
Re: [WEB SECURITY] Suggestions for Web Application Security Roadmap?




I agree with Matthew on developer training but I would also like to add executive awareness. For executives to be on board with the program, they have to understand the dangers and extent of damage a breach can do. 
 
Cheers,
 
Anurag Agarwal
 
SEEC - An application security search engine
Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal@yahoo.com
Blog : http://myappsecurity.blogspot.com
 


----- Original Message ----
From: "Truxaw, Matthew" <mtruxaw@firstam.com>
To: WASC Forum <websecurity@webappsec.org>
Sent: Thursday, January 24, 2008 12:44:03 PM
Subject: RE: [WEB SECURITY] Suggestions for Web Application Security Roadmap?


 You've already got some good suggestions, but I would add secure
development training to the road map.  The easiest way to clean up a
vulnerability is to not create it in the first place.  Unfortunately,
very few developers have more than a cursory knowledge of security
concepts when it comes to developing software.


Regards,
 
Matt 

-----Original Message-----
From: feedyourhead@gmail.com [mailto:feedyourhead@gmail.com] On Behalf
Of Joe White
Sent: Sunday, January 20, 2008 1:51 PM
To: WASC Forum
Subject: [WEB SECURITY] Suggestions for Web Application Security
Roadmap?

I am in the process of putting together a Web Application Security
Roadmap for a company and was hoping to get some feedback on any similar
work or resources available from the group.

The roadmap would ideally include approximate time lines for key
milestones and would also offer a heads-up on future CapEx and other
budget needs.

My current thoughts are to include as key cornerstones of the roadmap
the following:

1)  static source code analysis
2)  Web App Firewall
3)  web app security scanning
4)  secure code review
5)  web app incident response
6)  Enterprise Key Management (EKM)

I think the trick may be to offer the above in a chronological framework
and also offer some priorities for each.

Once completed, I am happy to share what I end up with here but I would
rather not re-invent the wheel if this has already been done.

As always, comments are both welcome and appreciated.

Thanks,

joe


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




