
RE: [WEB SECURITY] Announcing the Web Application Security Roadmap v0.9




Joe, was there a reason why you excluded the open source web application security assessment products from your list, like Burp, Paros, and Oedipus? I can understand that if you're a consultancy doing assessments for profit, you would certainly consider the commercial tools, but as a company doing its own web assessments, I would think that using the open source products would fit nicely into the security budget.

Kevin Stewart

-----Original Message-----
From: feedyourhead@gmail.com on behalf of Joe White
Sent: Sun 4/27/2008 9:31 PM
To: WASC Forum
Subject: [WEB SECURITY] Announcing the Web Application Security Roadmap v0.9

Announcing the Web Application Security Roadmap v0.9

This presentation is v0.9 because I would like a little extra slack to
incorporate the comments I am likely to receive after posting to this
list.  =)

Seriously, I have actually put quite a bit of work into this
presentation and I am being serious when I say that I welcome and
actively encourage your thoughts, comments and feedback.  Some of you
on this list have already quietly offered your feedback in private
conversation and for this I am very grateful.  You know who you are so
let's just leave it at that.  That said, I think the presentation is
now ready for a larger audience.

As a bit of background, the driver for this presentation was a
realization that the information security landscape is quickly
changing. Traditional operations focused security teams are sometimes
unable to keep up with the faster paced evolution of web application
focused threats.  Often, it seems, traditional network/systems focused
information security professionals are resistant to realize that their
current defenses are inadequate to defend against a world freely
exchanging web application traffic all around them.

I also found that in communicating with my peers, many of them found
themselves accountable for all the web application exposure in their
respective organizations.  Without a publicly available resource or
baseline of a roadmap to assist with this challenge, their effort
offered no assurance of success.

There is a lot of information in this presentation and some have
suggested that it may have been better to break the presentation into
multiple smaller presentations or even limit the information to a
white paper.

For the record, I am working on a complementary whitepaper as well but
my intention all along was to offer a foundation for a presentation
that could be used by other security professionals and shared
internally within other organizations to better communicate the work
required to secure an existing web application infrastructure.
Offering the information in only a white paper would not have best
served the target audience for this presentation, namely security
professionals who are wrestling with the scope and breadth of
accepting ownership of their organization's web application risk
exposure.

At one level, this presentation aims to offer a current 'state of the
nation' in terms of the current information security threat
environment and on another level, I am hoping to call attention to the
vast divide that is likely to exist between traditional
operations/systems focused information security teams and those more
aware of the web application specific changes in today's overall
threat environment.  I think it is fair to say that in today's
information security threat environment, having some extra letters
after your name or title is not going to offer you any sizable degree
of assurance that you will be better able to successfully adapt to the
current web application security risks.

At the end of the day, the key point I am trying to make in this
presentation is that if you are accountable for the overall web
application security risks in your organization, you need to be
*proactively* managing expectations of the additional work that
will/may be required to secure your web application infrastructure.

Furthermore, you need to be focusing your attention on building a
*foundation* for your success in securing your web applications.
Otherwise, you are likely to find yourself sidetracked on any number
of side projects that will ultimately distract you from your ultimate
goal of addressing the overall web application risk exposure for your
organization.

In reality, the security related Capital Expenditures (CapEx) for your
organization to date may ultimately turn out to seem misguided as you
wrestle with securing your web applications.  In the end, you will
need to have a solid understanding of the steps required to secure
your web applications so you can better manage the expectations of
your senior executives in terms of any additional CapEx requirements
you may require to secure your organization's web application
infrastructure.

Finally, I am also hoping to call attention to the one area that many
(if not all) of the web application companies are missing, a formal
Web Application Security Incident Response Plan.  It is all but
guaranteed that if you look under the covers at your current Incident
Response Plans, you will find that they served you well in terms of a
'checkbox' solution for compliance and other regulatory concerns but I
would venture to speculate that your existing Incident Response Plans
fall short in the area of Web Application specific events.  My point
in the presentation is that you are best served in getting your arms
around this beast sooner rather than later. You cannot afford to be
blindsided by a Web Application Security event while you are spending
your time managing expectations and building trust among the senior
executives within your organization.

The current Web Application Security Roadmap presentation is available
here in both ppt and pdf formats:

http://www.cyberlocksmith.com/cyber_web_app_security_roadmap_v0.9.ppt
http://www.cyberlocksmith.com/cyber_web_app_security_roadmap_v0.9.pdf

As mentioned earlier, I am actively working on a complementary
whitepaper to this presentation that captures some of the narrative
likely to be included during an actual showing of the presentation and
once this becomes available, you will likely find it posted somewhere
at webappsecroadmap.com.

We may ultimately 'agree to disagree' on some of the points I make in
the presentation, but with any luck it will still offer the intended
foundation so that others can build upon it and adapt/customize it to
fit their needs.

Finally, in return for publicly offering this presentation to the
list, I ask that any improvements and/or refinements to the
presentation also be posted to the list so that everyone can benefit
as well.

I hope this helps.

Thanks,
joe

<<<>>>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]






Brought to you by http://www.webappsec.org