Christian Wenz

Christian Wenz: Security is like brushing your teeth

Let's move over to the Security Track and get to know Christian Wenz, who will give an interesting talk on Web Application Security.
Until you meet Christian in person on April 19, during the conference, you can find out more about him and his work by reading this interview that he gave for the DevExperience blog!



DevExperience: How did you begin working in this industry? And what has changed since then?

Christian Wenz: I started working in IT right after high school. I’ve always had a knack for computers, and it did help that my father got one for his work, which I occupied during the day.

DevExperience: What does a normal day look like for you? What about a not so normal day?

Christian Wenz: There are no normal days – constant change is what drives me. I am either visiting a customer site, or I’m in the office, every day with new learnings and new surprises.
But well, there are indeed not so normal days: I remember a customer calling me from a big trade fair which was about to start (read: in thirty minutes), and they needed something (which I wasn’t involved in) fixed. I was done after 29 minutes, but do not need this experience on a regular basis. ;-)

DevExperience: What advice do you have for someone who wants to do what you do?

Christian Wenz: Love what you are doing, take nothing for granted, be kind, and continue to learn every day. I know, that sounds like it's straight from a calendar, but still…

DevExperience: It is the first time DevExperience has a track on security. So can you explain to our attendees (mostly senior developers and devops) what OWASP is and why it is important?

Christian Wenz: The Open Web Application Security Project is a non-profit organization that provides all kinds of information about security: software, checklists, whitepapers, events, and much more. The project’s most famous publication is their “Top Ten List” of the top security risks for web applications, which is released every three years or so. The list is sometimes controversial (and I will explain my stance in my talk), but it is still mandatory knowledge for every developer working on web applications.

DevExperience: What are the main mistakes that companies make regarding web security?

Christian Wenz: First of all, not taking it seriously. Ever so often I see companies trying to apply security as a patch at the end of a project, or when it’s too late because an attack has happened. Security must be an integral part of the software development process, during all phases. Once it is, everything else can fall into place nicely.

DevExperience: Why is security that hard? Why is everyone struggling with it?

Christian Wenz: Security is like brushing your teeth – you can’t really tell whether someone is doing it before it’s too late. Often, the focus during development is that everything works, not thinking about what could go wrong.
As a security-aware developer, you have to anticipate attacks that may not even exist. This is a challenge, but there are certain patterns that are prevalent in many attacks. Being aware of them helps tremendously in securing an application.



DevExperience: We are hearing a lot about shifting security to the left, integrating it as early as possible in the development cycle. But what should a company do to enable that? What actions do you see?

Christian Wenz: I think this question already contains the solution: make a security expert part of every step, not just at the very end, when the deadline is approaching fast. Plan securely, design securely, implement securely, and make code reviews a standard practice.

DevExperience: Do you see an increase in awareness lately about security? Because we see things happening like GDPR and the Facebook-Cambridge Analytica scandal. Are we on the right track?

Christian Wenz: I started doing security in 2000 or 2001, stumbling upon that topic by accident. At first I thought that this would be a temporary thing, and the situation would get better and better, due to better education, better tools, and more wide-spread knowledge. But here I am, almost 20 years later, still involved in web security.

But my fatally incorrect prognosis from back then aside, just the fact that there are data breaches and high-profile security incidents almost every week now proves to me that the situation is still bad, despite the awareness that did in fact increase. I’m an optimistic person, so I do think we are on the right track, but there is still a long way to go. Some recent developments like built-in security features and APIs in web browsers are pretty encouraging, though.

DevExperience: Please give us the top 3 things to consider to increase security for our web APIs.

Christian Wenz: Validate input, escape output, and use the security features web browsers provide.

DevExperience: What are your expectations for DevExperience?

Christian Wenz: Actually it’s my first time in Romania, so I am excited to get to know a new developer community. Also, the agenda covers a lot of different topics, so I hope I’ll be able to attend many of the other talks. And of course I am keen on doing some touristy stuff. :-)

DevExperience: What about the participants? What should they expect from your talk?

Christian Wenz: They will get to learn many APIs browsers provide to protect web applications from common (and not so common) attacks. Also, they’ll hopefully have some fun and will find the information presented useful for their web applications and can apply it right away.

This sounds more than attractive, so we are pretty sure that you will find it attractive too and that you will join us for the 4th Gathering of IT Evangelist!