RE: [WEB SECURITY] definition of "web application security"?
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] definition of "web application security"?
- Date: Thu, 28 Aug 2008 11:20:33 +0100
> What the applications require, if
> they require, is part of an applications
> environment.
I still disagree. LOL. Trying to be specific about this is
counterproductive in the real world. Depending on the application, everything
from the logic to the network transport may be in one monolithic
deliverable. For others, much of the functionality is provided by
frameworks and platforms. When a business person asks to have their web
application tested, they mean everything; end-to-end. For example, most
business people will ask us for a "penetration test", when the reality
is this is not what they want at all.
> That risk was always there. The minute
> you put up a flammable structure that
> risk of burning down exists.
No; the risk varies. If I build an empty concrete building, there is a
threat of damage from fire, but it is negligible. A low risk. Concrete
can still burn, given enough heat, but it is unlikely to occur in normal
circumstances. If I now fill the building with flammable materials,
this has added a tangible vulnerability. Both the impact and the
probability of the threat occurring have been increased by the
vulnerability, and likewise the risk product has also increased
proportionally.
> Same can be said of an intranet web
> application versus an external one.
Neither are separated though. Security equals separation is a terrible
analogy. LOL.
> The only reason why we don't
> see them much is because they
> need decisive planning at onset...
I disagree again. LOL. I think that the reason we don't see anything like this in
the real world is that it fails the effort/cost/value test. For most
organisations, the effort and cost of running an environment like this
outweighs the benefits (or potential punitive measures).
> but with the right environment
> where you don't have to put out
> little fires all the time you
> can actually focus on getting
> applications to upgrade for
> functionality when YOU want to
> upgrade them not because you
> have to patch them right away.
LOL; I have no experience of this utopian world. Where can I get one?
Martin...