RE: [WEB SECURITY] some answered questions
- From: "Chris Weber" <chris@xxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] some answered questions
- Date: Sat, 20 Jan 2007 21:53:16 -0800
I think about the topic in the "rude awakening" all the time. I've owned a
consulting business for five years now after leaving Foundstone, and I've
seen the cycles of dealing with small clients up through large. I'm lucky
now to work with large dedicated software firms who totally "get it" when it
comes to security. They invest tons of money and never release products
without adhering to a very classic security process which involves threat
modeling all the way through pen testing and code review. This process has
worked so well that when I go work for other clients like we're talking
about I feel like I've stepped back in time 3-5 years. Like Sylvan is
saying they still don't understand the value, or maybe it honestly doesn't
apply to their business as much as it does others.
Who is spending money on web app security? And when I ask that, I mean, who
are the companies saying "oh we have $10,000 what'll that get us?" versus
the ones saying "we have $100k budgeted for this product's security review
and we want design time threat modeling through late milestone pen testing."
Is it still the large financial institutions, the largest software
companies, the insurance and government most interested? At some point
every company will see some value in security... even Apple :)
PS I'm hiring http://seattle.craigslist.org/see/sof/256685568.html
-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@xxxxxxxxxxxxxxx]
Sent: Friday, January 19, 2007 11:25 AM
To: Web Security
Subject: [WEB SECURITY] some answered questions
Every once in a while I come across some really good webappsec material that
people might have missed. Sylvan von Stuppe published a pair of excellent
posts asking some important questions while offering compelling insights.
I've been wanting to answer a few of them, but have found it challenging to
do so without pondering for days/weeks. And then I have no idea if any
answer supplied is vaguely on the mark.
Anyway, here ya go...
A Rude Awakening
http://sylvanvonstuppe.blogspot.com/2007/01/rude-awakening.html
Making Security Rewarding
http://sylvanvonstuppe.blogspot.com/2006/12/making-security-rewarding.html
Regards,
Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------