Re: [WEB SECURITY] "Enterprise Web Application Security Program"... baby steps
- From: Pravir Chandra <chandra@xxxxxxxx>
- Subject: Re: [WEB SECURITY] "Enterprise Web Application Security Program"... baby steps
- Date: Wed, 4 Mar 2009 14:50:31 -0800
A few weeks back, I sent out a link to the Software Assurance Maturity
Model (SAMM) project that I'm leading (www.opensamm.org) and I think
we have a very similar goal in mind. Seems like we ought to put our
efforts together.
I'm working on the next release quite feverishly, but take a look at
the Beta release on the website and let me know what you think. If you
look under the News section, there's a presentation and Google video
of me giving the pres at the OWASP NYC conference in 2008.
Let me know what you think!
p.
On Wed, Feb 25, 2009 at 1:20 PM, Dave Ferguson <gmdavef@xxxxxxxxx> wrote:
> Great information Rafal. I don't know if you saw this, but thought I would
> share this link to a nice article by Mark Carney that addresses the same
> subject. Short, but a good overview to complement what you've done.
>
> http://www.csoonline.com/article/216752/Carney_How_to_Create_an_Effective_Application_Security_Program_
>
> -Dave
>
> On Tue, Feb 24, 2009 at 4:57 PM, Rafal Los <rafal@xxxxxxxxxxxxxxxx> wrote:
>>
>> Hello Web Sec readers... I believe it was Arian that nailed it a while
>> back when they argued that web application security programs are poorly
>> defined. While I couldn't agree more, I looked for some resources to aid
>> the average practitioner, and lo and behold there are virtually none. There
>> is much development to be done in this direction...
>>
>> With that in mind, I decided to write a series of blog posts dedicated to
>> helping folks build a security program, start to finish with some clear
>> definition of components. I hope you enjoy the series, and maybe even
>> bookmark it for future reference. I know the response I got last time I
>> posted here was overwhelming... so hopefully you great readers and thinkers
>> will continue to flood my inbox and comments section with ideas, thoughts,
>> and commentary on the work being done. I hope to turn this into a paper,
>> and do some extensive enterprise testing on this process... but for now it's
>> a blog post that details some of the foundational elements behind an
>> enterprise web application security program.
>>
>> Enjoy!
>>
>> Following the White Rabbit
>> http://www.communities.hp.com/securitysoftware/blogs/rafal/
>>
>>
>> ________________________________
>> Rafal (Ralph) M. Los
>> Security & IT Risk Strategist
>> - Blog: http://preachsecurity.blogspot.com
>> - LinkedIn: http://www.linkedin.com/in/rmlos
>>
>>
>>
>
--
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~ ~~~~~ ~~~ ~~ ~
Pravir Chandra chandra<at>list<dot>org
PGP: CE60 0E10 9207 7290 06EB 5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~~~~~ ~~~~~~~~ ~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
Brought to you by http://www.webappsec.org