Chris Romeo 00:00
Andrew van der Stock has been around the world of application security for quite a long time. In 2020, he took over as the executive director of OWASP. He's working from within the organization to further the mission of taking application security to the masses. We discuss Andrew's OWASP origin story, he defines OWASP and the OWASP core mission, we talk about membership and the future, and we even drop some details about the upcoming 20th anniversary of OWASP. We hope you enjoy this conversation with Andrew van der Stock. You cannot hack yourself secure. Everyone wants to focus on the offensive side of the equation. The challenge is that developers get bored with hacking broken pieces of code after a while. Sure, it's a shiny, cool new thing in the beginning. But how about one year later? At Security Journey, we focus on a long-term, sustainable security culture with the developers as defenders. Our approach integrates experimentation together with learning. We believe that developers need hands-on experience but not at the expense of fundamental knowledge. Visit www.securityjourney.com to sign up for a free trial of the security dojo or schedule a demo. Hey, folks, welcome to this episode of the Application Security Podcast. This is Chris Romeo, CEO of Security Journey. And I'm also joined by my good friend Robert Hurlbut. Hey, Robert. How's it going?
Robert Hurlbut 01:34
Hey, Chris. Yeah, good to be here. Threat modeling architect. I am excited about our topic today.
Chris Romeo 01:38
Yeah. We are going to talk about something that, if we had to total things up, like how much coverage different topics got on the Application Security Podcast, I would say OWASP is pretty high up there. Probably second to threat modeling. Robert, that's just you and me talking about what we love from that perspective. We're excited to have Andrew van der Stock joining us today for his second visit to the Application Security Podcast. We were reminiscing about his first visit; we did an interview with him and Brian and Neil, when they were working on the OWASP Top 10 2017 edition in a giant room in Orlando, Florida, and we were reminiscing about how it seems like yesterday, yet it was many years ago. Andrew, I want to jump right in. We already heard your security origin story; folks can go back and hear that from the past. I want to hear your OWASP origin story. I'd even like to know, before you took on the new role that you're in now, give us a little bit of a history lesson about Andrew van der Stock and your interactions with OWASP all the way up to today.
Andrew van der Stock 02:42
Hi, guys. Back in 1998, I got into application security and did my first code review for a bank; they called websites at that point that had ActiveX "mobile applications" because the application itself had been transported to the browser and executed over there. That was amusing. But the reality is I had to more or less discover and document the things that I was interested in from first principles. Once I saw OWASP start, I thought that's a great idea. About three or four months after it got going and they put out the first initial version of the Developer Guide, I realized that it had all these gaps, and there were a lot of things that they missed. I felt that it could be improved. I started contributing, and in the process, I wrote down everything I knew. It turned out to be quite a lot. I might have accidentally discovered things that other people hadn't discovered to that point. But we stood on the shoulders of giants. It's very hard to say who discovered what at that point because there was such a rush; everyone was learning from each other, posting new techniques all the time. It was great. It was a very exciting time to be in the industry. Every app had SQL injection; every app had it. Back in late 2001, I don't know exactly when, my first post is December of 2001 on the archives. I thought I was there a little bit earlier, but I was not there at the beginning. There were a few people who were there at the beginning. There's a whole bunch of people who claim they were there. McAfee has a blog post about that, which is sort of interesting. I think it shows the success of an organization when suddenly people claim to have started it. I did the Developer Guide 2.0; it took 18 months of working out of hours. I was pulling 18-hour days doing it. I got my first real experience of a proper group project that was not a group project. It was me. 
There were contributors I went by; I had some good reviewers, like Michael LeBlanc from Microsoft, who reviewed the buffer overflow chapter because that wasn't a specialty of mine. He gave us a lot of good advice, including three hours before I had to leave to go to Black Hat to release it. I was editing it. If you ever wondered why it's called 201 or something, it's because I edited the final version and then re-released it for the Black Hat edition. I went ahead, showered, got into a taxi, went to the airport, and went to Vegas. That's how close it was to the final edits for some of the things, and the rest is history. I got involved in the OWASP Top 10 and realized during the OWASP Top 10 that it's exactly the wrong approach, says the person who's the current co-leader of the OWASP Top 10. The reality is it's an education piece, and it makes people aware of the issues, but it's not meant to be a standard. People who were using it as a standard, PCI DSS chose it as a standard, even though I wrote in the foreword, please don't use this as a standard. It's an education case. I'm going to be focusing this year's, so the 2021 OWASP Top 10, on making sure that developers and the others who use it are aware that there are proper standards and that they should look over here. If they want a short one, like the Proactive Controls, that's a better choice. That's how the Top 10 should have been written in the first place, not the way it's written at the moment.
Chris Romeo 06:17
Then how did you get to where you sit today as the executive director of OWASP? I'm curious as to how you got there.
Andrew van der Stock 06:27
I was a Senior Principal Consultant at Synopsys, a large consulting firm; I was the head of managed services from a technical point of view. I was leading a team of penetration testers, and I was trying to take them to the next level. I got a new boss, and that new boss decided that he had his own team that he wanted to bring along; he may not have been very happy with the direction I was going, which was essentially working towards quality. That's past history. I had a conversation with Sherif Mansour, one of the board members. We talked about the vision for the future because he wanted me to get back involved in the back end of it more than anything else. We had a great executive director, who was fantastic at the administrative side of running a nonprofit, but he wasn't able to connect with the community. I think the community was getting very restless. We talked about ways that we could make that better, where we need to go, and what needs to happen over the next four to five years. Over time that got shaped, and after a fair amount of immigration time for me (because I live in America; I'm an Australian expat), I was able to accept the position of executive director. Since June 29, I've been acting in that role, and I hope I'm making an impact; I think I am. Things have certainly improved from the community's point of view; from my perspective, there's a way to go. Nothing changes overnight. But I think by getting back into the community leading the organization, we're going to be in the right spot.
Chris Romeo 08:05
I was excited when I saw the announcement because I realized we have Andrew, who is an AppSec person, has lived and breathed this, knows the technology and stuff behind it, but also is well respected in the community. I was excited when that was announced; I was like, this is going to be great. Certainly, from a not-for-profit perspective, we've had good leaders in the past, but as you said, they weren't connected to the community. A lot of it is that this is a complicated world that we've all chosen. We love it; we wouldn't trade it for anything. But somebody doesn't just come in as a business person and, in three months, say I'm gonna learn everything about AppSec. We've got socks that are older than that, or whatever, when we think about it.
Andrew van der Stock 08:51
Well, to be fair, Mike knew how to develop; I just don't think he understood the way our community worked. We're a membership organization that doesn't require membership; we're an organization with a long and, I think, interesting vendor-versus-community relationship that's always been very tense. I've got a blog post that's about to go live on vendor neutrality tomorrow because I think people misunderstand what vendor neutrality is about. It's essentially, in my view, fair and equitable access to OWASP on equal terms: no vendors, no advertising. But our corporate supporters and sponsors help us achieve our mission. Without them, we've got nothing. We need to have a healthy relationship in both directions. I think by resetting expectations and taking the community for the journey, I'm hopeful that we'll get to a nicer place where people will be understanding at the very least, and actively helpful in recruiting more corporate members, because we've got finance reform coming up and we want to do grants, and grants are going to be funded by corporate sponsorship. I expect the corporate sponsors to say, I need this feature in ZAP; I need it to happen. How do we get that happening? You can fund that feature. That's exactly where we need to go. That means that in some cases, some organizations will have quite a lot of say in the way OWASP works, and that's different. But that doesn't mean that that's vendor exclusive. It doesn't mean we should never do that. It means that we need to make sure that everybody has the same opportunity to do that.
Robert Hurlbut 10:36
You've mentioned the OWASP Top 10, and I think that's sometimes the first introduction for developers when they're hearing about OWASP. But that term, OWASP, has been around for a while, obviously. What is it? I know what it stands for. But we don't talk about that as much. But what is it? And what's its mission?
Andrew van der Stock 10:57
OWASP was originally the Open Web Application Security Project. As I've gotten into application security more, to me, it's about protecting the data of humans; our mission should be making sure that transactions are safe, privacy is maintained, and the applications are designed and built by default to be secure and safe. We should be encouraging frameworks and developers to choose safer practices at all times; certain languages and frameworks don't have that safety, and they should be discouraged unless you know what you're doing on this. It's sort of like having a very sharp knife; as long as you know what you're doing, and you understand the pitfalls, then it's okay. To my mind, the mission that we've had has been around for some time, and I think we need to reshape it. I've got some ideas, but it's the board's point of view, and the board owns the strategy. I'm going to be guiding them on the 13th and 14th through a two-day strategy meeting, and I've gotten to read a strategy book for nonprofits on creating impact. It's not enough to say I want to run three conferences this year, I want to have 150 chapters, I want to have 200 projects. That's irrelevant. We want to make an impact with the developer community. I think our mission statement is to be updated to reflect that.
Robert Hurlbut 12:20
Sort of a follow-up on that. You mentioned the Open Web Application; is it exclusively web application focused? I know it isn't, but it's interesting that that was originally in the title and we still keep it. I've seen mobile guides, I've seen a bunch of other stuff, of course, and just general application security.
Andrew van der Stock 12:40
The answer to that is that I think we do need to focus on code, configuration as code, and applications that are built on cloud platforms as code. That is interesting. I think it's probably the lowest layer that we should go to; I think we should not focus on infrastructure; we should not focus on networking. They're important, but other foundations, like the Linux Foundation, have subsidiaries that deal with network security. I think it'd be a mistake for OWASP to get unfocused about what we're trying to achieve. We have a role in the IoT world, embedded, operational technology, APIs, mobile, because they are applications at heart. Now, I think we should get into operating systems and systems languages, which has not been a strong focus for the organization. But now we're seeing APIs built in Go and Rust and things like that, which are essentially systems languages. I think we probably do need to widen it a little bit. I don't think we should go much further than that.
Chris Romeo 13:47
When you think about membership, you're describing membership; you said we're a membership organization run by non-members. When you think about the value proposition for individuals and for corporate folks, what is the value proposition? Why should somebody become a member of OWASP?
Andrew van der Stock 14:08
Honestly, the reality is you can do everything you want to do without being a member of the organization. The only thing you can't do is vote for the board. You can't stand for the board; you can't vote for the board. I am trying to improve the value of our membership. OWASP members can now access what we call a learning platform. The first part of the learning platform, and I know, Chris, we've talked about this as well, I want it in that sort of vendor-neutral way. We've got SecureFlag at the moment; I'd love to see Security Journey there. I would love to see Secure Code Warrior there, just on a fair and equitable basis, on the same terms that we did with SecureFlag. I would like to see our projects like SKF and other threat modeling tools and things like that available on the learning platform. It's early days; the reality is the membership is a way of saying thank you to the organization. OWASP has not only defined my career, it's enabled me to get to the peak of my career. It's been a helpful organization to say that I'm a thought leader. I'm able to execute at this very high level. To do that, I was doing a lot of research and work for OWASP over a long period of time. My way of thanking the organization was to become a lifetime member. At the end of the day, if you think about it, my predecessor had a thing where he likened us to other charities; if you volunteer at the local animal shelter, you're going to be walking dogs, you're going to be cleaning out the kennels, you get pats and licks. But there are downsides as well. The reality is, OWASP is sort of like that; you shouldn't expect too much. It's got to be a passion of yours. I do encourage people who get value out of OWASP to become a corporate member; I am trying to improve the value; I won't lie, for the 50 bucks, which is extremely low compared to, say, most other professional organizations. If you're a CPA, that's quite expensive. You need to be a CPA or a CA to do your job. 
You don't need to be an OWASP member to do your job. I think we're priced at the right level for the amount you get out of us. But the reality is, you're helping our mission. That's where I think it comes from, to feel good about the fact that you're getting something out of it. It's not easy to say what you're going to get out of it. But I would certainly suggest that people do benefit from being around OWASP, even if you're not a member; please, if you feel like you've got something out of us, please join.
Chris Romeo 16:56
You think about all the different things that are supported by membership; you have events and things, and I know you try to get those to zero so that they pay for themselves. But I know not every event that OWASP has ever done has paid for itself. That's just being a realist. Some of that membership money is going towards helping; I like how you said that, going to further the mission. I think that's something that we all have to be able to grasp, those of us who, like me, have benefited hugely from OWASP, from both learning and being able to participate in some projects and getting to mingle with some of the great minds of AppSec and watch them work and learn from them through the process. Also, just the event perspective and stuff like that. It's a bit of a sales pitch for those people that are out there that are consumers of OWASP. If you're somebody who's used these things, become a member and help to further the mission, because we all have the same mission, we all should have the same mission at the end of the day: let's help more people to know about application security, and let's build more people for our industry. That's what we need to do. If I hear one more discussion about a cybersecurity skills shortage, I'm gonna fall out of my chair. We all talk about it, and we know there's some amount of skills shortage, but let's fix it. We fix it by bringing more people to OWASP, and we do that by becoming members, so that OWASP has more resources to be able to help reach more people. Let's give Andrew some money here to go out and start marketing; imagine if we went out and marketed to developers who have never heard of OWASP before.
Andrew van der Stock 18:34
We're going to be reaching out to you next year. Absolutely, for corporate members, there is a benefit in that we're qualified and interested in the products and services of many of our corporate members. The reality is, though, I am trying to do things so that every single part of the organization has an opportunity of earning money to fund what they're doing. In the past, we've run two or three very big events, and that's paid for everything else. COVID has shown us that it is not a good idea. But it also means that we rely upon two or three regions exclusively. That isn't our mission; our mission is to be global. I've made some reforms recently to get regional pricing for everything. Student membership in a regional, developing country (I'm not a huge fan of that term, but it is what it is) is now $8. If you want to become a startup member, we've got a startup option for $2,000. We want to make sure that the startups in these developing countries have access to that on a fair and equal basis. The startup version of that is $400 in a developing country because I know that it's difficult to come up with money during this time. To a certain degree, we need to spread our wings; we need to address the Indian market, we need to address the African market, we need to address the Asia Pacific area. We've pretty much lost contact with the chapter in China. Yet, it's a huge area. I'd like to reestablish relations with them. But I don't even know who leads it at the moment. That is an area we do need to concentrate on, a basic global mission, and focus our energies throughout 2021 and beyond by ensuring that there are events in every time zone. We're going to do that.
Robert Hurlbut 20:32
You're mentioning a little bit about this year, 2020, and how we learned a lot more than we wanted to about different conferences and other meetings and so forth. But how has 2020 gone for OWASP, in particular?
Andrew van der Stock 20:51
Well, 2020 for everybody has been terrible. OWASP has had its own set of issues that are probably separate to COVID. I won't lie; it was a pretty rocky time when I first got in. I think the community was at a crossroads. I've been able to turn that around to a certain degree; I think there are more things coming that will turn it around even more. I've got a meeting on Monday with the California chapter leaders to hear what their issues are and to come up with an action plan to address those issues, because I bet it's not just in California that we've got this issue, or whatever those issues might be. I know, for example, with the failure of the leaders' policy to get through, the board did not vote for it. One board member voted against it. We haven't had any other policy that was working that way. We've got to go back to the drawing board for many of the policies that have been reset. To a great degree, I am working on that reset; the latest policy will probably die as it stands. We'll probably sprinkle the things that we must have through the rest of the policies. I know the reason why it was constructed: to try to treat every leader the same. But at the same time, the settings in that policy just weren't right, not for the community, not for the way that we work. Things like complimentary membership: leaders often had an expectation that they should be able to get honorary membership because they're volunteering their time. That's, in many ways, a strange and unusual request. That's an expectation that the majority of leaders had; 83% of the leaders weren't members. The leaders were the people who were the next in line to become the board. They couldn't set any policy by electing board members who thought like themselves because they weren't members. Complimentary membership is now available to active leaders. 
I hope that that's taken up some more, so we get more candidates for the board, fresh ideas all the time that are good, and, more to the point, more people participating in the selection of the board.
Chris Romeo 23:10
When you think about the future, I've heard you talk about your perspective on this job and the fact that you want to look to 2021 and beyond. We'll go a little further down the road first, and then we'll come back to 2021. I'm curious, for Andrew van der Stock as the executive director, when you think five or ten years into the future, let's pretend we've got the DeLorean, we can jump in at 88 miles an hour, and boom, we're there. What are you aiming at for five to ten years from now for OWASP?
Andrew van der Stock 23:46
I would like us to be universally known by the developer community and have a strong relationship with developers, developer conferences, and developer organizations. I do think that furthering ties with people like the OpenSSF, which is a Linux Foundation initiative, is important to us; that allows us to get in front of hundreds of thousands of developers, in particular framework owners who help millions of other developers code securely, by being involved in these key organizations. I think there are some partnerships going there. We do need to work on bug classes. There are things like cross-site scripting, which are going down rapidly because people are starting to use React and Next.js. These frameworks don't have cross-site scripting. You can still shoot yourself in the foot, but it's harder. If you use React or Next.js properly, in the way it was designed, you don't have cross-site scripting. That's a crossover. That's what we need to work with the developers of frameworks on; that's how we got rid of CSRF, that's how we're going to get rid of cross-site scripting. In my view, that's how we're going to get rid of injections in general. Long term, I would like to see the health of OWASP be that of an incredibly global organization. I think it's well known in Europe and America. It's sort of well known in Australia and the Asia Pacific area, through the efforts of some of the amazing leaders like Riotaro. We need to make sure that we have healthy chapters because they spread the message. If a developer is interested in coming and talking to OWASP, they'll probably come to a chapter meeting. I'd love to see healthy chapters all over the world, and that's why we've got a chapter initiative, like a chapter restart initiative, running right now. I prefer to invest in chapters that are active, but I want as many of them as possible. That's where we need to go. 
But lastly, one of the things that's important to me is we need projects that are game changers. For too long, OWASP policy settings were designed to pretty much stop project leaders from doing projects; it was very difficult for project leaders to spend money, and honestly, they accrued a fair amount of money, but they couldn't spend it. I want to fix that. I want to change it so that we can say to developers, break down about eight or nine packages you'd like to work on, go to sponsors, and get money to be able to work on these things. Not only do the sponsors get something, but the community gets something back as well.
Robert Hurlbut 26:24
OWASP has been around for a while, 20 years, and lots of interesting things have happened. What are we planning for a celebration of that?
Andrew van der Stock 26:34
Good question. We are trying to organize a 20th anniversary special on the 24th of September 2021. That is our 21st anniversary. I have had discussions with Mark Curphey, one of our major founders and probably the driving force behind early OWASP. At the moment, he doesn't feel like he wants to participate in that, and I hope I can turn him around before then. I want to get together all the early folks and have some panels and get some discussions of key projects like the OWASP Top 10. Get Jeff and Javed to discuss the early days of the OWASP Foundation and the OWASP Top 10 when it first got going; that would be cool. But I also want to talk about not only the present but also the future. In September, do look for a number of events all themed around the 20th anniversary, and some of them will be about the next 20 years. Some of them will be celebrating our current chapters and our current projects, and some of our other missions. For example, we've kicked off the Education Committee. I want them to come up with a curriculum. They are working on industry and tertiary curriculums, which is going to be fantastic. But I also want them to work on early-start stuff, like how do we get folks who want to get into application security? They might be a developer, or they might be someone at university who's getting into it. How do you do it? How do you bootstrap yourself? This is something that I think was missing for a while. The Education Committee is going to work on that through then. I'd love to see some promotion of that, and I'd certainly like to say that is the future. Bootstrapping the next generation is important. The early pioneers of OWASP are getting, like me, into their late 40s and early 50s, and we've got to bootstrap that next generation before the next 20 years are up.
Chris Romeo 28:21
Andrew, when you think about a key takeaway or call to action, what do you want our listeners to do in regards to OWASP?
Andrew van der Stock 28:30
I'd like people to come to meetings. If you're a chapter leader, please have virtual meetings; we've got the facilities to do so. I would love for chapters to promote getting involved in projects; projects are a love, and you have to have the itch. You can't just say I want to help Project X, and I'll do X, Y, and Z for them. You've got to say, for example, there's a great threat modeling tool, I want to do threat modeling, and you work on that specific tool. We get those volunteers from chapters, and I think it's all integrated. I think the first and major call to action is, please go to a chapter meeting. If there are no chapters happening in your area, virtual makes it easy to attend other people's chapter meetings. Come have a look at the next couple of chapter meetings that are available to you, come to the chapter meetings, and get involved with projects. That's the biggest call to action I have for you.
Chris Romeo 29:28
Andrew, thank you for all that you've done for the OWASP world, and for all that you're doing today through your current role. We certainly appreciate it, and we see the value that's being driven, and we look forward to the future. We look forward to where OWASP is going because we know that, to achieve this mission of getting more people excited about and into application security, it's not going to happen by a bunch of individuals doing things; maybe we'll get a tiny percentage, but it's got to be a coordinated effort, and that's the value that OWASP brings to the table. Thanks for being here, and thanks for what you do for OWASP.
Andrew van der Stock 30:03
No worries. Thank you for having me.
Chris Romeo 30:06
Thanks for listening to the Application Security Podcast. You'll find the show on Twitter @AppSecPodcast or on the web at www.securityjourney.com/application-security-podcast. You can also find Chris on Twitter @edgeroute and Robert @RobertHurlbut. Remember, security is a journey, not a destination.