WebApp Sec mailing list archives
Re: Home - Web Application Security Consortium
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 29 Jun 2004 08:15:20 -0700
On Monday, June 28, 2004, at 06:44 PM, Arian J. Evans wrote:
> it's predominantly consulting organizations offering security *services*. I'm excluding Foundstone since their software offerings are in the highly-commoditized network assessment space, and Teros makes a specialized web app 'firewall'. I suspect this group will be more focused on identifying and addressing the root cause of application security issues, and a bit less on product advocacy.
>
> WASC: Is founded and chartered by many meaningful players in the Web Application "Assessment Tool" or "Automated Assessment Service" space. Sanctum, SPI, AppSecInc, WhiteHats, Kavado, etc. My guess is this group will be more about pen testing and assessment, and making boilerplate "best practice" lists so you can run a scanner against your website and assuage yourself of the anguish that you might not be HIPAA or GLBA compliant. (humor) Or apply those template findings to your "Web Application Firewall". This is completely a guess; Caleb (or anyone from WASC) feel free to correct me. But otherwise, why not just use the seasoned vehicle OWASP provides?
You asked, I'll answer. :)

The charter members of WASC (as you mentioned above) came together for several reasons. Chief among them was we felt the web application security industry is overrun with complex terminology and lacks widely agreed upon best-practice standards. Within our published product/services/marketing materials, we use terms with different names, but that have similar meanings. This confuses people interested in web application security and obviously hinders forward progress towards standards. This problem MUST be remedied.
We'd all like to jump right in and develop best-practice standards, but it's impossible to do so without being able to fully understand and articulate all the threats (SQL Injection, XSS, Path Traversal, etc.) to a web site. How else do you determine if your best-practices are thwarting the risks? I myself over the years, and those in and out of OWASP, have found creating a web application security threat/attack classification system is VERY difficult.
We as scanning/pen-test/software vendors had an opportunity to help change all this. We make it our business to find vulnerabilities on a daily basis and report the issues to our customers. As a group we could standardize the terminology and effect positive change. Two project plans came out of our conversations, Web Security Glossary and Threat Classification. The Glossary has already been released:
http://www.webappsec.org/glossary.html

The Threat Classification project, like I said, is very challenging and has taken several months of painstaking work to complete. With the help of nearly two dozen experts across the industry, I believe we have created something amazing to share. We are currently in the final peer review phase with a scheduled release date of July 20.
We'll be using the completed WASC text within our products and services, but it can also serve as a foundation for other webappsec best-practice methodologies. HIPAA/GLBA compliance issues, developing secure code, pen-test, etc. may all benefit by the documentation.
How is WASC going to play with OWASP? Time will tell, but in my opinion the more web application security awareness the better. The fundamental hurdle we have in the industry is education, not the lack of available solutions. Once the problem is known and understood, applying solutions is often easy.
I think I hit all the points, hope this helps.

Regards,
Jeremiah Grossman
WhiteHat Security