Ken van Wyk
Ken van Wyk is a CERT® Certified Computer Security Incident Handler, an internationally recognized information security expert and author of two popular O'Reilly books, Incident Response: Planning & Management and Secure Coding: Principles and Practices, as well as a monthly columnist for eSecurityPlanet. Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.
Ken has previously held senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-CERT incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.
Ken has previously served as the Chairman and as a member of the Steering Committee for the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community. He currently sits on their Steering Committee and Board of Directors.
Developing web applications as if operations mattered
Today's web-based software applications have grown substantially in importance over those of just a few years ago. As a result, the impact of security failures has increased commensurately, often with potentially large-scale financial impact to the enterprise. Yet, security failures occur in often times spectacular ways.
A common failing occurs in how enterprise software interacts with security infrastructures, from enterprise event logging through intrusion detection and prevention systems. These security facilities frequently go untouched by application developers, leaving security staff to seek bolt-on solutions to application-layer security issues.
In this session, a common web application user interface component known as a servlet is examined and enhanced, to build a web app example that is not only secure against attack, but able to stand up to the rigors of a modern enterprise computing environment. Starting from a simple, highly vulnerable servlet is examined and discussed as a case study, with particular attention paid to some of today's most prevalent web-based attacks like SQL injection and cross-site scripting. First, security features are added to the servlet to provide defense against these most common attacks (e.g., OWASP Top-10 2010). Next, enterprise event logging is added, with the use cases of the CSIRT in mind specifically. Finally, the servlet is enhanced to provide the ability to take evasive actions when attacks are detected, based on policies set by the CSIRT and/or CISO staff.
By highlighting these building blocks in source code case studies, we clearly illustrate the urgent need for close collaboration among the CSIRT, software development, and business staff.