CT-SPIN #82 – Built in, not bolted on: web application security done right

Event Sponsors

Alacrity web site
Polymorph Systems web site

Security for your web applications is not something you should ignore or defer to a later stage of your project. Paul van Woudenberg and Theo van Niekerk, the founders of ThinkSmart Information Systems and Security, will discuss the strategy of incorporating security measures into the development process from an early stage.

View Presentation Slides

Snacks kindly sponsored by Alacrity.
Wine kindly sponsored by Polymorph Systems.

Venue

Wednesday, 19 September 2012, 18h15
Bandwidth Barn’s NEW location,
3rd Floor,
Block B
66 Albert Road,
Woodstock

Note: It is one of those old industrial buildings in Woodstock that is getting a revamp. Enter from Williams St (around the back), which is closer to the lift/stairs. Their offices are in the corner of the building by Williams and Station St. There is parking on Station St and Williams St around the venue.

RSVP

Anyone is free to attend. Please RSVP at ctspin82.eventbrite.com. Alternatively, RSVP by sending YES or MAYBE via our contact form.

Agenda

18:15 Welcoming and Introduction
Jan Pool
18:20 Web application security done right
Paul van Woudenberg
Theo van Niekerk
19:20 Closing and Thanks
Jan Pool
19:25 Networking & Discussion

Abstract

Most of the money thrown at securing systems misses the weak spots. Huge amounts are spent securing infrastructure while web applications are left exposed. It is a crisis that is largely ignored.

Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempt to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security.

Instead, we advocate a built-in approach. We will show that by weaving security into the software development life cycle, and using mature resources for security coding standards, toolkits and frameworks such as those from OWASP, development teams can consistently produce secure systems without dramatically increasing the development effort or cost.

Speaker Profile

Paul van Woudenberg

Paul is a co-founder of ThinkSmart, a specialist information security consultancy with a range of experience in web application security. After graduating as an Electronic Engineer, Paul moved into software development as a business analyst and architect in the mid-nineties. He acquired a taste for information security on an early web security project in 1997 when he was part of the team that developed a large SA insurer’s first web application security framework. It was on this project that he met Theo, with whom he later founded ThinkSmart. Paul has diverse skills in information security, from writing policies a la ISO27001 to designing transaction authentication processes. Paul is at his happiest professionally when bridging the gap between business and technology. He holds an M.Eng from Stellenbosch University, obtained the CISSP and CSSLP ISC2 qualifications and is a member of OWASP.

Theo van Niekerk

Theo is a co-founder of ThinkSmart, a specialist information security consultancy with a range of experience in web application security. Theo is a seasoned software developer with a strong focus on security. He learned to code on an Apple ][+ as a teenager. In 1997 Theo was part of an R&D team exploring new web technologies at a large SA insurer, where his security skills started paying the bills. It was here that he met Paul, with whom he later founded ThinkSmart. This project spawned a product, eThentiGate, an AAA proxy, which was showcased at the 1999 JavaOne conference. At ThinkSmart, Theo helps clients build secure systems from the inside out, focussing on applying OWASP tools and techniques, by leading code audits, performing security testing and generally providing web application security thought leadership. Theo is a Stellenbosch University graduate and obtained a CSSLP ISC2 qualification. He is also an active member of OWASP and a contributor to the OWASP development guide project.

Company Profile

ThinkSmart

ThinkSmart is an information security consultancy specialising in web application security and information security management (policies & procedures/guidelines). We have helped many clients design and implement application security frameworks, assure their software security and implement organisational information security management systems.
Our focus is helping clients secure the most vulnerable part of their information system infrastructure – the business applications. A badly coded application can undo the best attempts at securing an organisation at the physical and network layers. We work with software development teams to formalise their security efforts, educate them about security, assist with secure design and review code for vulnerabilities. We can also assist with the bigger security picture including organisational information security management (based on ISO 27001) and a secure software development life cycle.

ThinkSmart’s members are Paul van Woudenberg and Theo van Niekerk. We are both active members of OWASP.