Sunday, September 30, 2007

OWASP Asia Conference 2007

A capacity audience of over 600 people attended the half-day OWASP Asia Conference 2007. Must be a record for any web application security event anywhere in the world. This goes to show how much the industry has matured in recent years as truly a global interest. Everything was extremely well organized. The venue was simply stellar (TaiWan Information Security Center), professional branding décor everywhere, the media in force, top-notch speakers (from the U.S. and Taiwan), and fantastic content (discussed below). Wayne Huang (CEO) and the entire Armorize Technologies (makers of source code review software) team did an amazing job pulling it all together. I’ll link to the pictures when they’re made available. It’s going to be a tough act to follow for the OWASP & WASC AppSec 2007 in November.

From my (too) short stay the impression I got from the Taiwanese people is they have a deep sense of national pride, the security community possesses an eager thirst for knowledge, and they’re excited to share what they’ve learned with others. Let me tell you, the Taiwan cyber crime environment is MUCH different and WAY more serious than anything I’ve ever been exposed to in the U.S. or elsewhere. My job experience thus far has everything to do with criminals attempting to monetize. In Taiwan it’s an environment of true military supported cyber warfare as a result of an intense political climate with China. Both sides are extremely well organized, funded, motivated, their actions unrestricted.

Consider for a moment daily computing life filled with 0-days, single person target rootkits, trojan horses, malware-laced spam, and attacks designed not to monetize or embarrass but for militaristic espionage with command and control goals. They view their exploit code more like weapons and munitions than anything else. Imagine an environment of being able to hack anything you want, which is seemingly culturally encouraged, and offenses rarely prosecuted. The private and government sectors are in close, open, and bi-directional communication. This might have something to do with their mandatory military service so relationships between the two are more natural. It was an amazing contrast to our environment in the U.S.

I attended two presentations where I’m not exactly sure how much I’m free to reveal. The organizers requested the audience to turn off all recording devices and refrain from taking photos of the sensitive intelligence research gathered about the Chinese NetArmy. The speakers definitely knew their stuff and supposedly one of them is blocked from entering the U.S. because of past associations. Apparently he wanted to speak at Black Hat last year and couldn’t. The speeches covered what forms of military-grade malware are in the wild, methods of propagation, capabilities, progression, etc. They went over how the NetArmy is trained and organized and how courses in Military Cyber Warfare are being institutionalized. Imagine instead of getting a degree in Information Security, you get one in Military Cyber Warfare. Talk about a bold new world.

My subject matter was all about Business Logic Flaws, to coincide with my white paper release, which I felt would be fresh and new for the audience since a lot of emphasis is already being placed on XSS, SQLi, and CSRF. Judging from the questions and the feedback it was very well received. The undertone was we need to take a holistic approach in web application security since there is no silver bullet solution. Big surprise huh. Just like network security they have a mixture of solutions in place and we need to mature to the same level for website security. Vulnerability assessment, security in the SDLC, Web Application Firewalls, Security configurations, etc. are all steps in the right direction. It’s the only way to effectively reduce risk of compromise.

It occurred to me on the trip back that if I wasn’t already on the Taiwanese and Chinese government cyber security watch list, I certainly am now. Great. :/ As Anurag has said, comes with the job I guess. I’m actually wondering now that I’ve spoken at a Taiwan computer security event, if they’ll let me into China now, let alone speak at a conference there. Hard to know ahead of time I guess. Personally I was just flattered to be invited to the event and proud to be a part of its beginnings. I’m sure it’ll get even bigger next year. Bringing the importance of web application security to a larger world and helping to get more people involved is what it’s all about.


CG said...

looks like it was a great conference especially learning about other country's "cyber army" capabilities.

looks like there are always really good things and research being presented at these overseas conferences. too bad it's so far away and so much money to attend.

Jeremiah Grossman said...

cg, yah, easily a few more hours could have been dedicated to the subject. I think there is probably room for an entire day of conference material for government sponsored cyber warfare.

Speaking with them they also think it's too expensive to come to the U.S. to learn. Lots can be learned from international events, I plan to do more of it in 2008. Would be nice if we could bring the world closer together to share data in some way.

CG said...

sounds like someone needs to plan "WorldCon" where all the speakers would be virtual around the world and it would be streamed live in almost real time to people who registered.

it would be an undertaking, but probably doable.

Jeremiah Grossman said...

I like the idea, but sheesh, what a scheduling nightmare. I wonder if something similar has been done in that way before. If so, we might be able to learn a bit from the execution.