Secure Coding mailing list archives
Re: On "application security"
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Fri, 20 Feb 2004 16:46:12 +0000
Gary McGraw wrote:

> Read this you guys. This paper expands a bit on the distinction I like to draw between application security and software security.
> http://www.cigital.com/papers/download/software-security-gem.pdf

Yes, excellent article, thanks for sharing it here, Gary. Your definitions of "application security" vs. "software security" particularly hit home for me.

I've seen all too many examples of companies that *solely* practice application security -- only doing a cursory network/OS or, in even more rare cases, an app-level pen test one week or so before deploying mission critical software. IMHO, this is far too late in the life cycle to make a real impact on the security of an application. At best, they'll spot a few symptoms of bigger problems.

Typically, the rationale that I hear for an approach like this is, "well, we didn't want to break the bank, and at least this methodology is better than nothing" or "at least we'll hit the 'low hanging fruit' this way." Doomed, I say...

That's not to say that tests shouldn't be done in the later life cycle phases. They're perfectly reasonable steps for finding things like human errors made during the integration/deployment of the application (e.g., OS misconfiguration).

Cheers,

Ken van Wyk
http://www.krvw.com