[WEB SECURITY] Application Security Program

huan chen ktriv3di at msn.com
Thu Jun 29 18:51:17 EDT 2006


List,

We are trying to design a big picture information security program for our 
organization. The goal is to concentrate on application security. Sub tasks 
should include stuff like policy gap analysis, pen test black box and white 
box, etc. The goal is to do all the activities and measure progress on a 
yearly basis.

Are there any existing frameworks? Anything that has worked / not worked for 
you guys?

Thanks


----- Original Message ----- 
From: "Brian Eaton" <eaton.lists at gmail.com>
To: "RSnake" <rsnake at shocking.com>
Cc: "Web Security" <websecurity at webappsec.org>
Sent: Wednesday, June 28, 2006 8:42 AM
Subject: Re: [WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)


> On 6/28/06, RSnake <rsnake at shocking.com> wrote:
>> ... A more realistic problem is I actually _might_ want
>> people to automatically send traffic to my comments function if someone
>> eventually builds an application to forward requests to my page to make
>> it easier for my users.  Again, you could argue that in that case I
>> should explicitly allow that one referrer in, and I might agree, but
>> wow... this is seeming like an administration nightmare, even on a small
>> site like mine.
>
> If you change your policy on who should and shouldn't be sending
> requests to certain pages, you should expect that you will need to do
> some work to make that policy take effect.  That's true no matter what
> kind of enforcement mechanism you are using.  The more elaborate your
> policy, the more work you are going to have to do to describe it.
>
> Is the extra work required to enable the policy worth the trouble?  It
> depends on the site.
>
> Regards,
> Brian
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> 
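The quoted exchange is about how much administration a per-page referrer policy costs once you want to allow a trusted forwarder through. The following is an added example, not code from either poster: a small Python evaluator for such a policy, where each protected path carries an allow-list of referring origins beyond the site's own, and a helper that counts how many entries an administrator has to maintain. The site origin, paths and forwarder origin are constructed sample values.

```python
"""
Referrer-based request policy for state-changing pages (added example).

POLICY maps a protected path to the extra referring origins allowed in
addition to the site's own origin. An empty set means same-origin only.
Every extra forwarder is one more entry to keep current, which is the
administration cost discussed in the thread.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"  # constructed sample site origin

# Constructed sample policy: path -> extra referring origins permitted.
POLICY = {
    "/comments/post": {"https://forwarder.example.test"},  # one trusted forwarder
    "/account/transfer": set(),                           # same-origin only
}


def origin_of(url):
    """Return 'scheme://host[:port]' of a URL in lower case, or None if malformed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referrer_allowed(path, referer_header):
    """Decide whether a request to `path` with the given Referer header passes.

    Returns (allowed, reason). Only paths listed in POLICY are enforced;
    anything else is left to other controls.
    """
    if path not in POLICY:
        return True, "path not under referrer policy"
    if not referer_header:
        # Browsers and privacy settings can strip Referer, so a protected
        # path denies here and will need a fallback control (e.g. a token).
        return False, "missing Referer on protected path"
    origin = origin_of(referer_header)
    if origin is None:
        return False, "malformed Referer"
    allowed = {SITE_ORIGIN.lower()} | {o.lower() for o in POLICY[path]}
    if origin in allowed:
        return True, f"referring origin {origin} allowed for {path}"
    return False, f"referring origin {origin} not in allow-list for {path}"


def policy_size():
    """Number of origin entries (own origin plus extras) to be maintained."""
    return sum(1 + len(extras) for extras in POLICY.values())


if __name__ == "__main__":
    samples = [
        ("/comments/post", "https://example.test/thread/1"),
        ("/comments/post", "https://forwarder.example.test/relay"),
        ("/comments/post", "https://other.test/page"),
        ("/account/transfer", "https://forwarder.example.test/relay"),
        ("/account/transfer", None),
    ]
    for path, ref in samples:
        ok, why = referrer_allowed(path, ref)
        print(f"{'ALLOW' if ok else 'DENY '} {path} <- {ref!r}: {why}")
    print("policy entries to maintain:", policy_size())
```

Two caveats follow directly from the code: a request whose Referer the browser withheld is denied on every protected path, so a site relying on this check alone will see legitimate users blocked, and the allow-list grows with each forwarder that is admitted. A referrer check is therefore best treated as a supplementary control beside per-request anti-forgery tokens, not as the only one.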
