Secure Coding mailing list archives

Re: On "application security"


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Fri, 20 Feb 2004 16:46:12 +0000


Gary McGraw wrote:

Read this you guys.  This paper expands a bit on the distinction I like
to draw between application security and software security.

http://www.cigital.com/papers/download/software-security-gem.pdf


Yes, excellent article, thanks for sharing it here, Gary.  Your 
definitions of "application security" vs. "software security" 
particularly hit home for me. 

I've seen all too many examples of companies that *solely* practice 
application security -- only doing a cursory network/OS or, in even more 
rare cases, an app-level pen test one week or so before deploying 
mission critical software.  IMHO, this is far too late in the life cycle 
to make a real impact on the security of an application.  At best, 
they'll spot a few symptoms of bigger problems.  Typically, the 
rationale that I hear for an approach like this is, "well, we didn't 
want to break the bank, and at least this methodology is better than 
nothing" or "at least we'll hit the 'low hanging fruit' this way."  
Doomed, I say...


That's not to say that tests shouldn't be done in the later life cycle 
phases.  They're perfectly reasonable steps for finding things like 
human errors made during the integration/deployment of the application 
(e.g., OS mis-configuration).


Cheers,

Ken van Wyk
http://www.krvw.com
