podcast.
Andrew Van Der Stock (05:02):
No, we don’t drink that.
John Verry (05:05):
That’s just marketing.
Andrew Van Der Stock (05:06):
John Verry (05:06):
That’s just Crocodile Dundee stuff?
Andrew Van Der Stock (05:09):
Yeah. It’s barely brewed in Australia. It’s mostly brewed overseas. I don’t know anyone who actually drinks it in Australia. It’s difficult to get in many of the bottle shops. You can get it, but it’s not popular. Each state in Australia actually has its own beer culture, and they prefer their own things.
Andrew Van Der Stock (05:24):
So, it’s sort of surprising to some of my friends that I’ve gone to Cooper’s, because it’s a South Australian beer. Most people in your own state get on things like, in my state, Victoria, it would have been Victoria Bitter. That’s the beer you buy, and put in the bath at parties, that no one drinks. It’s cheap, it’s actually not bad, but it’s also the beer that no one really wants, because they want the fancier beers. I personally prefer the Cooper’s. In America, I go for the craft beers.
Andrew Van Der Stock (05:53):
This one’s [inaudible 00:05:56] it’s actually very hoppy, and that’s what I like. I don’t really like wheat beers, I like the hoppiness of IPAs.
John Verry (06:01):
Gotcha. Can you get Cooper’s here in Australia? Excuse me, here in America?
Andrew Van Der Stock (06:07):
I’m sure you can, but I haven’t tried.
John Verry (06:09):
Andrew Van Der Stock (06:10):
In Colorado, it’s a little bit tricky, the supermarkets don’t tend to sell anything other than standard beers. The bottle shops around here tend to be a bit small. In Australia, bottle shops are huge. Think Lowe’s, or one of those other big barn type places, and they put alcohol in it. That’s an Australian bottle shop.
John Verry (06:33):
So, good news, come to New Jersey. We have those and I’ll get you any beer you want. On the espresso, are you a Lavazza person or an Illy person?
Andrew Van Der Stock (06:43):
John Verry (06:43):
Andrew Van Der Stock (06:45):
Illy, because they actually train their baristas. They’re actually baristas. They’re not just people with the title barista. They actually know what they’re doing with a bean. Because I drink espresso, there’s absolutely no way to hide if it’s a bad draw. It’s going to be a terrible coffee.
Andrew Van Der Stock (07:04):
Funny story, when I was in Tasmania, they had a new café owner. She’d only been there for a couple of weeks, and she didn’t know how to make a long black. Which is a double espresso with a little bit of [inaudible 00:07:12]. It’s not an Americano, it’s a little shorter than that. So, I ended up having to show her how to use her equipment to make a proper long black. So, if you go to Australia, flat whites, long blacks, it’s a bit of a strange title that in Italian it’s a lungo, or a long and short, that’s what it comes from. That’s the culture.
John Verry (07:33):
It’s funny, my daughter likes flat white, iced flat whites. She’s young, she’ll grow up. Then real quick for you, do you brew your own everyday? Do you have an espresso machine in the house?
Andrew Van Der Stock (07:49):
John Verry (07:49):
Andrew Van Der Stock (07:49):
Yes, just getting the quality of coffee from the local supermarket, it’s very difficult, getting the grind is difficult, and so it’s better to [inaudible 00:07:58] over your own machine, and be in control of that.
John Verry (08:01):
Excellent. All right, so let’s get down to business. So, what is the OWASP Top Ten?
Andrew Van Der Stock (08:15):
I just had to show you. Coffee.
John Verry (08:16):
What is that? Oh, that’s your coffee.
Andrew Van Der Stock (08:16):
That’s an espresso cup. [crosstalk 00:08:16]
John Verry (08:17):
No, come on, you’re supposed to have the little one with the, if you like Italian… I always found it funny, going to Italy, you go into like a gas station, and they serve you with the Lavazza or the Illy cup, and the saucer, and it’s awesome. It is awesome, and after being in Italy, I drink a little bit more than I used to.
John Verry (08:35):
So, getting back to both wine, and espresso. So, getting back to, what is the OWASP Top Ten?
Andrew Van Der Stock (08:40):
The OWASP Top Ten, from our perspective is an awareness document. So, the things that you need to know to avoid being hacked. It was designed primarily to provide some sort of awareness to security professionals, and developers. Our primary audience is developers, but they may not necessarily be aware of it. But because it’s got literally a 15 plus year history, the developers in the beginning never knew anything about it.
Andrew Van Der Stock (09:04):
So, we had to work with application security teams to bring it in. Our goal is to give people who are starting out on their application security journey the rough map. Like, here’s New York, here’s Atlanta. It’s not, here is Queens, and here is the Bronx, and here is some other place in New York that I don’t know. Fundamentally, we’re not trying to give people every answer. We’re trying to give them, these are the places you’re most likely to get mugged in.
John Verry (09:41):
I’ve never heard it referred to, though. So, it’s an application mugging. All right, I’m with you. So, I apologize, you’re the project lead, so I can’t disagree, but I always considered it the gold standard. For the last 10, 15 years to me, you guys have produced, what most people would consider the gold standard. The most referenced document in the world when it comes to application security.
John Verry (10:06):
It’s a great document, constantly evolving, and it lists the 10 most significant vulnerabilities at that particular point in time, that people should be cognizant of, and be aware of, and try to avoid. So, when you put this document out, how do you expect, or hope that it’s going to be used, right?
John Verry (10:22):
There’s different user communities, there’s developers that are writing code, there’s people like us that are testing applications on their behalf, and letting them know whether we found anything wrong, and there’s management that might go down, and talk to a product lead or to an application security lead.
John Verry (10:36):
What’s your expectation, you’re the one that produces this document. Who do you think is using it, and how do you want them to use it?
Andrew Van Der Stock (10:42):
Honestly, 15 years ago it was application security teams. They were telling, not asking, they were telling developers how to do things. Quite frankly, I think that was a bit of a fail. Over time, the actual how it gets used, really hasn’t been changed. But I think people are actually aware of it now.
Andrew Van Der Stock (11:03):
So, it succeeded in being an awareness document, but also it got [inaudible 00:11:08] adopted as the standard. It’s not a standard. When I wrote the OWASP Top 10 2007, I put into the foreword piece, “This is not a standard, please don’t use it as such. It’s an awareness piece.” I’ve been very consistent about that for a long time. However, people, because it’s so approachable, it’s only theoretically 10 things, although there’s 43 of them in there. People think that’s all I need to do.
Andrew Van Der Stock (11:29):
It’s not, it’s the very start of your journey. So, if you are starting your journey, it’s a great start, but the reality is they should use the application security verification standard, which is the other one that I work on. That’s much more developer focused, it’s built around the concept of testing, and so you can use it from the very word go. From sprint planning sessions, where you’re saying “These are the constraints I need to think about from a security perspective. These are the functional issues that I need to consider.” The ASVS can help guide you.
Andrew Van Der Stock (11:56):
The ASVS itself, there’s a lot of things in there, it can be overwhelming. So, if you are starting out, the OWASP Top 10 is probably a better choice but if you are on the journey you should probably stop using it and start the ASVS level 1 then work up.
John Verry (12:12):
I like the word that you used, approachable. That idea of 10 things, people can wrap their arms around that, and really kind of understand what they need to concentrate on. When we spoke prior, I think you used the term, the OWASP Top 10 are things which we are avoiding. When you look at the ASVS, which is another companion document or another great document that OWASP produces that you have some involvement in, is that kind of the opposite, is that the list of things you should do? So, one is don’t do and one is do?
Andrew Van Der Stock (12:40):
Absolutely. Every single thing in the ASVS is written as a positive control. So, it tells you what to do. It’s designed to be forked, and so we make it very easily available on GitHub. You can pull it down and change it to your heart’s content. If you don’t do web services, you can remove that chapter altogether.
Andrew Van Der Stock (12:54):
If you do, for example, GraphQL, you don’t need to consider SQL injection. For example, you need to think about ORM injection [inaudible 00:13:01] there. You can strip things out, put things in, and change it around. The OWASP Top 10 bundles like things together. Like the authentication, we have over 80 things in the authentication chapter I think in the ASVS. We only have one page of 300 words in the OWASP Top 10.
Andrew Van Der Stock (13:22):
Just communicating the basics of what multifactor authentication is and whether or not you need it. It’s impossible in the OWASP Top 10. Whereas in the ASVS we actually give you the ability, if you don’t want to do two factor authentication, just don’t do that two factor authentication section and you’re done. Move on.
John Verry (13:39):
Beyond the approachability, is there another set of constructs, or context that you would say would be proper use. So, as an example, would you say that, “Oh, because your application is of a high risk nature, you should use X.” Or a specific use case, maybe it’s processing credit card data, or maybe it’s processing some other sensitive PII or something of that nature, or something about the application architecture. Are there other beyond just that approachability, and hey I’m new to this, are there other particular context when you would recommend to somebody to use one or the other?
Andrew Van Der Stock (14:14):
Yep, if you’re doing applications that can kill people, or run the economy, you should absolutely not be using the OWASP Top 10. You absolutely need to start with the ASVS level two and work your way up. If you’re doing command and control software for the military, you actually have to use level three. That’s what it’s designed for.
Andrew Van Der Stock (14:29):
It has a level of paranoia that is built in. It assumes bad [inaudible 00:14:35], it assumes Easter eggs, it assumes that people will attack your memory. Things that just don’t happen for most apps. We care about it very deeply at level three.
Andrew Van Der Stock (14:46):
If you’re doing medical device software that needs to be resilient, you should do level three selectively, because there are areas where you need to be very, very cognizant of, if your software fails because of a security issue, you’re going to kill people. That is not the OWASP Top 10. It’s never been the OWASP Top 10.
Andrew Van Der Stock (15:02):
The ASVS has been that level for some time. The level of paranoia on level three is for those high level documents, those high level software. Most software though is level 2. Banking software, even the stuff that runs national economies. For example, recently we’ve had [inaudible 00:15:21] the coronavirus, the stock market crashed. They had a reset where they literally paused the stock market for [inaudible 00:15:26]
Andrew Van Der Stock (15:27):
That would probably still be a level two application because it’s got this built-in process that slows things down, even though there’s high frequency trading happening in the background worth trillions of dollars. The reality is the market can cope with that. So, maybe level two is still appropriate to those.
John Verry (15:42):
Gotcha. So, quick question for you, I know that there’s some folks that are OWASP contributors are big threat modeling risk assessment fans and some are less so. I think you fall on the more of a believer in it. Would that be something…
Andrew Van Der Stock (16:01):
This is the OWASP Cornucopia card set, signed by Colin Watson, who’s one of the guys really heavily involved in the OWASP threat modeling community. I would highly recommend Cornucopia.
John Verry (16:15):
Where do I get one?
Andrew Van Der Stock (16:17):
You go to our website and there should be a merch store. You can buy them for I believe ten bucks. I actually have another copy here which was made by another company, but this is my favorite copy because it’s signed by Colin. It’s actually got my name in it a couple of times, which is fantastic. It’s used by developers as part of a game. So, effectively you start thinking, “Oh, we’re doing crypto today. Here are the crypto cards. Does this apply to my particular problem today?” These are related back to ASVS sections.
John Verry (16:46):
That’s kind of cool.
Andrew Van Der Stock (16:47):
You then pin, this is what I try to do, you pin this to the story to say, “I need to deal with this. This is the test I need to write.”
John Verry (16:54):
That’s pretty cool. [inaudible 00:16:56] now I’m jealous. Now, I want a set. I got to go and buy those. In fact, I was so interested in seeing those I navigated away from my script here. So, I got to navigate back.
John Verry (17:08):
Question for you, so we talked about the idea of developers using this. One of the things with the testing is that OWASP Top 10 is a fully pen testable, fully dynamic application security testable framework. One of the things which has been very good, is some very good tools that are out there. I’ll loosely use the term integrated yours, and cross reference your stuff. So, something like Burp or something like Burp Suite, which is a great ridiculously low priced product for value, is an amazing product. AppSpider we use. Even the secure controls framework, is actually listing your stuff there, and cross referencing it to other controls.
John Verry (17:47):
Thoughts on that integration, and where that might be going, and it does drive some people to use the OWASP Top 10 from a testing perspective, because it’s just easier because the tools are there. It’d be great if the tools were ASVS enabled as well.
Andrew Van Der Stock (18:02):
Yeah, so the ASVS is actually available in JSON format. So, we’re easily consumable by tools. So, it’s just surprising that we’re not more consumed by tools, because we make it easier to consume the ASVS, than the Top 10. Realistically, for things like Burp, and Zap, and other tools, because we’re more granular, you can be a little bit more specific about what the ASVS issue is. Therefore, you can fork the ASVS, and say “Hey, we’re not going to deal with 200 of these things because we can’t test for it, and here’s the ones we do care about.” Therefore, you can work on it.
Andrew Van Der Stock (18:35):
What I’d probably suggest is, the ASVS level one is entirely pen testable. It’s also completely integration testable. So, from the developer perspective, everything on level one can be integration tested using Selenium, or whatever your favorite framework is. So, I would highly recommend people look at level one as the new testing checklist. Because it is so granular, and it’s easy to fork, and it’s consumable by machine technology.
John Verry (19:00):
That’s interesting, and that seems to start to align with a shift that we’re seeing from a testing perspective, where people are starting to talk about “Don’t give me a report at the end of the test, put stuff into Jira for me, right. Open up tickets.” Is that kind of the way that you’re seeing things going in that more CICD, if you’re doing like a level one test and they’re going directly into Jira and directly into a story?
Andrew Van Der Stock (19:26):
Yeah, the most advanced organizations will actually use something like the ASVS to drive the test cases. So, every time they do a build they automatically test, they don’t have to do a pen test. They automatically test the application for this particular issue. The next generation of people along, who aren’t quite there yet, are looking for that integration.
Andrew Van Der Stock (19:46):
They’re using vulnerability managers, who when they get a new finding, from a tool, whatever the case may be, they actually do a level of deduplication. They include something like Jira or GitHub Issues or whatever, because if a tool runs a scan once a day, and it just reports the same problem, day after day after day, 365 days later you’ve got 365 dupe tickets. So, you do need that level of care.
Andrew Van Der Stock (20:11):
I am seeing that, and so there are platforms, like ThreadFix, and others that will actually do that deduplication for you. The old fashioned way is to get a PDF report. I wish we’d stop doing it, because developers don’t read them. They just don’t.
John Verry (20:24):
Yeah, that’s interesting. So, you guys produce some awesome content at OWASP. The application security verification standard, we’ve already talked about. You also have the mobile application security verification standard, you’ve got the IoT Top 10 amongst others. Talk a little bit about where both the OWASP Top 10 is going, and how it may or may not integrate with some of these other great forms of guidance that you guys put out at OWASP.
Andrew Van Der Stock (20:51):
Sure, so the OWASP Top 10 because it’s a [inaudible 00:20:55] piece we want to make people aware of the other standards. So, we do link to the testing guide. We do link to the ASVS, the proactive controls. So, if today I would have probably have suggested it, it would have been lovely for OWASP to have started with the proactive controls back in 2003. But we’re here, the OWASP Top 10 is an awareness piece, and it concentrated on the negative. So, it’s our job to use that fame, and glory to actually promote these other standards.
John Verry (21:23):
I thought it was to get rich and famous.
Andrew Van Der Stock (21:25):
That hasn’t happened.
John Verry (21:27):
Sorry about that. [crosstalk 00:21:32] I recognize that picture behind you. It’s one of my favorite. I told you this when we started, that I have socks with that same picture on it. Are you saying that’s not the original behind you?
Andrew Van Der Stock (21:40):
No, that’s me when I was having a date night with my wife. There was alcohol involved, so it’s better than if I was [crosstalk 00:21:49]
John Verry (21:49):
Did you actually paint that?
Andrew Van Der Stock (21:50):
John Verry (21:52):
Congratulations, that looks pretty darn good from here.
Andrew Van Der Stock (21:55):
As I said there was alcohol involved.
Andrew Van Der Stock (22:01):
Within the OWASP community, I think I’m moderately well known. However, the reality is I don’t get recognized in supermarkets. So, fame and glory, being rich, no. Doesn’t happen that way, but it’s been good for my career. Let’s put it that way.
Andrew Van Der Stock (22:15):
Getting back to the actual problem. The OWASP Top Ten points at these other things that may be more relevant. So, it’s our job within the 300 words for each of the sections, to actually point out this is the problem. These are the people who might do it to you. Here’s some examples of people [inaudible 00:22:30] doing it to others, and roughly what you might want to do about it.
Andrew Van Der Stock (22:34):
Generally, that points off to one of those other links. For example, the ASVS, or the testing guide, or the mobile application security verification standard. So, the interlinking will continue. As far as I’m concerned, standards should try to interlink, because if you have, for example, ISO 27002 saying “you must have an eight character password, blah, blah, blah.” Or ridiculous password complexity. Then NIST says, “That makes no sense, do it this way.” Which one do you comply with?
Andrew Van Der Stock (23:00):
So, at OWASP Top 10 and the ASVS, we chose the NIST pathway, because it’s evidence based. We’ll continue to align ourselves with other standards, so that we don’t have our own special version of it. If there’s nothing in the marketplace that says do it this way, because there’s limited data on it, we will of course set some sort of standard, but there’s no reason for us to have our own password complexity rules. So, we do like interlinking with other standards where they are relevant.
John Verry (23:28):
One of the problems you have of course is they have to be friendly. PCI is an example, they have their own software standard. It would be great if that was cross referenced to ASVS, but they’ve got to work with you for that, right?
Andrew Van Der Stock (23:43):
Yeah, funny story, back in 2007 when I did the OWASP Top 10 2007, I wrote in the foreword, please don’t use this as a standard. Then the next year, the PCI council used it as a standard. So, it’s a mixture of the 2004, and 2007 versions. If they had come to us, we could have come up with a much better section 6.5 than the one they had, but they didn’t.
Andrew Van Der Stock (24:08):
Only member organizations can contribute to the PCI standards. Same with ISO, if you’re not part of the national bodies, from a particular country. So, for example, I live in the US now, I’m Australian. If I was to work with ISO, I would have to work with the Australian Standards Body for me to contribute to ISO’s standards. Yet ISO 27034, of the [inaudible 00:24:32] one, I could provide them a lot of interesting advice. I get backhanded copies from people who are interested. I can’t deliberately contribute to that particular standard. I find that disappointing, I’d really like to help them produce a better standard.
John Verry (24:47):
You can’t participate, because you’re not a US citizen? Is that what the reason is?
Andrew Van Der Stock (24:52):
If I was to be invited it would be from the Australian government. For that I’d have to be involved in the Australian government’s standards setting body.
John Verry (25:03):
Andrew Van Der Stock (25:03):
That’s possible. So, Australian standards exist, and there are people who participate there who are my friends. I’m sure that if I ask around enough, I’d find out who of my friends is on the US version of ANSI. But the reality is, unless you’re actually a citizen of the country, you can’t participate in the one you live in right now. You have to participate in the one you are a citizen of.
John Verry (25:22):
That’s interesting. I didn’t know that.
Andrew Van Der Stock (25:26):
It’s a bit more convoluted than it should be.
John Verry (25:28):
Gotcha, so you have maintained a pattern of every three to four years. You’ve been updating the OWASP Top 10, I think the most recent one is 2017. That implies that we’re probably coming up with a new one pretty soon.
Andrew Van Der Stock (25:42):
Yes, we are working on it now. We have been meeting since last June. Progress has been a bit slow because of the Coronavirus. Our original plan was to release at AppSec USA, or AppSec in San Francisco later this year. It’s been a little delayed. At the moment I’m between jobs. I’ll use this time to actually push forward, we got to do data collection and analysis.
Andrew Van Der Stock (26:06):
I really want us to get it done, and get it done in 2020. I don’t think we can release it in 2020. So, do look out for data collection assistance. We’ll be putting that on to Twitter very shortly. We want to get the analysis, and actual publication done this time. Unlike last time, we do not want to release it on Thanksgiving Week. That was terrible we couldn’t get any media. We couldn’t get any traction with anybody. I think we missed the boat. So, I think October has to be the last possible month for us to release it. It’d be ideal to release it in September. But with Coronavirus, it makes it a bit trickier.
John Verry (26:42):
I think this year is going to be a little bit hard, I think most news stories are going to struggle for some effort, until this gets a little bit further along. From your perspective will we see any difference in terms of your top 10, and the way that you integrate with ASVS?
Andrew Van Der Stock (26:58):
I think we’ll do more of the same in that way. This time around, last time we had 43 CWEs, that’s probably 33 too many. I really want us to either focus in on a category. So, for example the crypto category is like 327, or something. It’d be ideal for us to focus in on a category. So, we only have one CWE per page. We still probably need to stick to the one page per item.
Andrew Van Der Stock (27:28):
Integrating with other standards, integrating with other elements that are actually out there. For example, if we end up finding out that business logic flaws are a big deal. Maybe we’ll find someone who’s doing some work in that area and we can reference them. But we need to make sure it’s fresh. We need to make sure that it’s not self referential.
Andrew Van Der Stock (27:49):
One of the criticisms of the OWASP Top 10, is that it looks like the one that was the last time. That looks like the one before that. The reality is that if everyone uses the OWASP Top 10 as a standard, that’s what people find, and that’s the methodology the OWASP Top 10 uses to create itself. It’s always like that.
John Verry (28:05):
It’s not your fault that developers haven’t learned, yet. You’ve been telling them about injection problems for a decade, and we still have them. What are you going to do? Not report what the most important thing is that you see.
Andrew Van Der Stock (28:20):
So, this is I think an area that we need to work on. Back in the old days, it was very easy to blame developers who didn’t know something. But I’ve never met a developer that didn’t want to know how to secure software. They have pride in the work that they do. I think we need to do a better job as a community working with the frameworks. If they produce frameworks that are, by default, the easiest way to do something is to not shoot yourself in the foot. For example, why are there any PHP functions at all that are SQL injectable?
John Verry (28:46):
Andrew Van Der Stock (28:46):
It could be removed. It should be saying in PHP 8, MySQL real query will not exist. All software that uses that function will not work. You have two years. It would get people on the road. That’s what we need to do. We need to get frameworks saying “Hey, this is not okay. This is a common source of things, let’s fix the bug class, and we do that in frameworks.” I don’t like the idea that we’re blaming developers for not understanding something they didn’t know, and then not protecting themselves.
Andrew Van Der Stock (29:17):
I do think frameworks have the highest standard they need to come up to. That’s how [inaudible 00:29:21] SF got fixed. That’s how it got out of the OWASP Top 10. The correct place to fix that was in frameworks. [inaudible 00:29:28] put [inaudible 00:29:28] protection in, problem solved.
John Verry (29:30):
Yeah, I think the other thing too, in fairness to developers, is we have to also understand that as business leaders, and organizations that are running the business, we have to give people the time, energy, and effort necessary to actually prioritize security, move security left. I mean it’s not that they don’t know what to do, it’s that they’ve got so many other pressures to get features out, to serve the business. Security tends to come a little bit later in the process, where it needs to come a little bit earlier in the process.
Andrew Van Der Stock (30:00):
Exactly. GraphQL, for example, was a really good [inaudible 00:30:06] I watched a little while ago on all the different ways you could attack it, and it’s like, this is like 2001 again. Everything that we learned back then about SQL injection, I would have hoped that GraphQL would have not had some of those problems. They fixed the most obvious ones but then they reintroduced the ones we already knew how to solve. It’s like “Aw, really?”
John Verry (30:26):
One step forward, two steps back, right.
Andrew Van Der Stock (30:28):
Yeah, it has like this thing where it actually tells you the schema, and actually the sorts of things you might be able to do. Why?
John Verry (30:38):
All right, so you hit everything on my list, quite well, I would say, as well. Anything else you think we should touch on, with regards to the top ten?
Andrew Van Der Stock (30:47):
Yeah, we’re already trying to build the 2020 version. I’d love to get data contributions. At the end of the day this is how we make the OWASP Top 10 better, and more relevant. Last time we had data from 43 firms. We had data from bounties. We had data from static code analysis tools. In fact, we got so much data from them it almost overwhelmed the entire data, and we had to figure out how to normalize that.
Andrew Van Der Stock (31:10):
Fundamentally, the data that we get, and the quality of that data, really helps build a better OWASP Top 10 2020. So, if you do have data, please help contribute. Go to the OWASP Top 10 Twitter handle or mine, I will retweet it. My DMs are open. Please, just ask us how do we contribute. We’ll be putting it out there in the next couple of weeks. How to actually submit the form. What we’re looking for. What sort of data quality we’re looking for.
Andrew Van Der Stock (31:36):
If it’s hand constructed we need to know that, if it’s something from your internal system, and you need to massage the data to get rid of identifying information. Let us help you with that. We would like the data to be public. We are thinking about having anonymous contributors. But obviously then that means you might need to hide who you are, and things like that. Help us understand how we can help you give us the data. We would rather have the data than to not have the data because you’re concerned about identification. The last part is, please give us feedback. When you see drafts, give us feedback.
John Verry (32:09):
You guys recently moved to, I know the site just recently evolved completely, and you moved everything to GitHub, right?
Andrew Van Der Stock (32:18):
Yes. So, the actual website for the OWASP organization, it was on MediaWiki for a long time. It had a lot of crap, and it was difficult to find things. The search engine didn’t really find much, but people have hard links into it. It was a disturbing thing for everyone, including us. I know Torsten, one of our co-leaders, he actually is busy working on it at the moment, has had improvements in the last week, since we last spoke.
Andrew Van Der Stock (32:41):
So, I’m hopeful that the work he’s putting into there will actually make it easier for us to actually have translations of all those things up. At the moment, it’s a bit rough. That’s because we’re translating hundreds of thousands of pages from an old [inaudible 00:32:56] system to maybe a thousand pages in the new. It’s all looking at pages.
John Verry (33:01):
Gotcha. Really, all of the projects have been migrated over to the new one? Just for everyone listening, it’s O W A S P dot O R G, is still where we’re going to find all this wonderful content, correct?
Andrew Van Der Stock (33:12):
That’s correct. A lot of good projects there, yep.
John Verry (33:15):
Andrew Van Der Stock (33:15):
Active projects need to do what we did, or what Torsten did, and actually help with the migration of their pages.
John Verry (33:21):
Gotcha. Okay anything else you want to touch base on?
Andrew Van Der Stock (33:25):
Other than that, if anyone’s interested in collaborating on standards, I’m very interested in hearing from other standard setters. If you are working on a standard that’s relevant to OWASP, web application security, information security in general, please do touch base. We often have a very good relationship with some folks. We are actually working on some collaborations with others. We want to see where they can go.
John Verry (33:47):
It would be great to see some maps between something like I said the new PCI standard, and what you guys are doing. Anyone that would be producing those maps, it would be great to have them be part of the project.
John Verry (33:58):
So, I always like to close with two questions, one is fun. An amazing or horrible CISO, it could be an application security person if you want, it can be a fictional character, it could be a real life person. Who would either make an amazing, or horrible CISO and why?
Andrew Van Der Stock (34:13):
Okay, I think we’ll go with horrible CISO, because it’s easier. I actually would nominate Fry, from Futurama. Because he always says “here, take my money.” You don’t want to be led that easily as a CISO. You need to have a philosophy, and a way of thinking about conceptual integrity, and making decisions around that particular choice every time. Not because someone’s yelling at you. Not because it’s fashionable, not because a tool vendor took you to lunch. It’s really important to make… It happens, we know that happens, right?
John Verry (34:45):
That particular one resonates with me so strongly. Or the guy whose security strategy is driven by the Gartner Magic Quadrant Reports. I got one of them, and I got one of them, and I got. No, no, no, no, this is not going to work. I agree with you.
John Verry (35:04):
You also said when we were talking earlier. You said something that I thought was also interesting, is you also differentiated that a CISO may or may not be a good or bad CISO, also depending upon where you are in an organization. I think you used the example of someone going through a transformation. So, could you touch on that?
Andrew Van Der Stock (35:22):
Yeah, so there are CISOs who are going to be basically just keeping the lights on. They need to have a steady hand, be the voice of calm, and actually just make sure all the basics are done. That’s fine, but if you’re the sort of CISO who’s being brought in for a transformation to enable secure business, and take the organization to the next level, you are a different type of CISO, and you need to be proactive, and you need to have that.
Andrew Van Der Stock (35:45):
You need to have a bit of a vision about where you want to take it, and how it can actually work. To a certain degree the best way to create the future is to invent it. That doesn’t mean necessarily following everybody else. CISOs they can change the culture within an organization, and if you’re the sort of organization that doesn’t like applying patches and what not, you’re going to get broken into someday.
Andrew Van Der Stock (36:07):
That doesn’t really change whether or not you’re going to be a leading organization in the future. I’ve worked on a number of big projects over the years, where we have changed the future. One platform we did corporate internet banking and if you had $2 billion in the bank, you could transfer $2 billion in the bank. You could just do it, and we did it securely. It changed the nature of payments in Australia. It literally, it began real time payments in Australia 15 years ago.
Andrew Van Der Stock (36:33):
So, instead of waiting two or three days and getting our transactions, like payroll. It used to be delivered on non-tracked tape. We do that immediately, and it saves companies a fortune. It actually got us market share, and that was really important. That’s a transformation role. You cannot say I’m going to implement such and such a banking solution from three years ago, and call that transformation. You need to think about what it is the business really wants to achieve. There are CISOs that are good for that, and there are CISOs that are a very steady hand. I think there’s two different types.
John Verry (37:06):
That’s actually very interesting because it ties into a conversation I had with a gentleman, he was talking CIOs. Then we said “well, it applies to CISOs as well.” He kind of used a similar analogy, too. He said that “If you have a CIO who loves technology, that person might be able to keep those lights on, and do that. But if he loves the business, he can help you transform.” So, I think to your point it’s the same kind of analogy. You need that CISO to love the business as much as he loves a tool, and technology.
Andrew Van Der Stock (37:37):
Exactly, one of my favorite CISOs was a gentleman by the name of Gary Burgess. He transformed a couple of banks in Australia in his time. He actually introduced a [inaudible 00:37:47] in Australia. Effectively it allows you to do things like splitting tips, payments, licenses, renewals, everything. It’s literally like a little tiny smart pad that is a wireless [inaudible 00:38:00] controller.
Andrew Van Der Stock (38:00):
We’re talking about the days when you came to a store you may, or may not have an EMV terminal. Whereas that’s universal today, but this is essentially the next generation of [inaudible 00:38:11] devices and the only equivalence I can think of today, and is still not that quite advanced, is the ones that you see occasionally like the Square, and whatnot. This was 12 years ago. So, those sorts of people who can take you to the next level, can transform your business. When you find them. Look after them.
John Verry (38:32):
I think it’s also recognizing who you are as a business. That person that has that ability to solve security challenges of that nature that will help you transform a company. If you don’t need that skill set, and you just need a guy to keep the lights on, hire that, because that guy’s going to cost you a lot, right. But if you need someone to transform you, don’t hire the guy that’s going to keep the lights on.
John Verry (38:58):
My last question is, everyday all day, you’re talking about technology, and security like we are. This podcast is listened to by both information security people, and people that are on the business side, trying to learn that. What do you think would be an interesting topic for a future episode?
Andrew Van Der Stock (39:13):
Class solving, I think at the end of the day, if we’re just stamping like whack-a-mole along, this bug, that bug. Look back at the Zoom issue, that’s an [inaudible 00:39:22] that’s not a bug that’s unknown. But solving [inaudible 00:39:26] doors, solving memory issues, solving business logic flaws automatically. Formal methods is a way of solving some of those things, but how do you do that with all this legacy code hanging around? When every single piece of code in existence is legacy code. I would like to hear from someone who’s actually going to do that intersection between the business, and technology to actually understand how do we solve some of these bug class issues?
Andrew Van Der Stock (39:49):
Is it a thing where we start to remove liability from firms who produce buggy software? Is it something that we start to think more about really taking application security from professional amateurs, like people like myself who have been doing it for a long time to people who actually understand why this happens. Then fixing it so it never happens again. I think we should stop paying for things that we should know don’t happen, should not happen.
John Verry (40:16):
Is that something that’s the realm of AI, and machine learning. Is that something that’s the realm of the people that develop the developer tools. Is that the Microsoft Visual Studio folks? How would you go about doing that because that sounds like a pretty tall mountain.
Andrew Van Der Stock (40:34):
It is a mountain, and in fact, the only way to solve some of this stuff is to isolate it into a domain, and fix that domain. I think it is actually someone like the compiler manufacturers working with the [inaudible 00:40:48] the people who actually create these languages, and the frameworks sitting in a room saying “How do we actually solve this?” Because we now have some AI tools that can say “Well, that looks bad.”
Andrew Van Der Stock (40:58):
Otherwise, we have to wait for general AI. If we’re waiting for general AI, we may be waiting for a very long time. So, then how do we scale developers to get the answers they need? If you have got an application security team with five people on it, and they’re looking after 1500 apps, they are not looking at the source code. How do we scale it? The answer is, it has to be scalable. In my mind that means frameworks, languages, and compilers.
John Verry (41:23):
I would agree. I think actually now is, unfortunately, probably a really critical time for that to be happening. Before we put out, whatever insane number we’re talking about, 100 billion IoT devices. All of them have firmware on them. They haven’t moved security left. If we let too many of these devices out there, you’re going to be talking about a legacy code problem that has some pretty significant implications.
Andrew Van Der Stock (41:51):
So, there was talk, I mean this again comes back to the intersection between business and regulation. There was talk a few years ago that if you can’t update the IoT device, it can only live for 80 months, and then it dies. So, if you want to have a device that’s not disposable, like a car, then it needs to be updatable. Updatable to that uses intervention. I think that goes for even things like children’s toys.
Andrew Van Der Stock (42:13):
They had this Barbie doll that listened to kids’ conversations, and then decided what it was going to do in the future. If it’s not updatable, kill it. As far as I’m concerned, we need to have that conversation between the businesses, and the technologists to be able to come up with the frameworks that allow us to move on. As we get to self driving cars, you’ll get to a situation where, this generation of self driving cars might accidentally kill people, because it doesn’t know anything better.
Andrew Van Der Stock (42:39):
Unless it’s updatable, is that okay? If the answer’s no, then it needs to be updatable. So, I think a lot of the things in IoT in particular, you really need to have that legal regulatory framework around what is an acceptable IoT device? It’s the same as you can’t plug things into the wall unless they’ve got some sort of regulatory approval.
John Verry (42:59):
Right, UL or something of that nature.
Andrew Van Der Stock (43:03):
There needs to be something along those lines with what the industry agrees is an acceptable way of keeping IoT safe. When it comes to things like power grids, things like for example, network devices, and what not. Something that runs an entire neighborhood’s power might be built to a higher, more stringent level than say for example this network device. But I think the fundamental philosophy of it should be, if it’s not updatable kill it.
John Verry (43:29):
Andrew Van Der Stock (43:30):
Therefore, we know it’s a disposable thing, therefore it should be cheaper. If you want a more expensive thing, it’s updatable.
John Verry (43:37):
Right, the good news is, that guidance is getting out there. I know Daniel Miessler runs the IoT Top 10, and I know that’s one of the IoT top things that he said. I’ve heard him talk extensively about that. You’re starting to see that creep into things like California SB327, NIST 8228 as well. Yeah, I think you’re right. I think the good news is that we’re getting out in front of it. I just think that we’re not quite as in front of it as would be ideal. Better a little late than never.
John Verry (44:03):
Before we say goodbye, how can folks get in contact with you?
Andrew Van Der Stock (44:06):
The easiest way is by Twitter, I’ve got open DMs, I’m just @vanderaj there. If they want to email me [email protected]. Other than that I’ve been on the internet since 1989, just search for my name.
John Verry (44:19):
Like you said, you’re famous, just not rich and famous. You’re not getting that table at Spago’s on Friday nights.
John Verry (44:30):
Andrew, thank you so much for coming on, and Andrew is as gracious as can be, because we got 45 minutes into our last interview, and I realized that I hadn’t hit record.
Andrew Van Der Stock (44:40):
These things happen.
John Verry (44:42):
An extra special thanks to Andrew.
Andrew Van Der Stock (44:45):
No worries, thank you. Talk soon.
Speaker 1 (44:48):
You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected].
To ensure you never miss an episode subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.