RE: [WEB SECURITY] definition of "web application security"?



> Hope you had a good weekend! 
> Back to the discussion....

Whoop!

> output of a web service which is delivered 
> which is rarely (if ever according to certain 
> definitions) an application.

I don't think this is a feasible place to go; by pursuing this course of
logic you end up with few actual applications, because any network
application will use the OS network transports which aren't part of the
application, or likewise the GDI/X (or equivalent).

> However, vulnerabilities don't enhance threats 
> but rather they degrade the effectiveness of the 
> separation or the controls used.  

I disagree strongly with this; for the classic example scenario of fire
(a threat), the presence of flammable materials (a vulnerability)
clearly enhances both the probability and impact of the threat
occurring.  The same is true for most tech vulnerabilities.

> If you can see security as a separation then 
> it is an absolute. 

But security is rarely a separation.  For example, the primary goal of a
firewall is to allow traffic through (obviously in a controlled way),
not to separate.  Separation is an absence of functionality.

> In network security you can apply controls 
> and create an environment which requires 
> no process cycle-- no identifying 
> vulnerabilities or implementing more 
> controls because it will be done.

Again, I disagree. I don't think that in all my years in IT, I have ever
seen a static environment.  Flawless products don't exist; patches are
periodically released.  Functionality is constantly enhanced in the
applications, the infrastructure and the controls that protect them.
New controls are developed.  And all change requires some degree of
analysis and review.

Martin...

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA