AW: [WEB SECURITY] Announcing the Web Application Security Roadmap v0.9

Matthieu Estrade mestrade at
Wed Apr 30 03:52:16 EDT 2008

You also forgot another popular European WAF, Beeware i-Sentry, tested 
with the other major WAFs at this link:,296905,sid14_gci1303838,00.html
Take a look at



Julian Totzek wrote:
> Hi Joe,
> and, as is so often the case, one very popular WAF from Europe is missing!
> Deny All - rWeb, have a look at
> Cheers
> -j
>> -----Original Message-----
>> From: feedyourhead at [mailto:feedyourhead at] On Behalf Of
>> Joe White
>> Sent: Monday, 28 April 2008 03:32
>> To: WASC Forum
>> Subject: [WEB SECURITY] Announcing the Web Application Security Roadmap
>> v0.9
>> Announcing the Web Application Security Roadmap v0.9
>> This presentation is v0.9 because I would like a little extra slack to
>> incorporate the comments I am likely to receive after posting to this
>> list.  =)
>> Seriously, I have actually put quite a bit of work into this
>> presentation and I am being serious when I say that I welcome and
>> actively encourage your thoughts, comments and feedback.  Some of you
>> on this list have already quietly offered your feedback in private
>> conversation and for this I am very grateful.  You know who you are so
>> let's just leave it at that.  That said, I think the presentation is
>> now ready for a larger audience.
>> As a bit of background, the driver for this presentation was a
>> realization that the information security landscape is quickly
>> changing. Traditional operations focused security teams are sometimes
>> unable to keep up with the faster paced evolution of web application
>> focused threats.  Often, it seems, traditional network/systems focused
>> information security professionals are resistant to realize that their
>> current defenses are inadequate to defend against a world freely
>> exchanging web application traffic all around them.
>> I also found that in communicating with my peers, many of them found
>> themselves accountable for all the web application exposure in their
>> respective organizations.  Without a publicly available resource or
>> baseline of a roadmap to assist with this challenge, their effort
>> offered no assurance of success.
>> There is a lot of information in this presentation and some have
>> suggested that it may have been better to break the presentation into
>> multiple smaller presentations or even limit the information to a
>> white paper.
>> For the record, I am working on a complementary whitepaper as well but
>> my intention all along was to offer a foundation for a presentation
>> that could be used by other security professionals and shared
>> internally within other organizations to better communicate the work
>> required to secure an existing web application infrastructure.
>> Offering the information in only a white paper would not have best
>> served the target audience for this presentation, namely security
>> professionals who are wrestling with the scope and breadth of
>> accepting ownership of their organization's web application risk
>> exposure.
>> At one level, this presentation aims to offer a current 'state of the
>> nation' in terms of the current information security threat
>> environment and on another level, I am hoping to call attention to the
>> vast divide that is likely to exist between traditional
>> operations/systems focused information security teams and those more
>> aware of the web application specific changes in today's overall
>> threat environment.  I think it is fair to say that in today's
>> information security threat environment, having some extra letters
>> after your name or title is not going to offer you any sizable degree
>> of assurance that you will be better able to successfully adapt to the
>> current web application security risks.
>> At the end of the day, the key point I am trying to make in this
>> presentation is that if you are accountable for the overall web
>> application security risks in your organization, you need to be
>> *proactively* managing expectations of the additional work that
>> will/may be required to secure your web application infrastructure.
>> Furthermore, you need to be focusing your attention on building a
>> *foundation* for your success in securing your web applications.
>> Otherwise, you are likely to find yourself sidetracked on any number
>> of side projects that will ultimately distract you from your ultimate
>> goal of addressing the overall web application risk exposure for your
>> organization.
>> In reality, the security related Capital Expenditures (CapEx) for your
>> organization to date may ultimately turn out to seem misguided as you
>> wrestle with securing your web applications.  In the end, you will
>> need to have a solid understanding of the steps required to secure
>> your web applications so you can better manage the expectations of
>> your senior executives in terms of any additional CapEx requirements
>> you may require to secure your organization's web application
>> infrastructure.
>> Finally, I am also hoping to call attention to the one area that many
>> (if not all) of the web application companies are missing, a formal
>> Web Application Security Incident Response Plan.  It is all but
>> guaranteed that if you look under the covers at your current Incident
>> Response Plans, you will find that they served you well in terms of a
>> 'checkbox' solution for compliance and other regulatory concerns but I
>> would venture to speculate that your existing Incident Response Plans
>> fall short in the area of Web Application specific events.  My point
>> in the presentation is that you are best served in getting your arms
>> around this beast sooner rather than later. You cannot afford to be
>> blindsided by a Web Application Security event while you are spending
>> your time managing expectations and building trust among the senior
>> executives within your organization.
>> The current Web Application Security Roadmap presentation is available
>> here in both ppt and pdf formats:
>> As mentioned earlier, I am actively working on a complementary
>> whitepaper to this presentation that captures some of the narrative
>> likely to be included during an actual showing of the presentation and
>> once this becomes available, you will likely find it posted somewhere
>> at
>> We may ultimately 'agree to disagree' on some of the points I make in
>> the presentation, but with any luck it will still offer the intended
>> foundation so that others can build upon it and adapt/customize it to
>> fit their needs.
>> Finally, in return for publicly offering this presentation to the
>> list, I ask that any improvements and/or refinements to the
>> presentation also be posted to the list so that everyone can benefit
>> as well.
>> I hope this helps.
>> Thanks,
>> joe
>> --------------------------------------------------------------------------
>> Join us on IRC: #webappsec
>> Have a question? Search The Web Security Mailing List Archives:
>> Subscribe via RSS:
>> [RSS Feed]
