WebApp Sec mailing list archives
Fwd: Re: [SC-L] On "application security"
From: Mark Curphey <mark () curphey com>
Date: Sat, 21 Feb 2004 01:27:25 -0500 (EST)
The paper referenced here is an excellent account with some really important points IMHO. Also very timely with some interesting things happening now ;-)

----------
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Fri, 20 Feb 2004 10:36:38 -0500
To: sc-l () securecoding org
Subject: Re: [SC-L] On "application security"

Gary McGraw wrote:
> Read this you guys. This paper expands a bit on the distinction I like to
> draw between application security and software security.
> http://www.cigital.com/papers/download/software-security-gem.pdf
Yes, excellent article, thanks for sharing it here, Gary. Your definitions of "application security" vs. "software security" particularly hit home for me.

I've seen all too many examples of companies that *solely* practice application security -- only doing a cursory network/OS or, in even more rare cases, an app-level pen test one week or so before deploying mission critical software. IMHO, this is far too late in the life cycle to make a real impact on the security of an application. At best, they'll spot a few symptoms of bigger problems. Typically, the rationale that I hear for an approach like this is, "well, we didn't want to break the bank, and at least this methodology is better than nothing" or "at least we'll hit the 'low hanging fruit' this way." Doomed, I say...

That's not to say that tests shouldn't be done in the later life cycle phases. They're perfectly reasonable steps for finding things like human errors made during the integration/deployment of the application (e.g., OS mis-configuration).

Cheers,

Ken van Wyk
http://www.krvw.com