[WEB SECURITY] Announcing the Web Application Security Roadmap v0.9

Stewart, Kevin G. USNUNK NAVAIR 1490 RM40 kevin.stewart at navy.mil
Mon Apr 28 21:58:19 EDT 2008

Joe, was there a reason why you excluded the open source web application security assessment products from your list, like Burp, Paros, and Oedipus? I can understand that if you're a consultancy doing assessments for profit, you would certainly consider the commercial tools, but as a company doing its own web assessments, I would think that using the open source products would fit nicely into the security budget.

Kevin Stewart

-----Original Message-----
From: feedyourhead at gmail.com on behalf of Joe White
Sent: Sun 4/27/2008 9:31 PM
To: WASC Forum
Subject: [WEB SECURITY] Announcing the Web Application Security Roadmap v0.9
Announcing the Web Application Security Roadmap v0.9

This presentation is v0.9 because I would like a little extra slack to
incorporate the comments I am likely to receive after posting to this
list.  =)

Seriously, I have actually put quite a bit of work into this
presentation and I am being serious when I say that I welcome and
actively encourage your thoughts, comments and feedback.  Some of you
on this list have already quietly offered your feedback in private
conversation and for this I am very grateful.  You know who you are so
let's just leave it at that.  That said, I think the presentation is
now ready for a larger audience.

As a bit of background, the driver for this presentation was a
realization that the information security landscape is quickly
changing. Traditional operations focused security teams are sometimes
unable to keep up with the faster paced evolution of web application
focused threats.  Often, it seems, traditional network/systems focused
information security professionals are resistant to realize that their
current defenses are inadequate to defend against a world freely
exchanging web application traffic all around them.

I also found that in communicating with my peers, many of them found
themselves accountable for all the web application exposure in their
respective organizations.  Without a publicly available resource or
baseline of a roadmap to assist with this challenge, their effort
offered no assurance of success.

There is a lot of information in this presentation and some have
suggested that it may have been better to break the presentation into
multiple smaller presentations or even limit the information to a
white paper.

For the record, I am working on a complementary whitepaper as well but
my intention all along was to offer a foundation for a presentation
that could be used by other security professionals and shared
internally within other organizations to better communicate the work
required to secure an existing web application infrastructure.
Offering the information in only a white paper would not have best
served the target audience for this presentation, namely security
professionals who are wrestling with the scope and breadth of
accepting ownership of their organization's web application risk.

At one level, this presentation aims to offer a current 'state of the
nation' in terms of the current information security threat
environment and on another level, I am hoping to call attention to the
vast divide that is likely to exist between traditional
operations/systems focused information security teams and those more
aware of the web application specific changes in today's overall
threat environment.  I think it is fair to say that in today's
information security threat environment, having some extra letters
after your name or title is not going to offer you any sizable degree
of assurance that you will be better able to successfully adapt to the
current web application security risks.

At the end of the day, the key point I am trying to make in this
presentation is that if you are accountable for the overall web
application security risks in your organization, you need to be
*proactively* managing expectations of the additional work that
will/may be required to secure your web application infrastructure.

Furthermore, you need to be focusing your attention on building a
*foundation* for your success in securing your web applications.
Otherwise, you are likely to find yourself sidetracked on any number
of side projects that will ultimately distract you from your ultimate
goal of addressing the overall web application risk exposure for your

In reality, the security related Capital Expenditures (CapEx) for your
organization to date may ultimately turn out to seem misguided as you
wrestle with securing your web applications.  In the end, you will
need to have a solid understanding of the steps required to secure
your web applications so you can better manage the expectations of
your senior executives in terms of any additional CapEx requirements
you may require to secure your organization's web application

Finally, I am also hoping to call attention to the one area that many
(if not all) of the web application companies are missing, a formal
Web Application Security Incident Response Plan.  It is all but
guaranteed that if you look under the covers at your current Incident
Response Plans, you will find that they served you well in terms of a
'checkbox' solution for compliance and other regulatory concerns but I
would venture to speculate that your existing Incident Response Plans
fall short in the area of Web Application specific events.  My point
in the presentation is that you are best served in getting your arms
around this beast sooner rather than later. You cannot afford to be
blindsided by a Web Application Security event while you are spending
your time managing expectations and building trust among the senior
executives within your organization.

The current Web Application Security Roadmap presentation is available
here in both ppt and pdf formats:


As mentioned earlier, I am actively working on a complementary
whitepaper to this presentation that captures some of the narrative
likely to be included during an actual showing of the presentation and
once this becomes available, you will likely find it posted somewhere
at webappsecroadmap.com.

We may ultimately 'agree to disagree' on some of the points I make in
the presentation, but with any luck it will still offer the intended
foundation so that others can build upon it and adapt/customize it to
fit their needs.

Finally, in return for publicly offering this presentation to the
list, I ask that any improvements and/or refinements to the
presentation also be posted to the list so that everyone can benefit
as well.

I hope this helps.



Join us on IRC: irc.freenode.net #webappsec
