
[WEB SECURITY] Application Security Program



List,

We are trying to design a big picture information security program for our organization. The goal is to concentrate on application security. Sub tasks should include stuff like policy gap analysis, pen test black box and white box, etc. The goal is to do all the activities and measure progress on a yearly basis.

Are there any existing frameworks? Anything that has worked / not worked for you guys?

Thanks


----- Original Message ----- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
To: "RSnake" <rsnake@xxxxxxxxxxxx>
Cc: "Web Security" <websecurity@xxxxxxxxxxxxx>
Sent: Wednesday, June 28, 2006 8:42 AM
Subject: Re: [WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)



On 6/28/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
... A more realistic problem is I actually _might_ want
people to automatically send traffic to my comments function if someone
eventually builds an application to forward requests to my page to make
it easier for my users.  Again, you could argue that in that case I
should explicitly allow that one referrer in, and I might agree, but
wow... this is seeming like an administration nightmare, even on a small
site like mine.

If you change your policy on who should and shouldn't be sending requests to certain pages, you should expect that you will need to do some work to make that policy take effect. That's true no matter what kind of enforcement mechanism you are using. The more elaborate your policy, the more work you are going to have to do to describe it.

Is the extra work required to enable the policy worth the trouble?  It
depends on the site.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]