[WEB SECURITY] Announcing the Web Application Security Roadmap v0.9

Joe White joe at cyberlocksmith.com
Mon Apr 28 22:26:04 EDT 2008


You make an excellent point.

In terms of budget, I have learned to include some 'padding' in order
to avoid blind-siding the keeper of the checkbook.  =).

That said, I do use the tools you reference and I guess my point is
that if you are going to agree to be accountable for web application
exposure at your organization, you need to be firm in communicating
the tools and budget that you will need to be successful.  Knowing
that you have some open source tools available is great if you have to
adapt to less than you asked for but nonetheless, your point is worth
serious consideration.



On Mon, Apr 28, 2008 at 6:58 PM, Stewart, Kevin G.  USNUNK NAVAIR 1490
RM40 <kevin.stewart at navy.mil> wrote:
> Joe, was there a reason why you excluded the open source web application security assessment products from your list, like Burp, Paros, and Oedipus? I can understand that if you're a consultancy doing assessments for profit, you would certainly consider the commercial tools, but as a company doing its own web assessments, I would think that using the open source products would fit nicely into the security budget.
>  Kevin Stewart
>  -----Original Message-----
>  From: feedyourhead at gmail.com on behalf of Joe White
>  Sent: Sun 4/27/2008 9:31 PM
>  To: WASC Forum
>  Subject: [WEB SECURITY] Announcing the Web Application Security Roadmap v0.9
>  Announcing the Web Application Security Roadmap v0.9
>  This presentation is v0.9 because I would like a little extra slack to
>  incorporate the comments I am likely to receive after posting to this
>  list.  =)
>  Seriously, I have actually put quite a bit of work into this
>  presentation and I am being serious when I say that I welcome and
>  actively encourage your thoughts, comments and feedback.  Some of you
>  on this list have already quietly offered your feedback in private
>  conversation and for this I am very grateful.  You know who you are so
>  let's just leave it at that.  That said, I think the presentation is
>  now ready for a larger audience.
>  As a bit of background, the driver for this presentation was a
>  realization that the information security landscape is quickly
>  changing. Traditional operations focused security teams are sometimes
>  unable to keep up with the faster paced evolution of web application
>  focused threats.  Often, it seems, traditional network/systems focused
>  information security professionals are resistant to realize that their
>  current defenses are inadequate to defend against a world freely
>  exchanging web application traffic all around them.
>  I also found that in communicating with my peers, many of them found
>  themselves accountable for all the web application exposure in their
>  respective organizations.  Without a publicly available resource or
>  baseline of a roadmap to assist with this challenge, their effort
>  offered no assurance of success.
>  There is a lot of information in this presentation and some have
>  suggested that it may have been better to break the presentation into
>  multiple smaller presentations or even limit the information to a
>  white paper.
>  For the record, I am working on a complementary whitepaper as well but
>  my intention all along was to offer a foundation for a presentation
>  that could be used by other security professionals and shared
>  internally within other organizations to better communicate the work
>  required to secure an existing web application infrastructure.
>  Offering the information in only a white paper would not have best
>  served the target audience for this presentation, namely security
>  professionals who are wrestling with the scope and breadth of
>  accepting ownership of their organization's web application risk
>  exposure.
>  At one level, this presentation aims to offer a current 'state of the
>  nation' in terms of the current information security threat
>  environment and on another level, I am hoping to call attention to the
>  vast divide that is likely to exist between traditional
>  operations/systems focused information security teams and those more
>  aware of the web application specific changes in today's overall
>  threat environment.  I think it is fair to say that in today's
>  information security threat environment, having some extra letters
>  after your name or title is not going to offer you any sizable degree
>  of assurance that you will be better able to successfully adapt to the
>  current web application security risks.
>  At the end of the day, the key point I am trying to make in this
>  presentation is that if you are accountable for the overall web
>  application security risks in your organization, you need to be
>  *proactively* managing expectations of the additional work that
>  will/may be required to secure your web application infrastructure.
>  Furthermore, you need to be focusing your attention on building a
>  *foundation* for your success in securing your web applications.
>  Otherwise, you are likely to find yourself sidetracked on any number
>  of side projects that will ultimately distract you from your ultimate
>  goal of addressing the overall web application risk exposure for your
>  organization.
>  In reality, the security related Capital Expenditures (CapEx) for your
>  organization to date may ultimately turn out to seem misguided as you
>  wrestle with securing your web applications.  In the end, you will
>  need to have a solid understanding of the steps required to secure
>  your web applications so you can better manage the expectations of
>  your senior executives in terms of any additional CapEx requirements
>  you may require to secure your organization's web application
>  infrastructure.
>  Finally, I am also hoping to call attention to the one area that many
>  (if not all) of the web application companies are missing, a formal
>  Web Application Security Incident Response Plan.  It is all but
>  guaranteed that if you look under the covers at your current Incident
>  Response Plans, you will find that they served you well in terms of a
>  'checkbox' solution for compliance and other regulatory concerns but I
>  would venture to speculate that your existing Incident Response Plans
>  fall short in the area of Web Application specific events.  My point
>  in the presentation is that you are best served in getting your arms
>  around this beast sooner rather than later. You cannot afford to be
>  blindsided by a Web Application Security event while you are spending
>  your time managing expectations and building trust among the senior
>  executives within your organization.
>  The current Web Application Security Roadmap presentation is available
>  here in both ppt and pdf formats:
>  http://www.cyberlocksmith.com/cyber_web_app_security_roadmap_v0.9.ppt
>  http://www.cyberlocksmith.com/cyber_web_app_security_roadmap_v0.9.pdf
>  As mentioned earlier, I am actively working on a complementary
>  whitepaper to this presentation that captures some of the narrative
>  likely to be included during an actual showing of the presentation and
>  once this becomes available, you will likely find it posted somewhere
>  at webappsecroadmap.com.
>  We may ultimately 'agree to disagree' on some of the points I make in
>  the presentation, but with any luck it will still offer the intended
>  foundation so that others can build upon it and adapt/customize it to
>  fit their needs.
>  Finally, in return for publicly offering this presentation to the
>  list, I ask that any improvements and/or refinements to the
>  presentation also be posted to the list so that everyone can benefit
>  as well.
>  I hope this helps.
>  Thanks,
>  joe
>  <<<>>>
> ----------------------------------------------------------------------------
>  Join us on IRC: irc.freenode.net #webappsec
>  Have a question? Search The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/
>  Subscribe via RSS:
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
