[WEB SECURITY] When all you have is a hammer...
Arian J. Evans
arian.evans at anachronic.com
Tue Feb 10 21:31:32 EST 2009
One of our biggest problems in webappsec-land right now is that no one
has clearly defined:
- What an Enterprise Web Application Risk Management Program is.
- What all (or most) of the possible components of that program could be.
- How to measure the success of various components in the program to
decide what they should be going forward.
- Shortcuts to decide what components of that program are "more
probably" right for you based upon known strengths/weaknesses and
business realities of your organization.
We need to define the starting line.
We need to define the multiple, possible finish lines.
We need a blueprint that helps folks see how to get from here to
there. (start to target finish)
I humbly suggest webappsec needs its own standards and blueprints,
since the business case, development model, and threat landscape for
web software is often different enough from non-web software to
require its own approach subtleties. IMO.
Certainly could be wrapped in an "Enterprise Software Security Risk
Management Program" though.
ciao
--
Arian Evans
"From the hour the Pilgrims landed,
to the present day, events, occurrences,
and tendencies prove that to ensure
peace, security, and happiness, the
rifle and pistol are equally indispensable"
-- George Washington
On Tue, Feb 10, 2009 at 2:58 PM, Rafal @ IsHackingYou.com
<rafal at ishackingyou.com> wrote:
> Friends, Countrymen, fellow security nerds... lend me your {ears |
> eyeballs},
>
> As a security practitioner, and vendor-employed security "expert" I feel
> like I'm often unfairly labeled with a bias towards tools as a means of
> vulnerability detection, analysis, and mitigation. While I will readily
> debate the merits of security tools such as white-box, black-box scanners I
> have always believed the correct answer to a sustainable web application
> security program involves a good mix of people, tools and processes. With
> that in mind I have written a blog post that explains my point further and
> why I feel like any enterprise security program based on tools or services
> alone is doomed to fail. There is an element of false-security that I feel
> creeps up and hurts more than it helps.
>
> To expand further on Vinnie Liu's[1] point from his presentation at
> Blue Hat this past year... "When all you have is a hammer, everything looks
> like a nail"... as always I appreciate community feedback and constructive
> debate.
>
> http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2009/02/10/an-unfortunate-case-of-learned-behavior.aspx
>
> [1] http://technet.microsoft.com/en-us/security/dd285265.aspx
>
> Cheers!
> __
> Rafal M. Los
> Security & IT Risk Strategist
> - Blog: http://preachsecurity.blogspot.com
> - LinkedIn: http://www.linkedin.com/in/rmlos