What I Wish I Knew Before Starting A Web Application Security Project
Uploaded by denim-group. Category: Technology.
Transcript of What I Wish I Knew Before Starting A Web Application Security Project
What I Wish I Knew Before Starting a Web Application Security Project
February 4th, 2010
Thoughts
• Windsurfing Is Hard (Application Security Is Harder)
• Savagely Unavoidable Fact of Life
• Anti-Patterns
• Contact
Windsurfing Is Hard
Application Security Is Harder
Savagely Unavoidable Fact of Life
Features > Performance > Security
Why?
• Short-term economic thinking
• Multi-disciplinary problem
• Changing landscape
Anti-Patterns
Anti-Patterns
• Compliance-only
• Tools-only
• Training-only
Compliance
Compliance
• Checkbox mentality
• Optimize on immediate cost
• Failure to focus on risk
Tools
Tools
Dan: What is your application security strategy?
A: We bought Scanner XYZ
Dan: Cool! Have you started using it?
A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key.
Dan: All right! Did you find anything?
A: Oh yeah! We found all sorts of scary stuff.
Dan: Well what did you do about it?
A: We sent the PDF report to the development team and told them to fix the problems.
Dan: Were they successful?
A: I don’t know. I guess I should check in on that…
Tools
• Tools do not find everything
• Tools do not run themselves
• They are worthless if you do not use them
• A fool with a tool is still a fool
Training
Training
• “Our people are our greatest asset…”
• True, but…
• Knowing what you should do and doing it are two different things
Contact
Dan Cornell
(210) 572-4400
@danielcornell
Web: www.denimgroup.com
Blog: blog.denimgroup.com