WebApp Sec mailing list archives

Re: Home - Web Application Security Consortium


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 29 Jun 2004 08:15:20 -0700


On Monday, June 28, 2004, at 06:44  PM, Arian J. Evans wrote:

> it's predominantly consulting organizations offering security
> *services*. I'm excluding Foundstone since their software
> offerings are in the highly-commoditized network assessment
> space, and Teros makes a specialized web app 'firewall'.
>
> I suspect this group will be more focused on identifying and
> addressing the root cause of application security issues,
> and a bit less on product advocacy.
>
> WASC:
>
> Is founded and chartered by many meaningful players in
> the Web Application "Assessment Tool" or "Automated
> Assessment Service" space. Sanctum, SPI, AppSecInc,
> WhiteHats, Kavado, etc.
>
> My guess is this group will be more about pen testing
> and assessment, and making boilerplate "best practice"
> lists so you can run a scanner against your website
> and assuage yourself of the anguish that you might
> not be HIPAA or GLBA compliant. (humor) Or apply
> those template findings to your "Web Application Firewall".
>
> This is completely a guess; Caleb (or anyone from WASC)
> feel free to correct me. But otherwise, why not just use
> the seasoned vehicle OWASP provides?


You asked, I'll answer. :)

The charter members of WASC (as you mentioned above) came together for several reasons. Chief among them was that we felt the web application security industry is overrun with complex terminology and lacks widely agreed-upon best-practice standards. Within our published product/services/marketing materials, we use terms with different names, but that have similar meanings. This confuses people interested in web application security and obviously hinders forward progress towards standards. This problem MUST be remedied.

We'd all like to jump right in and develop best-practice standards, but it's impossible to do so without being able to fully understand and articulate all the threats (SQL Injection, XSS, Path Traversal, etc.) to a web site. How else do you determine if your best-practices are thwarting the risks? I, over the years, and those in and out of OWASP, have found creating a web application security threat/attack classification system is VERY difficult.

We as scanning/pen-test/software vendors had an opportunity to help change all this. We make it our business to find vulnerabilities on a daily basis and report the issues to our customers. As a group we could standardize the terminology and affect positive change. Two project plans came out of our conversations, Web Security Glossary and Threat Classification. The Glossary has already been released:
http://www.webappsec.org/glossary.html

The Threat Classification project, like I said, is very challenging and has taken several months of painstaking work to complete. With the help of nearly two dozen experts across the industry, I believe we have created something amazing to share. We are currently in the final peer review phase with a scheduled release date of July 20.

We'll be using the completed WASC text within our products and services, but it can also serve as a foundation for other webappsec best-practice methodologies. HIPAA/GLBA compliance issues, developing secure code, pen-testing, etc. may all benefit from the documentation.

How is WASC going to play with OWASP? Time will tell, but in my opinion the more web application security awareness the better. The fundamental hurdle we have in the industry is education, not the lack of available solutions. Once the problem is known and understood, applying solutions is often easy.

I think I hit all the points, hope this helps.

Regards,

Jeremiah Grossman
WhiteHat Security
