The Open Worldwide Application Security Project (OWASP) Foundation, a nonprofit foundation launched in December 2001 that focuses on software security, has disclosed a data breach after some members’ resumes were exposed online due to a misconfiguration of its old Wiki web server.
Looking into this cybersecurity matter for Digital Journal is Jason Kent, Hacker In Residence at Cequence Security.
Kent begins by stating why this particular cybersecurity incident has caught his attention: “As a member and someone who participates in this community, this obviously makes me sad and ask questions. OWASP’s goal is to help organizations find problems with their web applications, application code, and server frameworks.”
The expert then proceeds to look at the significance of the incident: “To have a web application data breach is a bit of egg on the face of OWASP as a whole, but we aren’t the kind of folks that wonder why. We get to the heart of it, fix it, and make sure everyone knows what happened and how to stop it.”
In terms of the impact of the incident, Kent assesses: “The data that was lost, at the newest, was a decade to almost 2 decades old. This fact doesn’t make the loss of data any better but remember, immediately prior to 2014 every person in the USA’s data was lost when Equifax was breached and all of that data was extremely up to date. OWASP no longer collects this data and has moved to new systems.”
Even a disaster yields something tangible if lessons are drawn from it. Here Kent poses: “So what can be learned? Directory Traversal needs to be disabled (it is by default on most systems now) and data retention policies are extremely important for a reason. If they had purged all data when they moved to the new systems a couple of years ago, this wouldn’t have happened. If you read the announcement from OWASP you can see the steps they are taking and you should take if you are part of this.”
Kent cautions that the same kind of incident could recur elsewhere, which means many firms could well be vulnerable to a similar attack. Here he states: “If it can happen to an organization of volunteers that are wanting the world to be a safer place, it can happen to your organization of security professionals dedicated to your environment being a safer place.”
OWASP’s transparency about the incident leads Kent to conclude: “Thank you to OWASP for being open and honest and being an example of how to respond when the inevitable happens.”