[WEB SECURITY] Suggestions for Web Application Security Roadmap?

Truxaw, Matthew mtruxaw at firstam.com
Thu Jan 24 15:44:03 EST 2008


You've already got some good suggestions, but I would add secure
development training to the road map.  The easiest way to clean up a
vulnerability is to not create it in the first place.  Unfortunately,
very few developers have more than a cursory knowledge of security
concepts when it comes to developing software.


Regards,

Matt

-----Original Message-----
From: feedyourhead at gmail.com [mailto:feedyourhead at gmail.com] On Behalf
Of Joe White
Sent: Sunday, January 20, 2008 1:51 PM
To: WASC Forum
Subject: [WEB SECURITY] Suggestions for Web Application Security
Roadmap?

I am in the process of putting together a Web Application Security
Roadmap for a company and was hoping to get some feedback on any similar
work or resources available from the group.

The roadmap would ideally include approximate time lines for key
milestones and would also offer a heads-up on future CapEx and other
budget needs.

My current thoughts are to include as key cornerstones of the roadmap
the following:

1)  static source code analysis
2)  Web App Firewall
3)  web app security scanning
4)  secure code review
5)  web app incident response
6)  Enterprise Key Management (EKM)

I think the trick may be to offer the above in a chronological framework
and also offer some priorities for each.

Once completed, I am happy to share what I end up with here but I would
rather not re-invent the wheel if this has already been done.

As always, comments are both welcome and appreciated.

Thanks,

joe


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


