Educause Security Discussion mailing list archives

Re: Web Security - what do you do?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 12 May 2009 14:56:30 +1200

On 12/05/2009, at 12:37 AM, Karen Stopford wrote:

Those are all valid points. I came from the business world where time to market pressures often precluded negotiating with vendors to change their applications or in-house developers to learn new coding techniques, etc. One of the things I’ve come to advocate is those with buying power (large corporations mostly) should not take the path of least resistance but instead insist on interrogating their vendor’s practices and performing a risk assessment before procuring COTS. In-house, component development allows reuse of stored procedures, authentication routines, etc….

Our standard RFP template contains a security section that (amongst other things) tries to determine if the vendor is at least aware of things such as OWASP. It is truly depressing how many vendors have no clue what or why you are asking, e.g. "Describe what development standards or frameworks you used in developing this application".

We promote OWASP for our internal developers along with training our testing teams to use vulnerability testing tools (both OS and commercial). We are also putting in place something that could be described as an application firewall. The primary motivation for this was actually to provide differing functionality to different classes of users. Of course the right place to do this is in the app, but PeopleSoft is not that flexible and the best way of working around this we found was to proxy all connections so we could filter URLs. Sigh...

Russell
