
Re: [WEB SECURITY] definition of "web application security"?



Hi Martin,

Hope you had a good weekend! Back to the discussion....

> I'm not sure that I see the distinction.  All applications are conduits
> for accessing assets, and the term Web is just an ill defined collective
> for the interchangeable transport mechanisms.  So a web app is just an
> app delivered over the web.  Nothing special.

"Delivered over" is the problem. If the term web is ill-defined then how is an application "delivered over" anything? Actually it is the output of a web service which is delivered which is rarely (if ever according to certain definitions) an application.



> And separately, I'm also not comfortable with the definition of security
> as the separation of a threat from an asset. Assets may have threats.
> Vulnerabilities enhance threats. Controls address vulnerabilities.
> Rock blunts scissors.

Yes, assets may have threats within themselves (assuming that's what you mean like how people can have cancer). However, vulnerabilities don't enhance threats but rather they degrade the effectiveness of the separation or the controls used. Otherwise that would imply that a threat can become stronger, faster, more invulnerable, etc. because of a vulnerability in the asset, controls, or separation itself.



> The dictionary definitions have security as an absolute absence of danger. Clearly, in a network environment, absence of danger (threat) means isolation (or turning the damn thing off) which in the commercial

Even turning it off does not protect it as physical forces, even if meager, over time will leave the systems inoperable. Not to mention if you see the web application as more than a server or application but also the service provided then shutting it off is also a threat to its continuity.


> world is generally counter to the business requirement that pays for it
> in the first place.  So in this context, I would say that we're
> generally not looking for security as an absolute.  What we're left with

If you can see security as a separation then it is an absolute. Security can either exist or not exist. That means there is either a separation or there isn't. If there is one, then we can look at its porosity-- the holes within that wall or the bridges across that chasm-- whatever is allowing the separation to be breached. For each of those pores we apply controls to limit the effectiveness of the threat or its impact.


> is security as a process (hello Dave) in which it is delivered through
> an iterative process of identifying vulnerabilities and implementing
> controls in order to reduce them, and in doing so balance threats
> against required functionality.

Which brings us to the patching game. Security is only a process in the physical realm where rot, decay, and chaos reduce security. In network security you can apply controls and create an environment which requires no process cycle-- no identifying vulnerabilities or implementing more controls because it will be done. It's not easy to set up but it is possible and then maintenance becomes a people issue since patches and upgrades will exist only for functionality, compatibility, and extensibility but not for security. It's just that people prefer to choose to buy the mainstream, go the easy way, and get running fast before running safe which leads them to a future of taking care of the baby they were too young and immature to have created ;)


We are slowly seeing the trends change though but way too slowly. I saw SUSE has the possibility to make a typical LAMP web server now that in conjunction with a hardware TPM is a perfectly controlled environment (a la opentc.net) where hacking becomes no more than a treadmill exercise-- lot of effort to go nowhere.

-pete.



Brought to you by http://www.webappsec.org