
Re: [WEB SECURITY] definition of "web application security"?



Hi David,

Thanks for the interesting discussion. I especially liked the "separation" part. Aren’t remediation and recovery security mechanisms?

We consider them as part of the controls. They are sub controls to the control of Continuity. In the OSSTMM they are tested under Configuration Verification and Survivability Validation.


Having spent a lot of time around "national security" while in the military, and a lot of definitional battles, I would ask what is the purpose of this debate? Usually, definitions are refined to scope down a problem space to something manageable or provide some insight into the nature of the problem. This begs the question--what subsets of challenges does the definition eliminate from the perceived problem space?

Definition is an important criterion for communication. Definition allows us to compare and contrast. The current problem is that as security is currently sold in consultancy and in solutions, it cannot possibly be provided. This discrepancy allows for poor service because there can be little comparison and almost no accountability.


Security defined as an absolute allows for it to be sold as an actual item that is achievable.

At ISECOM, we devise the definitions because without it, there could be no solid foundation from which to measure risk. We broke down security and controls to their most basic components to be able to work with it and build a proper and thorough means for testing and measuring it.


Obviously, the term, Web Application Security, was coined to describe a particular niche, requiring unique expertise, at the time...So if that is the point of all of this, then start with what Web Application Security is NOT in order to refine the definition---

While I am in agreement with this approach to identify what a web application is, what components are entailed and where it ends before it becomes part of something else, like name resolution or software security like fuzzing, part of the discussion needed to include what security actually is. So it's a two-part. And we haven't even gotten into risk yet, which I prefer to stay away from anyway with all its opinions and conjecture.



When we cannot agree on that, there is no uniqueness and it is just Information Assurance (which I use to include reliability and all forms of availability, as well as to avoid joining the definition of "secure" discussion). The discussion then boils down to marketing collateral about evolution of the computing environment. The FUD-fueled negative approach has, moreover, actually done us no favors. Is this fodder for another thread or too far off the forum focus?

While I can't say anything for Information Assurance per se as it's not a term I'm deeply familiar with, according to how you use it here, I would agree that web applications do fall under that category. So I'm okay on hearing more about your approach on this thread or we just tweak the subject on your reply and make a new one.


-pete.


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org