[WEB SECURITY] Suggestions for Web Application Security Roadmap?

Dave Sanford dsanford at austin.rr.com
Fri Jan 25 11:44:14 EST 2008


I've been doing some lifecycle-related web application work
as well, and I would add:

1) Business process level security analysis - Depending upon development
methodology this could be performing "Abuse Case" analysis at the same time
systems are using Use Case based design. Alternatively this could be based
on creating threat models that use data flows to enumerate entry and exit
points and enumerate threats at those points.

2) Pre-operational security testing - to include scanning, fuzzers and
other tools depending upon the system.

Dave

"We cannot ensure success, but
we can deserve it." John Adams 

> -----Original Message-----
> From: Anurag Agarwal [mailto:a_agrawwal at yahoo.com] 
> Sent: Thursday, January 24, 2008 3:59 PM
> To: Truxaw, Matthew; WASC Forum
> Subject: Re: [WEB SECURITY] Suggestions for Web Application 
> Security Roadmap?
> 
> I agree with Matthew on developer training but I would also 
> like to add executive awareness. For executives to be on 
> board with the program, they have to understand the dangers 
> and extent of damage a breach can do. 
> 
> Cheers,
> 
> Anurag Agarwal
> 
> SEEC - An application security search engine
> <http://www.myappsecurity.com/>
> 
> Web: www.attacklabs.com <http://www.attacklabs.com/>,
> www.myappsecurity.com <http://www.myappsecurity.com/>
> 
> Email : anurag.agarwal at yahoo.com
> 
> Blog : http://myappsecurity.blogspot.com
> <http://myappsecurity.blogspot.com/>
> 
> ----- Original Message ----
> From: "Truxaw, Matthew" <mtruxaw at firstam.com>
> To: WASC Forum <websecurity at webappsec.org>
> Sent: Thursday, January 24, 2008 12:44:03 PM
> Subject: RE: [WEB SECURITY] Suggestions for Web Application 
> Security Roadmap?
> 
> You've already got some good suggestions, but I would add 
> secure development training to the road map.  The easiest way 
> to clean up a vulnerability is to not create it in the first 
> place.  Unfortunately, very few developers have more than a 
> cursory knowledge of security concepts when it comes to 
> developing software.
> 
> 
> Regards,
> 
> Matt 
> 
> -----Original Message-----
> From: feedyourhead at gmail.com [mailto:feedyourhead at gmail.com] 
> On Behalf Of Joe White
> Sent: Sunday, January 20, 2008 1:51 PM
> To: WASC Forum
> Subject: [WEB SECURITY] Suggestions for Web Application 
> Security Roadmap?
> 
> I am in the process of putting together a Web Application 
> Security Roadmap for a company and was hoping to get some 
> feedback on any similar work or resources available from the group.
> 
> The roadmap would ideally include approximate time lines for 
> key milestones and would also offer a heads-up on future 
> CapEx and other budget needs.
> 
> My current thoughts are to include as key cornerstones of the 
> roadmap the following:
> 
> 1)  static source code analysis
> 2)  Web App Firewall
> 3)  web app security scanning
> 4)  secure code review
> 5)  web app incident response
> 6)  Enterprise Key Management (EKM)
> 
> I think the trick may be to offer the above in a 
> chronological framework and also offer some priorities for each.
> 
> Once completed, I am happy to share what I end up with here 
> but I would rather not re-invent the wheel if this has 
> already been done.
> 
> As always, comments are both welcome and appreciated.
> 
> Thanks,
> 
> joe
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> 

