
RE: [WEB SECURITY] definition of "web application security"?




Pete,

Thanks for the interesting discussion. I especially liked the "separation"
part. Aren't remediation and recovery security mechanisms? I would like to
play Devil's Advocate here for a second. I am not certain that we are on
the right track trying to prove a negative, when a positive is easier to
describe.

Bottom Line Up Front: If we do not gain any insight into real problems
through the definition process, all we are doing is market segmentation.



Having spent a lot of time around "national security" while in the
military, and a lot of definitional battles, I would ask what is the
purpose of this debate? Usually, definitions are refined to scope down a
problem space to something manageable or provide some insight into the
nature of the problem. This begs the question--what subsets of challenges
does the definition eliminate from the perceived problem space?

When a problem gets too complicated for an agreed-upon decision, I think we
can do two things.

First, we can break it down into some form of logical subcomponent
structure and attempt to solve the problem by solving the component
problems. This linear approach can be applied by discussing the nature of
web, etc. (...another definition of "command and control" is "the
distribution of uncertainty"). I have read some of this in the thread.
When a problem is not just complicated but actually complex, we need
another approach.



So, we can abstract away. We can abstract up (our favorite approach in
CS--see XML and Object-Oriented Programming). In our case, we could apply
an isomorphism to the behavior of the system, like physical security or
security in the previous computing environment. Or....We can abstract
down. In this case, we could try to define the universal truly atomic
common parts of web+application+security. I have also read some of this
into the thread.

We can simply define Web Application Security as Information Assurance in
the current environment and work from the positive side describing what
services we are providing. This does not eliminate anything from the
problem space. However, it does imply that while web application security
is complex, it will behave like other Information Assurance environments
(it capitulates by abstracting up).



Obviously, the term, Web Application Security, was coined to describe a
particular niche, requiring unique expertise, at the time...So if that is
the point of all of this, then start with what Web Application Security is
NOT in order to refine the definition---

When we cannot agree on that, there is no uniqueness and it is just
Information Assurance (which I use to include reliability and all forms of
availability, as well as to avoid joining the definition of "secure"
discussion). The discussion then boils down to marketing collateral about
evolution of the computing environment. The FUD-fueled negative approach
has, moreover, actually done us no favors. Is this fodder for another
thread or too far off the forum focus?



Dave

David E.A. Johnson

Director, Digital Security Products

Intel Corporation



My opinions are my own and not the official position of Intel Corporation
or any other organization with which I may be affiliated.





-----Original Message-----
From: Pete Herzog [mailto:lists@isecom.org]
Sent: Monday, August 25, 2008 5:42 PM
To: Martin O'Neal
Cc: joe@cyberlocksmith.com; WASC Forum
Subject: Re: [WEB SECURITY] definition of "web application security"?



Hi Martin,



Hope you had a good weekend! Back to the discussion....



> I'm not sure that I see the distinction.  All applications are conduits
> for accessing assets, and the term Web is just an ill defined collective
> for the interchangeable transport mechanisms.  So a web app is just an
> app delivered over the web.  Nothing special.



"Delivered over" is the problem.  If the term web is ill-defined then
how is an application "delivered over" anything?  Actually it is the
output of a web service which is delivered which is rarely (if ever
according to certain definitions) an application.



> And separately, I'm also not comfortable with the definition of security
> as the separation of a threat from an asset.  Assets may have threats.
> Vulnerabilities enhance threats.  Controls address vulnerabilities.
> Rock blunts scissors.



Yes, assets may have threats within themselves (assuming that's what
you mean like how people can have cancer).  However, vulnerabilities
don't enhance threats but rather they degrade the effectiveness of the
separation or the controls used.  Otherwise that would imply that a
threat can become stronger, faster, more invulnerable, etc. because of
a vulnerability in the asset, controls, or separation itself.



> The dictionary definitions have security as an absolute absence of
> danger.  Clearly, in a network environment, absence of danger (threat)
> means isolation (or turning the damn thing off) which in the commercial



Even turning it off does not protect it as physical forces, even if
meager, over time will leave the systems inoperable.  Not to mention
if you see the web application as more than a server or application
but also the service provided then shutting it off is also a threat to
its continuity.



> world is generally counter to the business requirement that pays for it
> in the first place.  So in this context, I would say that we're
> generally not looking for security as an absolute.  What we're left with



If you can see security as a separation then it is an absolute.
Security can either exist or not exist. That means there is either a
separation or there isn't. If there is one, then we can look at its
porosity-- the holes within that wall or the bridges across that
chasm-- whatever is allowing the separation to be breached. For each
of those pores we apply controls to limit the effectiveness of the
threat or its impact.



> is security as a process (hello Dave) in which it is delivered through
> an iterative process of identifying vulnerabilities and implementing
> controls in order to reduce them, and in doing so balance threats
> against required functionality.



Which brings us to the patching game. Security is only a process in
the physical realm where rot, decay, and chaos reduce security.  In
network security you can apply controls and create an environment
which requires no process cycle-- no identifying vulnerabilities or
implementing more controls because it will be done. It's not easy to
set up but it is possible and then maintenance becomes a people issue
since patches and upgrades will exist only for functionality,
compatibility, and extensibility but not for security.  It's just that
people prefer to choose to buy the mainstream, go the easy way, and
get running fast before running safe which leads them to a future of
taking care of the baby they were too young and immature to have
created ;)



We are slowly seeing the trends change though but way too slowly.  I
saw SUSE has the possibility to make a typical LAMP web server now
that in conjunction with a hardware TPM is a perfectly controlled
environment (a la opentc.net) where hacking becomes no more than a
treadmill exercise-- lot of effort to go nowhere.



-pete.







----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA






Brought to you by http://www.webappsec.org