Moving The Open Web Application Security Project Out Of The Shadows
Agency Coordination, Use of Technology By the Bad Guys, and the Long Term

Rob Reilly
Wednesday, July 24, 2002 11:46:14 AM
The events of September 11th and the current state of
security in the United States have focused much attention on the
coordination of information between organizations. Curphey talked
about his contact with various entities such as company security
departments, government groups (CIA, FBI, etc.) and individuals.
"We have had some preliminary discussions with some of the
agencies and continue to get regular and frequent praise from large
corporates. But to be honest we have all been disappointed that we
haven't been approached with a grant or major sponsorship so far,
especially post Sept 11th. WebScarab and the Filters project have
the potential to allow everyone to find and prevent holes in
critical systems using a free Open Source tool."
"The Open Source development model also allows people to quickly
implement new checks and distribute them quickly and efficiently to
those that need them," he added.
Turning to the question of what happens if Open
Source projects and tools fall into the hands of malicious hackers
and terrorists, Curphey was straightforward and practical about the subject.
"There is no doubt that some tools could be used maliciously
as well as in the spirit we are designing and building them. But
that's been true of any security technology from SATAN to Nessus. I
can promise you the closed source commercial community wouldn't turn
down a large sale of an unlimited scanner license to a one-man
company in Kansas as long as he has the cash!" Curphey pointed
out.
"However, there is a duty of all OWASP projects to act responsibly
and we will be working with vendors to make sure that official checks
using VulnXML have patches where possible. The focus is always on
creating professional security tools and not hacker tools," he emphasized.
Asked about putting OWASP processes into the real world, Curphey explained:
"The footprint from WebScarab will light up any half-decent IDS like a
Christmas tree, and so it should. If it doesn't, the vendors can contact us
and we will make sure they build appropriate signatures or point them to
SNORT for help! Again, funding would certainly help us build a good
process and investigate some ways to alleviate this."
So, what is the future of Web Application Security over the next
one, three, and five years?
"Education will go a long way to help improve the safety of
web applications. OWASP has a role to help everyone make the net a
safer place and to help people secure our personal and national
assets. I am hopeful that security products will improve to address
the current problems more effectively. If you look at the technology
in a film like Toy Story and compare it to the average web
application scanner we are presently 'Buzz Lightyears' apart," he said.
"In the short/medium term I think frameworks will develop
that will make it easy for developers to do the right thing. The
OWASP Filters project would be an example of a framework component.
Within 5 years I would hope that security technology will start to
catch up with the rest of the world and smart tools using Artificial
Intelligence (AI), for instance, will help find problems at a code
level before they ever get into the wild," Curphey added.
Curphey and his dedicated team of 'rock star' volunteer developers
have taken the often fragmented world of web security and tried to
make it safer. Take a look at the great work being done by OWASP
and then ask yourself the question: are my web applications safe?
Rob Reilly is a
Technology Consultant who writes and speaks about Linux, business
integration, innovation and automotive design. He has 16 years'
experience in the technology, manufacturing and utilities industries.
He is always 'on the lookout' for stories and projects that focus
on Linux, business, and the cutting edge. Send him a note or visit his
web site at http://home.cfl.rr.com/rreilly.