RE: [WEB SECURITY] definition of "web application security"?
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] definition of "web application security"?
- Date: Sat, 23 Aug 2008 14:22:19 +0100
> Even if I take the OSSTMM approach that security
> is a separation of a threat from an asset, which
> is deliverable by a security professional as a
> service or solution, it does not fit to a web
> application which is designed to provide a form
> of access. It's actually Web Application Controls.
I'm not sure that I see the distinction. All applications are conduits
for accessing assets, and the term Web is just an ill-defined collective
for the interchangeable transport mechanisms. So a web app is just an
app delivered over the web. Nothing special.
And separately, I'm also not comfortable with the definition of security
as the separation of a threat from an asset. Assets may have threats.
Vulnerabilities enhance threats. Controls address vulnerabilities.
Rock blunts scissors.
The dictionary definitions have security as an absolute absence of
danger. Clearly, in a network environment, absence of danger (threat)
means isolation (or turning the damn thing off) which in the commercial
world is generally counter to the business requirement that pays for it
in the first place. So in this context, I would say that we're
generally not looking for security as an absolute. What we're left with
is security as a process (hello Dave) in which it is delivered through
an iterative process of identifying vulnerabilities and implementing
controls in order to reduce them, and in doing so balance threats
against required functionality. This may sound like another mouthful,
but if you sing it to the tune of "my old man's a dustman" it is much
more memorable.
Martin...