Jeremiah,
Makes an awful lot of sense and deserves a big AMEN. :D
For what it's worth, I am a very big fan of frameworks and,
furthermore, believe that no project should be initiated without
one -- even if it's a home-grown class library. Why? Because it
requires some forethought before "cranking out code," it tends to
get the developers together to agree on design patterns, and it
tends toward objects into which input validation (white and black
list) can be abstracted.
But it sounds like I'm preaching to the choir. Thanks for
clarifying things.
Rich Bergmann
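The point above, that a framework (even a home-grown class library) gives you objects into which input validation can be abstracted, is easier to see in code. The following is an added example and is not code from this thread or from any project mentioned in it; the names FieldRule, Form, REGISTRATION and validate_registration are invented, and the sample requests are constructed. It declares each field's rules once as an allowlist, lets the framework reject unknown fields, and puts a blocklist-only rule beside the allowlist rule for the same field to show why the allowlist form is the one worth abstracting.

```python
"""Input validation abstracted into framework objects (allowlist first).

Added example; it is not code from this thread or from any project the
thread mentions. FieldRule, Form and the REGISTRATION form are invented
names, and the sample requests below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FieldRule:
    """One field's validation contract, declared once and reused by handlers.

    allow: allowlist regex the entire value must match (the preferred form).
    deny:  blocklist of substrings; included only to show why it is weaker.
    """
    name: str
    allow: Optional[re.Pattern] = None
    deny: Tuple[str, ...] = ()
    max_len: int = 256
    required: bool = True

    def check(self, value: Optional[str]) -> List[str]:
        """Return a list of error strings; empty means the value is acceptable."""
        if value is None:
            return [f"{self.name}: missing"] if self.required else []
        errors: List[str] = []
        if len(value) > self.max_len:
            errors.append(f"{self.name}: longer than {self.max_len} chars")
        # fullmatch, not search: the whole value must fit the allowed shape.
        if self.allow is not None and not self.allow.fullmatch(value):
            errors.append(f"{self.name}: not in allowed format")
        for token in self.deny:
            if token in value:
                errors.append(f"{self.name}: contains denied token {token!r}")
        return errors


@dataclass(frozen=True)
class Form:
    """A set of FieldRules; the framework applies it before a handler runs."""
    rules: Dict[str, FieldRule]

    def validate(self, params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
        """Return (clean_params, errors). Unknown fields are errors, not ignored."""
        clean: Dict[str, str] = {}
        errors: List[str] = []
        for name, rule in self.rules.items():
            field_errors = rule.check(params.get(name))
            if field_errors:
                errors.extend(field_errors)
            elif name in params:
                clean[name] = params[name]
        for extra in sorted(set(params) - set(self.rules)):
            errors.append(f"{extra}: unexpected field")
        return clean, errors


# Constructed registration form: every field is defined by an allowlist.
REGISTRATION = Form({
    "username": FieldRule("username", allow=re.compile(r"[A-Za-z0-9_]{3,32}"), max_len=32),
    "zip": FieldRule("zip", allow=re.compile(r"\d{5}(-\d{4})?"), max_len=10, required=False),
    "comment": FieldRule("comment", allow=re.compile(r"[\w .,!?'-]*"), max_len=200, required=False),
})

# The same comment field guarded only by a blocklist, for comparison.
COMMENT_DENYLIST = FieldRule("comment", deny=("<script",), max_len=200, required=False)


def validate_registration(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """What a handler would call; all the validation logic lives in the Form."""
    return REGISTRATION.validate(params)


def compare_comment_rules(value: str) -> Tuple[bool, bool]:
    """Return (denylist_accepts, allowlist_accepts) for one comment value."""
    deny_ok = not COMMENT_DENYLIST.check(value)
    allow_ok = not REGISTRATION.rules["comment"].check(value)
    return deny_ok, allow_ok


if __name__ == "__main__":
    good = {"username": "rich_b", "zip": "94107", "comment": "Looks good to me."}
    bad = {"username": "r", "zip": "ABCDE", "role": "admin"}
    print(validate_registration(good))
    print(validate_registration(bad))
    # A case change slips past the substring blocklist but not the allowlist.
    print(compare_comment_rules("<SCRIPT>hi</SCRIPT>"))
```

Handlers only ever call validate_registration, so a missing or weakened check is a change to one Form definition rather than something to hunt for across every request handler. The comparison function makes the allowlist/blocklist difference concrete: the blocklist rule is case-sensitive and substring-based, so a trivially different spelling is accepted, while the allowlist rule rejects anything outside the declared character set regardless of spelling.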
-----Original Message-----
From: Jeremiah Grossman
Sent: Thursday, January 18, 2007 2:15 PM
To: Rich Bergmann
Subject: Re: [WEB SECURITY] *RESULTS* Web Application Security Professionals Survey (Jan. 2007)
Hi Rich,
You're not missing a thing. That section probably reads a little
wrong.
I wanted to put more of the onus on software-developer-turned-
security-professional and encourage them to be more creative with
solution recommendations. For myself as a security professional,
citing input validation and blaming developers for not doing it
religiously is starting to feel like a cop-out. As a developer you'd
probably agree that rock solid input validation is MUCH easier said
than done. Especially with rapid code change and short deadlines as
standard web app code practice.
It's my opinion security professionals should be providing
developers with more resources to complete their job easier and not
expect them to shoulder the entirety of security responsibility.
We've not done such a good job in this area and frankly it's been
unfair to the developer. So yes, I am saying WAFs. But also better
development frameworks and web server infrastructure configuration.
Perhaps also "patterns" for how to carry out complex businesses the
right way so there is no guesswork.
Hopefully that makes more sense than my two sentences worth. :)
Regards,
Jeremiah
On Jan 18, 2007, at 10:59 AM, Rich Bergmann wrote:
Hi Jeremiah,
I am a software developer who subscribes to this list because I
feel it is my professional duty as a developer of, among other
things, web apps.
Here is an interesting sentence that I extracted from your blog:
"This is probably an unpopular opinion, but software developers
seem to have a hard time respecting any solution beyond the code."
As a web developer I would dearly welcome *any* solution that
would not involve code since changing the mindset of developers
can sometimes be like herding cats. I would say that, whenever I
query a security specialist as to the "best" method for
mitigating a threat, the prevailing answer is "validate input,
validate input, and, when you've finished, validate input." This
*is* a code solution. Add to that the consensus of those who
contribute to this list, as I perceive it, that application
firewalls come up short as a "best" solution, then the take home
message is that changing code (or, more accurately, coding
practices) *is* the solution.
What am I missing?
Rich Bergmann
-----Original Message-----
From: Jeremiah Grossman
Sent: Thursday, January 18, 2007 1:38 PM
To: Web Security
Subject: [WEB SECURITY] *RESULTS* Web Application Security Professionals Survey (Jan. 2007)
Blogged:
http://jeremiahgrossman.blogspot.com/2007/01/web-application-security-professionals.html
The results are in and the people have spoken! Our goal was to
capture the "thoughts" of the crowd and boy did it ever! The 59
respondents shared their battleground views of web application
security and in doing so presented interesting perspectives and great
insights of a larger world. There is a huge amount of data inside and
I couldn't be more pleased with the results. We also unexpectedly
created a database of the most popular vulnerability assessment tools
and knowledge resources. Thank you to everyone who took the time to
submit.
Regards,
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/