As the software world still reels from the major hacks and breaches that occurred, and surfaced, in 2016, it’s critical that organizations ensure that their code security gets the attention that it deserves in 2017, and beyond.
In order to gain some quick insight into the application security landscape for 2017, we conducted a short interview with Jim Manico.
Jim Manico has been an active member of OWASP since 2008 and he served as a global board member from January 2013 through May 2016. At OWASP, his main passion is supporting efforts that help developers write secure code.
Additionally, Jim trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, is an investor/advisor for Signal Sciences, and is a volunteer for the OWASP Foundation. His writings include “Iron-Clad Java: Building Secure Web Applications” from McGraw-Hill and Oracle Press.
Checkmarx: What is one thing you wish more people knew about the OWASP Top 10?
Jim Manico: It’s incomplete. This is just an awareness document that is good for folks new in application security. After reading the OWASP Top Ten, folks should read the OWASP ASVS standard, the OWASP proactive controls, the BSIMM study and other documents to get a more complete picture on application security.
Checkmarx: What were some major application security challenges you noticed in 2016, and will these challenges get worse in 2017?
Jim Manico: The number one problem is being able to hire enough security people to get the job done. There are many jobs and just not nearly enough talented security professionals to get those jobs done. If you are a senior security professional, the opportunities before you are significant.
Checkmarx: Where is the best place to start for developers hoping to become more “security aware”?
Jim Manico: I think a good place for web and web service developers to start is to understand a few basic technical risks like SQLi, XSS, and CSRF – especially how to deal with them specific to your current software framework. Start with a focused study there. Once you understand those three risk categories, move to a deep understanding of modern IAM technologies like SAML, OAUTH, OIDC and JWTs. That should be enough to keep you busy for a while.
In general, commit to make studying AppSec a regular part of your job as a developer.
Be sure to follow Jim on Twitter for more application security insights at @manicode.
Join Jim Manico’s Meet the Experts Webinar “What is the OWASP Application Security Verification Standard” by clicking here.