WebApp Sec mailing list archives

Fwd: Re: [SC-L] On "application security"


From: Mark Curphey <mark () curphey com>
Date: Sat, 21 Feb 2004 01:27:25 -0500 (EST)

The paper referenced here is an excellent account with some really important points IMHO. Also very timely with some 
interesting things happening now ;-)

----------
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Fri, 20 Feb 2004 10:36:38 -0500
To: sc-l () securecoding org
Subject: Re: [SC-L] On "application security"

Gary McGraw wrote:
> Read this you guys.  This paper expands a bit on the distinction I like
> to draw between application security and software security.
>
> http://www.cigital.com/papers/download/software-security-gem.pdf

Yes, excellent article, thanks for sharing it here, Gary.  Your 
definitions of "application security" vs. "software security" 
particularly hit home for me. 

I've seen all too many examples of companies that *solely* practice 
application security -- only doing a cursory network/OS or, in even more 
rare cases, an app-level pen test one week or so before deploying 
mission critical software.  IMHO, this is far too late in the life cycle 
to make a real impact on the security of an application.  At best, 
they'll spot a few symptoms of bigger problems.  Typically, the 
rationale that I hear for an approach like this is, "well, we didn't 
want to break the bank, and at least this methodology is better than 
nothing" or "at least we'll hit the 'low hanging fruit' this way."  
Doomed, I say...

That's not to say that tests shouldn't be done in the later life cycle 
phases.  They're perfectly reasonable steps for finding things like 
human errors made during the integration/deployment of the application 
(e.g., OS mis-configuration).

Cheers,

Ken van Wyk
http://www.krvw.com
