
Re: [WEB SECURITY] definition of "web application security"?



I think the stumble here is that the web isn't something you go over. It's still all IP, just with a stricter set of rules attached to it. So it's an environment, a service, a protocol, a means of communication, a delivery system, and a culture. A web application is any application whether client, server, CGI, or add-on that fits into the "web" context.

How one provides "security" in that context is extremely broad and made unreasonably irrelevant by the fact that security as currently defined by the professionals in the security community or industry is not something anyone can reliably or perhaps actually provide.

Even if I take the OSSTMM approach that security is a separation of a threat from an asset, which is deliverable by a security professional as a service or solution, it does not fit to a web application which is designed to provide a form of access. It's actually Web Application Controls.

What's really funny is how seriously the security industry takes how to market security and how little has been done to actually understand it. I mean, just look at how many products and services are based on best practice, what sells, what sounds most appealing, and what can be deliverable without the promise of any real kind of delivery as opposed to fact.

-pete.
OPST, OPSA, OPSE, OWSE


Martin O'Neal wrote:
Web Application Security is the separation or control of threats from assets within or maintained by web-based services to protect the integrity of the service, the confidentiality of the communication, and the availability of the application.

LOL, is it not just: security* in the context of an application* delivered over the web*?

Martin...


* outside the scope of this document





Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
Registered in England No. 3338312. Registered office: Portland House,
Park Street, Bagshot, Surrey GU19 5PG.




----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
