Patrick Laverty is a longtime member of CIS’s WebServices Team and the “Go-To Guy” for web application security. He is the founder of the Rhode Island chapter of OWASP (Open Web Application Security Project) and coordinates its monthly meetings, which feature guest speakers (such as PaulDotCom’s Paul Asadoorian, a former CIS employee) and provide an opportunity for like-minded folk to network.
Q. Can you provide some background on the RI Chapter of the OWASP? What prompted you to start it?
A. I developed an interest in web application security and went to a couple of OWASP meetings in Boston after work. That’s a bit of a hike for a 60-90 minute meeting, so I started looking for something similar in Providence. I asked a few people and no one was aware of such a thing existing. I think one day I said out loud, “Someone should start a web security group here in Providence,” and my co-worker, John Pennypacker, said, “You should do that.” So I figured, why not, and in April 2011 we were born. Plus, as I explain at many of the meetings, one of the reasons this group was started is purely selfish. I definitely do not consider myself to be any kind of security expert. I want to learn from experts, I want to attend presentations from them. I figured the best way to do that is to invite them to come and speak on topics that I am interested in and that I want to learn about.
Q. Describe some of the accomplishments of the group.
A. So far, we’ve had some top-notch speakers come to our meetings and present. We’ve had people who have been keynote presenters for conferences with hundreds of people. We’ve had people like mobile security expert Georgia Weidman, PaulDotCom founder Paul Asadoorian, and SANS instructor Joshua Wright come to speak on web encryption. Just mentioning those three doesn’t do the list justice, as we’ve had some really great speakers. We’re also open to new speakers: we’ve had a couple give their first talk, as well as a Brown University undergrad. So we are open to all comers.
Q. What’s next for the PWASG? Any big plans?
A. Unfortunately no, we don’t have any big plans. It’s still a new group and I’m still looking to grow the group. If others wanted to take part in the leadership of the group, I’d be very open to that. I do want to try to get the colleges more involved with the meetings and get students and anyone else interested coming and participating in the discussions.
Q. Focusing now on the person behind all this, what got you interested in security issues?
A. I don’t know. I’ve always been interested in the security area and figured out early on that “security” is just too big of a bucket to learn everything in all areas. My area of focus turned to the web in part because that’s where I spend most of my time at Brown, supporting the web and internet community. I saw a need here at Brown and wanted to help keep the environment secure. When we have security incidents, it’s embarrassing and often could have been prevented. It’s nice to see when we can make changes that prevent problems in the future.
Q. You’ve been a web developer for 10 years. Have you seen a shift in the types of threats to web applications?
A. I’m having a tough time with some of these questions because I’m not an expert in the field. I’m just learning about the various things and don’t have much to go on other than what I hear. One of the most interesting things I hear the experts say is that we’ve now done such a good job securing the network that people don’t try to attack it as much as they used to. In fact, the network is probably third in the general scheme, ranked behind web pages and the person. We think all about securing our web pages and keeping the hackers out, or at least we try, but one area that many don’t think about is the social engineering angle. People will willingly give out information, even in situations where they should know not to, that can lead to their sites and systems becoming compromised or simply “hacked.”
Q. What are the current big issues and have you seen these threats here at Brown?
A. Oh boy, the biggest problem we have here is old software. All too often the problem seems that there is a site where someone set it up two, three or even five years ago and it hasn’t been updated. It might be some third-party software like WordPress or Drupal and the person who set it up just walked away from it. It isn’t hard for someone to find that and exploit it, even to the point of taking down Brown’s web environment. We’re currently pretty permissive with our web environment, maybe too much so, and we’re working to better contain that issue.
Q. From your experiences, what’s your sage advice to web developers when coding applications?
A. Probably just the standard answer that everyone gives, never trust your data inputs, and don’t even trust your own outputs. The first part is probably obvious to most, but you need to check everything that you capture from users and check to see if it is acceptable to be stored in your systems. The last thing you want is to leave your applications open to a SQL injection attack where someone can, in a best-case scenario, simply download your entire database. In a worst case, they can get access to the entire server and do anything they want from that point. As for not even trusting your own data output, it would seem that everything coming from your systems should be clean, especially if you’re checking it on the way in. However, you can’t completely know for sure if the data was tampered with during storage. Even if someone can’t get bad data through your front end (web site), if they can get it in through someone else’s web site and your database shares a server with theirs, they could potentially change information in your database too. So definitely check and sanitize on the way in and out.
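The answer above describes both halves of the advice (check data on the way in, encode it on the way out) and the SQL injection outcome it warns about. The following is an added illustration, not code from the interview or from Brown’s web environment: a constructed in-memory SQLite table, a lookup that splices the user’s value into the SQL text beside a parameterized version, an allow-list check on input, and HTML encoding on output. The table, the sample rows and the function names are all assumptions made for the example.

```python
import html
import re
import sqlite3

# Constructed sample data for the example (not from the page). The third row
# stands in for data that was tampered with in storage, e.g. by a neighbour on
# a shared database server, and so never passed the front-end input check.
SAMPLE_ROWS = [
    ("alice", "alice@example.edu"),
    ("bob", "bob@example.edu"),
    ("mallory", '<script>alert("xss")</script>'),
]


def build_db():
    """Create the in-memory users table used by the examples below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, username):
    """Bad: the user-controlled value becomes part of the SQL statement itself.

    A username of   ' OR '1'='1   turns the WHERE clause into a tautology and
    returns every row; a UNION payload can read other tables, which is how an
    attacker walks off with the whole database.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Good: the value is bound as a parameter and can only ever be data."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Input side: decide what is acceptable to store at all (allow-list, not deny-list).
ALLOWED_USERNAME = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Return True only for usernames that match the allow-list pattern."""
    return ALLOWED_USERNAME.fullmatch(username) is not None


def render_row(row):
    """Output side: HTML-encode on the way out, even for data checked on the way in."""
    username, email = row
    return "<li>%s: %s</li>" % (html.escape(username), html.escape(email))


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(conn, payload))      # all rows
    print("parameterized lookup:", lookup_parameterized(conn, payload))  # []
    print("input check:", validate_username(payload))                   # False
    for row in lookup_parameterized(conn, "mallory"):
        print("rendered safely:", render_row(row))
```

The input check and the output encoding are deliberately independent: the allow-list keeps junk out of the database, and `render_row` assumes nothing about what is already in it, which is exactly the “don’t trust your own outputs” point in the answer.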
Q. What about the general web user? Do you recommend certain browsers, software protection, and/or habits?
A. I don’t think I’m enough of an expert to really comment on that area. I would say to simply keep everything up to date, install patches when the vendor recommends it and stay current. If you’re using an outdated browser, you could be asking for trouble. Oh and when you get a Facebook message from me that I have crazy pictures of you, they’re not real, so please don’t click on them!
Q. And parting words for our readers?
A. We’d love to have everyone interested in IT security come to our meetings, whether it is just to listen or because you have a topic that you’d like to present on; either way, we’d love to have you. We’re open to anyone and everyone, and the meetings are always free. Plus, if you have an interest in the area of web application security, I’d highly recommend taking a few minutes and just poking around the http://owasp.org web site, as my one problem with it is that it might have too much information! There’s something for everyone, from great articles to cheat sheets, videos and free books. Please check it out!
Note: In October the group will meet twice at its home on 200 Dyer Street in Providence (Brown’s new Continuing Education building). On Tuesday, October 9, Brown’s CISO David Sherry will talk about “Security Management”, and on the following Tuesday, October 16, Ryan Dewhurst’s topic is “WordPress > Security”. Meetings start at 6:45, are free and open to anyone interested. See the RI OWASP page for more details. See also the Providence Web App Security Group blog for info on past events.