
RE: [WEB SECURITY] note regarding Cobr4 request



Andre,

It is my understanding that the "usual suspects" of network controls do not perform the right preventive activities at layer seven. The purpose of the network controls is to make sure that application input gets to the application securely, with integrity, when needed. They do not verify that the input is appropriate for the application or safe. That could be the job of an Application Firewall. See the following web link contained in an excerpt from my GSNA practical in which I performed an application audit: (http://www.giac.org/certified_professionals/practicals/gsna/0184.php).

"Application Firewalls - There are a number of application firewall products that could offer protection for existing and new web applications. Network World Fusion (www.nwfusion.com/_bg/2004/appsecurity/index.jsp) rated and compared ten application firewall products. Purchase prices for the reviewed products range from $1,295 to $35,000."

Dan Aiken, GSEC, GSNA
Corporate Compliance Director
Hospital for Special Surgery
535 East 70th Street
New York, NY  10021
(212) 774-2569
aikend@xxxxxxx
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." Bruce Schneier

The opinions expressed in this message are the author's own and not necessarily those of Hospital for Special Surgery.


-----Original Message-----
From: Andre Maisonneuve [mailto:Andre.Maisonneuve@xxxxxxxxxxxx] 
Sent: Monday, August 08, 2005 10:36 AM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] note regarding Cobr4 request

To your question about "How can we optimize security?"

One of the elements often mentioned is about "application security". I think this concept should be split into two components:
1 - building "secure" applications, meaning application that cannot be easily penetrated and that cannot induce risks into other applications they interact with.
2 - making sure that the required "network security" with the firewalls, IDS, IPS and all the alphabet soup, be completed by a security network acting at the application layer, not at the transport layer. This way, no malware can penetrate or cause harm to the "application". One must remember that 75% of successful attacks are aimed at the Application layer, not at the network layer (Gartner).

André Maisonneuve
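Both messages turn on the same distinction: a packet filter or port allowlist decides on addresses and ports and never looks at the request, while an application firewall decides on the parsed layer-7 request. The following is an added example, not code from either poster or from any product named in the thread, that puts the two controls side by side in Python: a hypothetical source-subnet/port allowlist, a minimal HTTP/1.1 parser, and a positive-model per-endpoint policy that rejects unknown endpoints, unknown parameters and values of the wrong shape. The subnet, the endpoint paths, the parameter patterns and the sample requests are all constructed for the illustration.

```python
"""Layer-4 versus layer-7 filtering, side by side (added example, hypothetical policy)."""
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# --- "usual suspects": a network-layer control ------------------------------
# Assumed policy: only the reverse-proxy subnet may reach the app on port 8080.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.1.0/24")]
ALLOWED_PORTS = {8080}


def network_allows(src_ip: str, dst_port: int) -> bool:
    """Decide purely on addresses and ports; the payload is never inspected."""
    ip = ipaddress.ip_address(src_ip)
    return dst_port in ALLOWED_PORTS and any(ip in net for net in ALLOWED_SOURCES)


# --- application firewall: a layer-7 control --------------------------------
# Assumed per-endpoint policy: which parameters exist and what each may look like.
ENDPOINT_POLICY = {
    ("GET", "/patient"): {
        "id": re.compile(r"^\d{1,9}$"),
        "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$"),
    },
    ("POST", "/login"): {
        "user": re.compile(r"^[a-z0-9_.]{1,32}$"),
        "pass": re.compile(r"^[^\r\n]{8,128}$"),
    },
}
MAX_BODY = 4096


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, query and form body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
    return {"method": method, "path": parts.path, "version": version,
            "headers": headers, "params": params, "body": body}


def app_firewall_allows(req: dict) -> tuple[bool, str]:
    """Positive model: anything the policy does not explicitly describe is rejected."""
    if req["version"] != "HTTP/1.1":
        return False, "unsupported HTTP version"
    if len(req["body"]) > MAX_BODY:
        return False, "body too large"
    policy = ENDPOINT_POLICY.get((req["method"], req["path"]))
    if policy is None:
        return False, f"no policy for {req['method']} {req['path']}"
    for name, value in req["params"].items():
        pattern = policy.get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if not pattern.match(value):
            return False, f"parameter {name!r} does not match expected shape"
    return True, "ok"


def inspect(src_ip: str, dst_port: int, raw: bytes) -> tuple[str, str]:
    """Run both controls in the order traffic traverses them."""
    if not network_allows(src_ip, dst_port):
        return "blocked-network", "source/port not allowed"
    ok, reason = app_firewall_allows(parse_request(raw))
    return ("allowed" if ok else "blocked-app"), reason


# Constructed sample traffic; all three come from an allowed source on the allowed port,
# so the network control passes every one of them and only the layer-7 check can differ.
BENIGN = b"GET /patient?id=1042 HTTP/1.1\r\nHost: app.example\r\n\r\n"
INJECTION = b"GET /patient?id=1042%27%20OR%201%3D1-- HTTP/1.1\r\nHost: app.example\r\n\r\n"
EXTRA_PARAM = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"user=alice&pass=correct-horse-battery&role=admin")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("injection", INJECTION), ("extra param", EXTRA_PARAM)):
        print(label, inspect("10.0.1.7", 8080, raw))
    print("wrong source", inspect("192.0.2.9", 8080, BENIGN))
```

The point the code makes is the one Dan makes in prose: `network_allows` returns the same answer for the benign request and the injection attempt because both arrive from the same address and port, and only the parsed-request check can tell them apart. The positive (allowlist) model is deliberate; a denylist of injection signatures would have let the `role=admin` parameter through, since nothing in it looks like an attack string.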

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



Brought to you by http://www.webappsec.org
Search this site