Re: [WEB SECURITY] Announcing the Web Application Security Roadmap v0.9

Julian Totzek jtotzek at
Tue Apr 29 02:58:47 EDT 2008

Hi Joe,

and, as so often, one very popular WAF from Europe is missing!

Deny All - rWeb, have a look at


> -----Original Message-----
> From: feedyourhead at [mailto:feedyourhead at] On behalf of
> Joe White
> Sent: Monday, 28 April 2008 03:32
> To: WASC Forum
> Subject: [WEB SECURITY] Announcing the Web Application Security Roadmap
> v0.9
> Announcing the Web Application Security Roadmap v0.9
>
> This presentation is v0.9 because I would like a little extra slack to
> incorporate the comments I am likely to receive after posting to this
> list.  =)
>
> Seriously, I have actually put quite a bit of work into this
> presentation and I am being serious when I say that I welcome and
> actively encourage your thoughts, comments and feedback.  Some of you
> on this list have already quietly offered your feedback in private
> conversation and for this I am very grateful.  You know who you are so
> let's just leave it at that.  That said, I think the presentation is
> now ready for a larger audience.
>
> As a bit of background, the driver for this presentation was a
> realization that the information security landscape is quickly
> changing. Traditional operations-focused security teams are sometimes
> unable to keep up with the faster paced evolution of web application
> focused threats.  Often, it seems, traditional network/systems focused
> information security professionals are resistant to realize that their
> current defenses are inadequate to defend against a world freely
> exchanging web application traffic all around them.
>
> I also found that in communicating with my peers, many of them found
> themselves accountable for all the web application exposure in their
> respective organizations.  Without a publicly available resource or
> baseline of a roadmap to assist with this challenge, their effort
> offered no assurance of success.
>
> There is a lot of information in this presentation and some have
> suggested that it may have been better to break the presentation into
> multiple smaller presentations or even limit the information to a
> white paper.
>
> For the record, I am working on a complementary whitepaper as well but
> my intention all along was to offer a foundation for a presentation
> that could be used by other security professionals and shared
> internally within other organizations to better communicate the work
> required to secure an existing web application infrastructure.
> Offering the information in only a white paper would not have best
> served the target audience for this presentation, namely security
> professionals who are wrestling with the scope and breadth of
> accepting ownership of their organization's web application risk
> exposure.
>
> At one level, this presentation aims to offer a current 'state of the
> nation' in terms of the current information security threat
> environment and on another level, I am hoping to call attention to the
> vast divide that is likely to exist between traditional
> operations/systems focused information security teams and those more
> aware of the web application specific changes in today's overall
> threat environment.  I think it is fair to say that in today's
> information security threat environment, having some extra letters
> after your name or title is not going to offer you any sizable degree
> of assurance that you will be better able to successfully adapt to the
> current web application security risks.
>
> At the end of the day, the key point I am trying to make in this
> presentation is that if you are accountable for the overall web
> application security risks in your organization, you need to be
> *proactively* managing expectations of the additional work that
> will/may be required to secure your web application infrastructure.
> Furthermore, you need to be focusing your attention on building a
> *foundation* for your success in securing your web applications.
> Otherwise, you are likely to find yourself sidetracked on any number
> of side projects that will ultimately distract you from your ultimate
> goal of addressing the overall web application risk exposure for your
> organization.
>
> In reality, the security related Capital Expenditures (CapEx) for your
> organization to date may ultimately turn out to seem misguided as you
> wrestle with securing your web applications.  In the end, you will
> need to have a solid understanding of the steps required to secure
> your web applications so you can better manage the expectations of
> your senior executives in terms of any additional CapEx requirements
> you may require to secure your organization's web application
> infrastructure.
>
> Finally, I am also hoping to call attention to the one area that many
> (if not all) of the web application companies are missing, a formal
> Web Application Security Incident Response Plan.  It is all but
> guaranteed that if you look under the covers at your current Incident
> Response Plans, you will find that they served you well in terms of a
> 'checkbox' solution for compliance and other regulatory concerns but I
> would venture to speculate that your existing Incident Response Plans
> fall short in the area of Web Application specific events.  My point
> in the presentation is that you are best served in getting your arms
> around this beast sooner rather than later. You cannot afford to be
> blindsided by a Web Application Security event while you are spending
> your time managing expectations and building trust among the senior
> executives within your organization.
>
> The current Web Application Security Roadmap presentation is available
> here in both ppt and pdf formats:
>
> As mentioned earlier, I am actively working on a complementary
> whitepaper to this presentation that captures some of the narrative
> likely to be included during an actual showing of the presentation and
> once this becomes available, you will likely find it posted somewhere
> at
>
> We may ultimately 'agree to disagree' on some of the points I make in
> the presentation, but with any luck it will still offer the intended
> foundation so that others can build upon it and adapt/customize it to
> fit their needs.
>
> Finally, in return for publicly offering this presentation to the
> list, I ask that any improvements and/or refinements to the
> presentation also be posted to the list so that everyone can benefit
> as well.
>
> I hope this helps.
>
> Thanks,
> joe

Join us on IRC: #webappsec

Have a question? Search The Web Security Mailing List Archives:

Subscribe via RSS: [RSS Feed]
