RE: [WEB SECURITY] definition of "web application security"?
- From: "Johnson, David E" <david.e.johnson@xxxxxxxxx>
- Subject: RE: [WEB SECURITY] definition of "web application security"?
- Date: Thu, 28 Aug 2008 10:15:11 -0600
Martin's Comment:
"No; the risk varies. If I build an empty concrete building, there is a
threat of damage from fire, but it is negligible. A low risk. Concrete
can still burn, given enough heat, but it is unlikely to occur in normal
circumstances. If I now fill the building with flammable materials,
this has added a tangible vulnerability. Both the impact and the
probability of the threat occurring have been increased by the
vulnerability, and likewise the risk product has also increased
proportionally."
I would like to take what is implied and make it explicit. I would clarify that risk management consists of more than what you control in the structure and its contents; risk management includes the likelihood that someone is motivated to set the fire and has the appropriate initiator. Lots of concrete buildings filled with flammable stuff do not explode in flames. Impact x Probability = Risk; Capability x Intent = Threat.
As we define security it should not all be measures of performance (what we do), but also include our effort's effect on the environment and external actors (what the bad guys do). I actually think this war of perception is what has to be won; by separating threats from vulnerabilities we only reduce one side of the equation. A holistic solution cycle that can DETER, Detect, Resist, Mitigate, Remediate, Recover...
Dave
David E.A. Johnson
Director, Digital Security Products
Intel Corporation
My opinions are my own and do not reflect the official position of the Intel Corporation or any other organization to which I belong.
-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal@xxxxxxxxxxxx]
Sent: Thursday, August 28, 2008 6:21 AM
To: Pete Herzog
Cc: joe@xxxxxxxxxxxxxxxxxx; WASC Forum
Subject: RE: [WEB SECURITY] definition of "web application security"?
> What the applications require, if
> they require, is part of an applications
> environment.
I still disagree. LOL. Trying to be specific about this is
counterproductive in the real world. Depending on the application, everything
from the logic to the network transport may be in one monolithic
deliverable. For others, much of the functionality is provided by
frameworks and platforms. When a business person asks to have their web
application tested, they mean everything; end-to-end. For example, most
business people will ask us for a "penetration test", when the reality
is this is not what they want at all.
> That risk was always there. The minute
> you put up a flammable structure that
> risk of burning down exists.
No; the risk varies. If I build an empty concrete building, there is a
threat of damage from fire, but it is negligible. A low risk. Concrete
can still burn, given enough heat, but it is unlikely to occur in normal
circumstances. If I now fill the building with flammable materials,
this has added a tangible vulnerability. Both the impact and the
probability of the threat occurring have been increased by the
vulnerability, and likewise the risk product has also increased
proportionally.
> Same can be said of an intranet web
> application versus an external one.
Neither is separated though. Security equals separation is a terrible
analogy. LOL.
> The only reason why we don't
> see them much is because they
> need decisive planning at onset...
I disagree again. LOL. I think the reason we don't see anything like this in
the real world is that it fails the effort/cost/value test. For most
organisations, the effort and cost of running an environment like this
outweighs the benefits (or potential punitive measures).
> but with the right environment
> where you don't have to put out
> little fires all the time you
> can actually focus on getting
> applications to upgrade for
> functionality when YOU want to
> upgrade them not because you
> have to patch them right away.
LOL; I have no experience of this utopian world. Where can I get one?
Martin...
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
----------------------------------------------------------------------------
Brought to you by http://www.webappsec.org