Profile of Jeff Williams

Co-Founder & Chief Technology Officer, Contrast Security

Member Since: 4/1/2014
Author
News & Commentary Posts: 22
Comments: 32

Jeff brings more than 20 years of security leadership experience as Co-Founder and Chief Technology Officer of Contrast. Previously, Jeff was Co-Founder and Chief Executive Officer of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for eight years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from the University of Virginia, an MA from George Mason, and a JD from Georgetown.

Articles by Jeff Williams

View Content By Month

It's High Time for a Security Scoring System for Applications and Open Source Libraries

7/6/2021
A benchmarking system would help buyers choose more secure software products and, more importantly, light a fire underneath software producers to make products secure.
Post a Comment

Tough Love: Debunking Myths about DevOps & Security

8/19/2019
It's time to move past trivial 'shift left' conceptions of DevSecOps and take a hard look at how security work actually gets accomplished.
Post a Comment

Open Source Software Poses a Real Security Threat

8/15/2018
It's true that open source software has many benefits, but it also has weak points. These four practical steps can help your company stay safer.
Post a Comment

How Code Vulnerabilities Can Lead to Bad Accidents

7/10/2017
The software supply chain is broken. To prevent hackers from exploiting vulnerabilities, organizations need to know where their applications are, and whether they are built using trustworthy components.
Post a Comment

New OWASP Top 10 Reveals Critical Weakness in Application Defenses

4/27/2017
It's time to move from a dependence on the flawed process of vulnerability identification and remediation to a two-pronged approach that also protects organizations from attacks.
Post a Comment

Why It’s Insane To Trust Static Analysis

9/22/2015
If you care about achieving application security at scale, then your highest priority should be to move to tools that empower everyone, not just security experts.
Post a Comment

What Do You Mean My Security Tools Don’t Work on APIs?!!

6/25/2015
SAST and DAST scanners haven’t advanced much in 15 years. But the bigger problem is that they were designed for web apps, not to test the security of an API.
Post a Comment

Why We Can't Afford To Give Up On Cybersecurity Defense

5/18/2015
There is no quick fix, but organizations can massively reduce the complexity of building secure applications by empowering developers with four basic practices.
Post a Comment

Which Apps Should You Secure First? Wrong Question.

3/5/2015
Instead, develop security instrumentation capability and stop wasting time on '4 terrible tactics' that focus on the trivial.
Post a Comment

What Government Can (And Can’t) Do About Cybersecurity

1/22/2015
In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.
Post a Comment

The New Target for State-Sponsored Cyber Attacks: Applications

12/17/2014
Skilled hackers are now using simple web application vulnerabilities like SQL Injection to take over database servers. Are you prepared to defend against this new type of threat actor?
Post a Comment

The Staggering Complexity of Application Security

11/10/2014
During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built.
Post a Comment

In AppSec, ‘Fast’ Is Everything

10/13/2014
The world has shifted. The SAST and DAST tools that were invented over a decade ago are no longer viable approaches to application security.
Post a Comment

An AppSec Report Card: Developers Barely Passing

9/19/2014
A new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security such as how to protect sensitive data, Web services, and threat modeling.
Post a Comment

Why Your Application Security Program May Backfire

7/2/2014
You have to consider the human factor when you’re designing security interventions, because the best intentions can have completely opposite consequences.
Post a Comment

The Only 2 Things Every Developer Needs To Know About Injection

5/22/2014
There’s no simple solution for preventing injection attacks. There are effective strategies that can stop them in their tracks.
Post a Comment

The Real Wakeup Call From Heartbleed

4/16/2014
There's nothing special about Heartbleed. It’s another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.
Post a Comment

Flying Naked: Why Most Web Apps Leave You Defenseless

3/28/2014
Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
Post a Comment

The 7 Deadly Sins of Application Security

2/6/2014
How can two organizations with the exact same app security program have such wildly different outcomes over time? The reason is corporate culture.
Post a Comment

What Healthcare Can Teach Us About App Security

1/15/2014
The Centers for Disease Control protects people from health threats and increases the health security of our nation. It’s a mission that’s not so different from InfoSec.
Post a Comment

Secure Code Starts With Measuring What Developers Know

12/19/2013
I recently discovered I’ve been teaching blindly about application security. I assumed that I know what students need to learn. Nothing could be further from the truth.
Post a Comment

Application Security: We Still Have A Long Way To Go

11/21/2013
The past decade shows only trivial progress in improving web app security, according to new vulnerability guidelines in the OWASP Top Ten 2013.
Post a Comment