RE: [WEB SECURITY] Application Security Program
- From: "Will Jefferies" <wjefferies@xxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Application Security Program
- Date: Fri, 30 Jun 2006 08:08:48 -0500
I have found the NIST.org site to be a lot of help with policies and
procedures. Most of their sample policies map directly to ISO 17799,
which is a standard framework for security. I would suggest you first
decide on your goals (ISO 17799 compliance?) and then you can move on to
risk and gap analysis.
Will Jefferies
ISO - FNC, Inc.
-----Original Message-----
From: huan chen [mailto:ktriv3di@xxxxxxx]
Sent: Thursday, June 29, 2006 5:51 PM
To: Web Security
Subject: [WEB SECURITY] Application Security Program
List,
We are trying to design a big picture information security program for our
organization. The goal is to concentrate on application security. Sub tasks
should include stuff like policy gap analysis, pen test black box and white
box, etc. The goal is to do all the activities and measure progress on a
yearly basis.
Are there any existing frameworks? Anything that has worked / not worked for
you guys?
Thanks
----- Original Message -----
From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
To: "RSnake" <rsnake@xxxxxxxxxxxx>
Cc: "Web Security" <websecurity@xxxxxxxxxxxxx>
Sent: Wednesday, June 28, 2006 8:42 AM
Subject: Re: [WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)
> On 6/28/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
>> ... A more realistic problem is I actually _might_ want
>> people to automatically send traffic to my comments function if someone
>> eventually builds an application to forward requests to my page to make
>> it easier for my users. Again, you could argue that in that case I
>> should explicitly allow that one referrer in, and I might agree, but
>> wow... this is seeming like an administration nightmare, even on a small
>> site like mine.
>
> If you change your policy on who should and shouldn't be sending
> requests to certain pages, you should expect that you will need to do
> some work to make that policy take effect. That's true no matter what
> kind of enforcement mechanism you are using. The more elaborate your
> policy, the more work you are going to have to do to describe it.
>
> Is the extra work required to enable the policy worth the trouble? It
> depends on the site.
>
> Regards,
> Brian
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Confidentiality Notice: This message is for the sole use of the intended recipient(s).
It may contain confidential or proprietary information and may be subject to the
attorney-client privilege or other confidentiality protections. If this message was
misdirected, neither FNC Holding Company, Inc. nor any of its subsidiaries waive any
confidentiality, privilege, or trade secrets. If you are not a designated recipient,
you may not review, print, copy, retransmit, disseminate, or otherwise use this message.
If you have received this message in error, please notify the sender by reply e-mail
and delete this message.
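The exchange between RSnake and Brian quoted above is about enforcing a per-page policy on who may send requests (a referrer allow-list for a comments handler) and the administrative cost of extending it when, say, a third-party forwarder appears. The following is an added example, not code from the thread or from anyone's site: a small policy table keyed by path, a checker that reads Origin (falling back to Referer) and compares whole origins rather than substrings, and the one-line "allow that one referrer in" step RSnake describes. The site and forwarder names, the paths and the function names are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample policy (hypothetical site and paths, not from the thread).
# A set of origins restricts a path; None means "no referrer restriction".
POLICY = {
    "/comments": {"https://example.org"},   # only the site's own pages
    "/search": None,                        # anyone may link to search
}


def origin_of(url):
    """Return scheme://host[:port], lower-cased, or None if the value is not a URL.

    Browsers send Origin as just "https://host", and Referer as a full URL; both
    reduce to an origin. "null", "", or garbage all come back as None.
    """
    if not url:
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_allowed(path, headers, policy=POLICY, allow_missing=False):
    """Decide whether a request to `path` passes the referrer policy.

    Prefers the Origin header (browsers send it on cross-site POSTs), then
    Referer. A missing or unparsable header is rejected unless allow_missing is
    set: the check is only as strong as the header it reads, and treating
    "no header" as "trusted" would let anything that strips the header through.
    Paths with no policy entry are unrestricted.
    """
    allowed = policy.get(path)
    if allowed is None:
        return True
    src = origin_of(headers.get("Origin") or headers.get("Referer"))
    if src is None:
        return allow_missing
    # Exact origin match: "https://example.org.evil.com" must not pass.
    return src in allowed


def allow_forwarder(policy, path, forwarder_url):
    """The administration step from the thread: let one more origin post to `path`.

    Returns a new policy instead of mutating the shared table, so a change can
    be reviewed before it takes effect.
    """
    new = {p: (None if v is None else set(v)) for p, v in policy.items()}
    src = origin_of(forwarder_url)
    if src is None:
        raise ValueError(f"not a usable origin: {forwarder_url!r}")
    current = new.setdefault(path, set())
    if current is None:
        raise ValueError(f"{path} is unrestricted; nothing to add")
    current.add(src)
    return new


if __name__ == "__main__":
    # Constructed sample requests against the comments handler.
    print(is_allowed("/comments", {"Referer": "https://example.org/post/1"}))
    print(is_allowed("/comments", {"Referer": "https://example.org.evil.com/x"}))
    print(is_allowed("/comments", {}))
    extended = allow_forwarder(POLICY, "/comments", "https://forwarder.example")
    print(is_allowed("/comments", {"Origin": "https://forwarder.example"}, policy=extended))
```

The policy table is the thing Brian says you have to describe and maintain: adding the forwarder is one `allow_forwarder` call, but every such entry is also a statement that the named origin is trusted to submit on your users' behalf. The `allow_missing` switch is the caveat a practitioner will hit first: privacy tools and some proxies strip Referer, so a strict check rejects real users, while a lenient one accepts anything that arrives headerless.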
Brought to you by http://www.webappsec.org