Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Home - Web Application Security Consortium
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 29 Jun 2004 08:15:20 -0700

On Monday, June 28, 2004, at 06:44  PM, Arian J. Evans wrote:

it's predominantly consulting organizations offering security
*services*. I'm excluding Foundstone since their software
offerings are in the highly-commoditized network assessment
space, and Teros makes a specialized web app 'firewall'.

I suspect this group will be more focused on identifying and
addressing the root cause of application security issues,
and a bit less on product advocacy.


Is founded and chartered by many meaningful players in
the Web Application "Assessment Tool" or "Automated
Assessment Service" space. Sanctum, SPI, AppSecInc,
WhiteHats, Kavado, etc.

My guess is this group will be more about pen testing
and assessment, and making boilerplate "best practice"
lists so you can run a scanner against your website
and assuage yourself of the anguish that you might
not be HIPAA or GLBA compliant. (humor) Or apply
that template findings to your "Web Application Firewall".

This is completely a guess; Caleb (or anyone from WASC)
feel free to correct me. But otherwise, why not just use
the seasoned vehicle OWASP provides?

You asked, I'll answer. :)

The charter members of WASC (as you mentioned above) came together for several several reasons. Chief among them was we felt the web application security industry is overrun with complex terminology and lacks widely agree upon best-practice standards. Within our published product/services/marketing materials, we use terms with different names, but that have similar meanings. This confuses people interested in web application security and obviously hinders forward progress towards standards. This problem MUST be remedied.

We'd all like to jump right in and develop best-practice standards, but its impossible to do so without being able to fully understand and articulate all the threats (SQL Injection, XSS, Path Traversal, etc) to a web site. How else do you determine if your best-practices are thwarting the risks? Myself over the years, and those in and out of OWASP, have found creating a web application security threat/attack classification system is VERY difficult.

We as scanning/pen-test/software vendors had an opportunity to help change all this. We make it our business to find vulnerabilities on a daily basis and report the issues to our customers. As a group we could standardize the terminology and affect positive change. Two project plans came out of our conversations, Web Security Glossary and Threat Classification. The Glossary has already been released:

The Threat Classification project, like I said, is very challenging and has taken several months of painstaking work to complete. With the help of near two dozen experts across the industry, I believe we have created something amazing to share. We are currently in the final peer review phase with a scheduled release date of July 20.

We'll be using the completed WASC text within our products and services, but it can also serve as a foundation for other webappsec best-practice methodologies. HIPAA/GLBA compliance issues, developing secure code, pen-test, etc. may all benefit by the documentation.

How WASC going to play with OWASP? Time will tell, but in my opinion the more web application security awareness the better. The fundamental hurtle we have in the industry is education, not the lack of available solutions. Once the problem is known and understood, applying solutions is often easy.

I think I hit all the points, hope this helps.


Jeremiah Grossman
WhiteHat Security

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]