Jeff Williams

Washington DC-Baltimore Area
21K followers 500+ connections

About

For over 25 years, my passion has been improving the security of the world's software. I…

Experience & Education

  • Contrast Security

Publications

  • The Continuous Application Security Handbook

    This handbook explores how to structure a modern application security program. We reject the old paradigm of periodic and serial scanning, hacking, and patching, which has proven expensive and ineffective. Instead, Continuous Application Security (CAS) relies on security instrumentation in every application. This instrumentation provides security visibility, assessment, and protection in real time and in parallel across the entire application portfolio. CAS is a unified program covering the entire software lifecycle, including both development and production, designed to create a clear line of sight from the threat to strong defenses, and ultimately to assurance.

  • Rugged Software Handbook

    Whether we choose to or not, we all trust software with our lives, our finances, our safety, our government, our communication, our businesses, and even our happiness. This increasing dependence demands that we build our software to survive and thrive despite any threats and challenges we might face, now or in the future. While many brilliant minds have pursued this goal and discovered many powerful techniques and technologies, the complexity, connectivity, and criticality of our software is unquestionably increasing faster than our ability to understand the risks associated with that growth. We envision a world where software can be trusted with the most important activities of humanity, where software enables us to fulfill a higher purpose without enabling those who would profit by harming others, and where the power of software benefits everyone.

  • The Unfortunate Reality of Insecure Libraries

    Jeff Williams and Arshan Dabirsiaghi

    More than half of the Global 500 use software built using components with vulnerable code. 80% of the code in today’s applications comes from libraries and frameworks. The risk of vulnerabilities in these components is widely ignored and underappreciated. The authors analyzed over 113 million downloads by more than 60,000 commercial, government and non-profit organizations. We studied the 31 most popular Java frameworks and security libraries downloaded from the Central (“Central”) Repository and discovered that 26% of these have known vulnerabilities. Every organization should be concerned about the security of the components that they use and trust to run their business.

  • OWASP Application Security Verification Standard (ASVS)

    OWASP

    The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.

  • Java Enterprise Rootkits

    How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? In many ways, malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. What's really scary is that a trojaned Struts or Log4j library could affect most of the financial industry all at once.

    In this paper, we examine the techniques that malicious developers can use to insert and hide these attacks in an enterprise Java application. We examine techniques for bootstrapping external attacks, avoiding code review, avoiding vulnerability analysis, trojaning libraries, and trojaning an enterprise build server. The point here is not to show how complex these attacks are, but rather how many opportunities there are and how simple and obvious they are to most developers.

  • OWASP XSS Prevention Cheat Sheet

    Open Web Application Security Project

    A compilation of research into defending against XSS vulnerabilities. This document was the first to introduce the concept of the different "contexts" within a document into which a malicious XSS payload might land, and detailed the specific escaping techniques to use in each.

  • OWASP Code Review Guide

    OWASP Foundation

    Application Security code review guide. Principles of reviewing code for technical and logical vulnerabilities.

  • OWASP Top 10 2007

    OWASP

    This is the second update of the OWASP Top 10, and the one that was included in the PCI DSS as section 6.5!

  • System Security Engineering Capability Maturity Model (SSE-CMM) (ISO-21827)

    International Standards Organization

    The SSE-CMM is a process model for system security based on the Software CMM from the SEI. The model covers Security Engineering, Risk, and Assurance in a unified process. I served as the Chair of the Author Group of the SSE-CMM and wrote the majority of the model. It was later turned into an ISO Standard and has been used by thousands of organizations to improve their ability to reliably produce secure systems.

  • Just Sick About Security

    The New Security Paradigms Workshop

    A comparison of human defenses to computer security

  • Pretty Good Assurance

    The New Security Paradigms Workshop

  • The New 'Civic Virtue' of the Internet: A Complex Systems Model for the Governance of Cyberspace

    Published in: The Emerging Internet (1998 Annual Review of the Institute for Information Studies), C. Firestone, ed., 1998

    Americans have been fond of saying that representative democracy is the worst form of government except for all the other alternatives. In the special context of a need to govern the online world, however, there may indeed be a better alternative. Participants in online spaces cannot readily make use of the basic ideas of geographically defined representative democracy. There is no way to meaningfully provide equal votes to online "citizens," who are not for this purpose whole people entirely located in particular territorially defined "places." Law-making for diverse online spaces should not be centralized in any single global government, even a democratic one, much less one created by the slow, incomplete, and undemocratic treaty process. Legitimacy cannot be preserved by allowing existing geographical sovereigns to assert an inconsistent and asymmetrical control over all online activities that might have any impact on their citizens. But the task of setting rules for online spaces can be cut into workable pieces. And the collective-action and liberty problems can be solved simultaneously for online spaces by relying on the decisions of participants to join (or leave) those areas with rules they find empowering (or oppressive).

    The new science of complex systems gives reason to hope that an overall system of governance of the Internet that reconnects rule-making for online spaces with those most affected by those rules, and that also allows online groups to make decentralized decisions that have some impact on others, and that therefore elicit disparate responsive strategies, will create a new form of civic virtue. The old hope that rational debate among wise elected representatives will result in the overall public good may be replaced, online at least, by a new certainty that dispersed and complex interactions among groups of individuals taking unilateral actions to serve "local" goals will be best for everyone, overall, over time.

Honors & Awards

  • National Champion - 50+ Masters Basketball Association, 2021 and 2022

    Masters Basketball Association

    The Balt-Wash team is a two-time National Champion. Personally awarded the Championship MVP and points leader awards. Balt-Wash also won the Senior World Games in Utah.

  • CTO of the Year

    InfoSecurity Products Guide

    CTO of the Year (Chief Technology Officer)
    Gold Winner
    http://www.infosecurityproductsguide.com/world/

  • Java Rock Star

    JavaOne

    JavaOne Rock Stars are developers who have given highly rated sessions at JavaOne.
