User:Jeff Williams

I'm Jeff Williams, I work as CEO of Aspect Security and I serve as the volunteer Chair of the OWASP Foundation. I’ve dedicated my life to trying to make the world’s software more secure, and so I create lots of free and open tools, libraries, guidance, and standards to try to change the status quo. Thank you all for your dedication to application security and your participation in OWASP. Please send any questions or comments to me via email at [mailto:jeff.williams@owasp.org jeff.williams@owasp.org]. Or you can twitter @planetlevel.

last revised //

Some of my work (in roughly reverse chronological order)
 * Enterprise Java Rootkits - http://www.aspectsecurity.com/documents/EnterpriseJavaRootkits.zip
 * XSS Prevention Cheatsheet – http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 * Java EE ClickJack Filter - http://www.owasp.org/index.php/ClickjackFilter_for_Java_EE
 * Enterprise Security API – http://www.owasp.org/index.php/ESAPI
 * Application Security Verification Standard - http://www.owasp.org/index.php/ASVS
 * How to Write Insecure Code - http://www.owasp.org/index.php/How_to_write_insecure_code
 * Java PDF Attack Filter - http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE
 * Application Security Risk Rating Model - http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
 * CSRF Tester Tool - http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
 * CSRF Guard - http://www.owasp.org/index.php/CSRF_Guard
 * Java Stinger Validation Library - http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
 * Application Security Contract Annex - http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
 * OWASP Chapters Program - http://www.owasp.org/index.php/Category:OWASP_Chapter
 * OWASP Foundation - http://www.owasp.org/index.php/OWASP_Foundation
 * OWASP Top Ten – http://www.owasp.org/index.php/Topten
 * WebGoat Application Security Learning Environment - http://www.owasp.org/index.php/Webgoat
 * Systems Security Engineering CMM - http://sse-cmm.org/index.html

To see my wiki contributions, click here.

Background
My background, from an interview

I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.

Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.

In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.

Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.

In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.

I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). The idea of a free and open community for application security was an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.

Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.

I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.

One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors are cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and starting to contribute back to the mothership. Our conferences have also been a great experience.

I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.

We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.

I have a wonderful wife Jennifer and three kids, Chance (12), Zack (10), Zoe (3), and Tyler (1). We live in the woods and spend a lot of time outside with our two Labrador retrievers. I’m very much into sports – I rowed on the crew team at U.Va. and still play basketball three times a week. For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)"

Articles / Presentations
Opening the Black Box: A Source Code Security Analysis Case Study http://www.aspectsecurity.com/documents/Aspect_Opening_Black_Box.doc

Application Security Initiatives - The Best Defense Is a Good Offense http://www.aspectsecurity.com/documents/Application_Security_Initiatives.htm

Let's Sue the Idiots -- Security, Software, Contracts, and Lawyers http://www.aspectsecurity.com/article/sscl.htm

How to Build an HTTP Request Validation Engine for Your J2EE Application http://www.aspectsecurity.com/article/bld_HTTP_req_val_engine.htm

Access Control (aka Authorization) in Your J2EE Application http://www.aspectsecurity.com/article/access_control.htm

Trustworthy Java - Are your apps bulletproof? http://www.aspectsecurity.com/article/trust_java.htm

The Ten Most Critical Web Application Security Vulnerabilities http://www.aspectsecurity.com/owasp.htm

Security Code Review - the Best Way to Eliminate Vulnerabilities in Software" - http://www.aspectsecurity.com/documents/AspectCodeReviewWhitePaper.pdf

Can a 'Social Protocol' Help Protect Privacy? http://www.aspectsecurity.com/documents/p3p.pdf

Jini and Mobile Agent Security - Proceedings of the Workshop on Agent Technologies (AT ‘98) http://www.aspectsecurity.com/documents/jini.pdf

A Practical Approach to Improving and Communicating Assurance - Proceedings of the 10th Canadian Information Technology Security Symposium (CITSS) http://www.aspectsecurity.com/documents/Arguing.pdf

A Practical Approach to Measuring Assurance - Proceedings of the 1998 Security Applications Conference (ACSAC) http://www.aspectsecurity.com/documents/Measuring.pdf

System Security Engineering Capability Maturity Model (SSE-CMM) version 2.0 - Released at the 21st Annual National Information System Security Conference (NISSC) http://www.aspectsecurity.com/documents/SSECMMv2Final.pdf

Just Sick about Security - Proceedings of the New Security Paradigms Workshop http://www.aspectsecurity.com/documents/Sick.pdf

An Enterprise Assurance Framework - Proceedings of the 5th Workshop on Enabling Technologies http://www.aspectsecurity.com/documents/WetIce.pdf

Pretty Good Assurance - Proceedings of the New Security Paradigms Workshop http://www.aspectsecurity.com/documents/Pretty.pdf

Need for a Framework for Reasoning about Assurance - Proceedings of the International Workshop on IT Assurance and Trustworthiness (WITAT) http://www.aspectsecurity.com/documents/Need.pdf

Assurance is an N-Space (Where N is Hopefully Small) - Proceedings of the International Invitational Workshop on Developmental Assurance http://www.aspectsecurity.com/documents/Nspace.pdf

A Capability Maturity Model For Security Engineering - Proceedings of the 6th Annual Canadian Computer Security Symposium http://www.aspectsecurity.com/documents/CITSS94.doc

Unsafe at Any (CPU) Speed: Why We Keep Making the Same Mistakes - NSA High Confidence Software and Systems Conference

Web Applications: The “Last Mile” of Internet Security

A Constructionist Approach to Law and Society - Law and Society Seminar, Georgetown University Law Center

Interpreting Anticircumvention (DMCA) - Advanced International Copyright Law, Georgetown University Law Center

P3I – Protection Profile Process Improvement - Proceedings of the 22nd National Information System Security Conference (NISSC)

Windows NT Security - 17th Annual National Computer Security Conference (NCSC)

Windows NT Client Security and Windows NTAS Security - The Local Area Network Security Conference (LANSEC)

Reusing Existing C3I Systems in a Secure Environment - Proceedings of the Application of COTS and Reusable Components Conference

A Framework for Reasoning about Assurance - Published by the National Computer Security Center of the NSA Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS)

Interconnecting MLS Command Centers - White paper for the Multilevel Security Initiative at Hanscomb AFB

Education

 * JD cum laude – Georgetown Law - Cyberlaw and Intellectual Property
 * MA – George Mason - Human Factors Engineering
 * BA – University of Virginia - Cognitive Psychology and Computer Science (Specialization in AI)