WebApp Sec mailing list archives

Re: AppSic


From: George Capehart <gwc () acm org>
Date: Tue, 06 Jun 2006 20:09:15 -0400

Eoin wrote:
http://www.csoonline.com/podcasts/cso_appsic_022806.html

Anyone have any insight into APPSIC?
- They focus on App Sec metrics.

Sounds to me as if they're trying to rediscover the Certification and
Accreditation process . . . Notice that the C&A process is an
internally-driven process which requires that real risk assessments be
done and that business owners understand the risks that they face and
have signed off on controls that will manage the risks to their level of
tolerance.  The APPSIC effort is a /*vendor*/ led process that, of
course is going to focus on risks they have decided to try to control
and ignore the others.  Anyone who takes APPSIC seriously runs the risk
of having their risk profile defined for them and their risk management
process run by APPSIC.

Sorry, when I see Microsoft and Oracle on a security-related project, my
only response is to fire up the bong so that I can have fun reading what
they propose . . . .  By now it should be pretty well known that when
vendors get involved in "standards," their primary purpose is to get
their own interpretation included in the result.

Sorry about the cynicism, and I wouldn't blame the moderator if he
didn't post this . . . but history tells the story.  The reason that
OWASP, et al. have survived and had their work widely adopted is
precisely because the parties involved had as their only motivation to
put out a completely agnostic, but valid and informational product.

Exercises left to the reader are the stories of ECMAScript and the
IETF's PKIX process . . .

-- 
George Capehart

PGP KeyID:  0xDD7034EA

"Sometimes you're the windshield, sometimes you're the bug."
 -- Mark Knopfler
