OWASP Chen Liang: Privacy protection cannot rely on a single set of passwords

In the past few years the Internet industry has changed enormously, and the Internet has never had as deep an impact on people's work and daily life as it does today. As the volume of information has surged, security has received more and more attention. 51CTO interviewed Chen Liang, a featured lecturer at the WOT2016 Enterprise Security Technology Summit and head of the OWASP China Beijing chapter, for an in-depth look at these topics.

Chen Liang is head of the OWASP China Beijing chapter, chief security consultant at Nanjing Yixun, and market strategy officer at Shandong Anyun.

According to him, OWASP has about 3,700 members in China, and the number is still growing. Members go through a very strict screening process, with a separate track for students, and there are OWASP researchers in a range of institutions. In addition there is an expert pool of people with strong hands-on experience, which is also an advantage over other organizations.

Views on the current domestic security situation

Asked about the current domestic security situation, Chen Liang believes the core problem is weak security awareness. A big problem for many companies today is that they do not know how to implement their own security planning, and in most cases they are held hostage by their vendors. The client (Party A) does not understand what its real security needs are, and the vendor (Party B) does not understand what the client actually wants to achieve, so the goal and the result end up pointing in opposite directions, producing many security problems and security incidents. In Chen Liang's view the root of this is that the awareness of CIOs and CISOs is not strong enough, and many people do not really understand what the responsibilities and definitions of a CIO and a CISO are.

In Japan, for example, senior information security managers take regular and very strict exams. The exam used to cover ten domains; it is now divided into eight. China may have only about one-third of the talent in this field, but that does not mean there is elimination and rotation every day, or that poaching one senior person will bring a company real benefit. Because companies often do not understand how to do their own security, that is exactly what they need to think about.

Chen Liang believes that information security planning must be thought through by the enterprise itself rather than left to the vendor to decide. In other words, it should be done together with the vendor: the enterprise issues the requirement, the vendor delivers against it, and the enterprise then reviews and accepts the result. That is a reasonably sound approach.

"Take the configuration of security policies. The client does not understand why a given policy should be applied, and the vendor will tell him what protection the policy brings. But in fact, the more security policies you apply, the more overall performance and resource usage are affected."

Open Source vs. Closed Source

On the topic of open source versus closed source, Chen Liang believes that open source is not itself a commercial undertaking; its purpose is to encourage everyone to take part. As more and more people study the code, find bugs, and fix vulnerabilities, the software becomes more and more complete. A particularly popular saying internationally is "business first, then security": the business is the most important department to support. Business-driven open source projects are typically used first, their problems are discovered later, and they are then continuously adjusted and hardened.

He mentioned that the most valuable vulnerabilities today are business logic vulnerabilities. As an attacker you often need to think from the other side's perspective and understand the core logic of the business; it then becomes very easy to find vulnerabilities, bypass checks, or gain unauthorized access. The reason Apple's system is harder to attack is that it is closed source, whereas Android phones have many problems. From this one can see that the higher the threshold, the harder a system is to take down.

How to better protect personal privacy

In this era of information explosion, almost everyone is connected to the Internet in one way or another, and this year data leaks have come one after another. How can ordinary Internet users better protect their personal privacy? Chen Liang gave his opinion. First, you must have security awareness: be skeptical and do not believe things easily. Some people believe text messages about points redemption or bank system upgrades, but in fact such notices are usually not sent to you by text message. Second, you cannot use one set of passwords to conquer the world. Many people's bank passwords have been stolen, along with their accounts, precisely because they use only one simple password everywhere, which makes it very easy to become a victim of credential stuffing (what is called "database collision" in Chinese, replaying credentials from one leaked database against other sites). Third, do not believe every rumor. For example, "grab a red envelope" messages often show a red-envelope image whose hyperlink points to a fraudulent website.
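Chen Liang's warning about "database collision" (credential stuffing) is concrete enough to show in code. The following Python is an added example written for this page; it is not code from the interview, from Chen Liang, or from OWASP. The leaked forum dump, the bank accounts, the two IP addresses and the detection thresholds are all constructed for the demonstration. One user reuses a forum password at the toy bank and one does not; the attacker replays the dump against the bank, and a second function shows the check a defender would run over the login log.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed breach dump from a hypothetical forum: plaintext email/password
# pairs an attacker has obtained. Invented for this example, not real data.
LEAKED_FORUM_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "forum-only-pw"),
    ("carol@example.com", "qwerty123"),
    ("dave@example.com", "letmein"),
    ("erin@example.com", "erin-forum-pw"),
    ("frank@example.com", "password1"),
]

ATTACKER_IP = "203.0.113.7"  # constructed; documentation (TEST-NET-3) address
LEGIT_IP = "198.51.100.4"    # constructed; documentation (TEST-NET-2) address


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the bank never stores a reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Bank:
    """Toy login service that is the target of the credential-stuffing run."""

    def __init__(self):
        self._store = {}    # email -> (salt, digest)
        self.attempts = []  # audit log of (src_ip, email, success)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[email] = (salt, hash_password(password, salt))

    def login(self, src_ip: str, email: str, password: str) -> bool:
        ok = False
        record = self._store.get(email)
        if record is not None:
            salt, digest = record
            ok = hmac.compare_digest(digest, hash_password(password, salt))
        self.attempts.append((src_ip, email, ok))
        return ok


def credential_stuffing(bank: Bank, dump, src_ip: str = ATTACKER_IP):
    """Replay every leaked pair against the bank and return the accounts that opened.
    Only accounts whose owner reused the forum password will appear."""
    return [email for email, pw in dump if bank.login(src_ip, email, pw)]


def flag_stuffing_sources(attempts, min_accounts: int = 3, max_success_ratio: float = 0.5):
    """Defender's check: one source address trying many distinct accounts with a
    low success rate is the signature of stuffing. Thresholds are illustrative."""
    per_ip = defaultdict(lambda: {"accounts": set(), "ok": 0, "total": 0})
    for ip, email, ok in attempts:
        stats = per_ip[ip]
        stats["accounts"].add(email)
        stats["total"] += 1
        stats["ok"] += int(ok)
    return sorted(
        ip for ip, s in per_ip.items()
        if len(s["accounts"]) >= min_accounts
        and s["ok"] / s["total"] <= max_success_ratio
    )


def run_demo():
    bank = Bank()
    bank.register("alice@example.com", "Summer2016!")        # reused the forum password
    bank.register("bob@example.com", "Vq7!bank-only-2016")   # unique password
    bank.register("carol@example.com", "qwerty123")          # reused
    bank.register("erin@example.com", "Erin#bank-unique")    # unique
    # dave and frank are not bank customers at all

    bank.login(LEGIT_IP, "bob@example.com", "Vq7!bank-only-2016")  # normal traffic

    compromised = credential_stuffing(bank, LEAKED_FORUM_DUMP)
    flagged = flag_stuffing_sources(bank.attempts)
    return compromised, flagged


if __name__ == "__main__":
    compromised, flagged = run_demo()
    print("accounts taken over through password reuse:", compromised)
    print("source addresses flagged as credential stuffing:", flagged)
```

Running it shows the two reused accounts opening while the two unique ones hold, even though the bank hashes passwords correctly: hashing protects the bank's own database, not a user who brought a leaked password with them. The flagging function is the other half of the picture; a login service should keep the source address and account of every attempt so that this kind of many-accounts-mostly-failures pattern can be spotted and rate-limited.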

Book Recommendations

For readers interested in working in security or in operations, Chen Liang recommends books from Japan and South Korea. He is mainly responsible for reviewing new security titles from Japan and South Korea for the publisher Turing, so he has read each of them at least three or four times. He found some problems during review, but on the whole these books are well suited to practitioners. He recommends "Web Security Authoritative Guide", the designated textbook in Japan for people doing information security, script mining, vulnerability scanning and similar work. For software reverse engineering, the Korean books are worth reading, and Kali is a necessary threshold. On the operations side, a language you must get past is Python, because the trend toward automated operations is becoming more and more obvious.

Speech Topic

At the end of the interview, the author asked Chen Liang what he would present at the WOT Security Summit in June as a featured lecturer. He said that, time permitting, he would talk about the latest Mobile Top 10 compiled by OWASP, a topic many companies care about in mobile security. OWASP has researched this area for a long time, and he hopes to share the results with everyone when he has the time.
