Re: Home - Web Application Security Consortium
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Tue, 29 Jun 2004 08:15:20 -0700
On Monday, June 28, 2004, at 06:44 PM, Arian J. Evans wrote:
> it's predominantly consulting organizations offering security
> *services*. I'm excluding Foundstone since their software
> offerings are in the highly-commoditized network assessment
> space, and Teros makes a specialized web app 'firewall'.
> I suspect this group will be more focused on identifying and
> addressing the root cause of application security issues,
> and a bit less on product advocacy.
>
> Is founded and chartered by many meaningful players in
> the Web Application "Assessment Tool" or "Automated
> Assessment Service" space. Sanctum, SPI, AppSecInc,
> WhiteHats, Kavado, etc.
> My guess is this group will be more about pen testing
> and assessment, and making boilerplate "best practice"
> lists so you can run a scanner against your website
> and assuage yourself of the anguish that you might
> not be HIPAA or GLBA compliant. (humor) Or apply
> those template findings to your "Web Application Firewall".
> This is completely a guess; Caleb (or anyone from WASC)
> feel free to correct me. But otherwise, why not just use
> the seasoned vehicle OWASP provides?
You asked, I'll answer. :)
The charter members of WASC (as you mentioned above) came together for
several reasons. Chief among
them was we felt the web application security industry is overrun with
complex terminology and lacks widely agreed-upon best-practice
standards. Within our published product/services/marketing materials,
we use terms with different names, but that have similar meanings. This
confuses people interested in web application security and obviously
hinders forward progress towards standards. This problem MUST be
We'd all like to jump right in and develop best-practice standards, but
it's impossible to do so without being able to fully understand and
articulate all the threats (SQL Injection, XSS, Path Traversal, etc.) to
a web site. How else do you determine if your best-practices are
thwarting the risks? I myself over the years, and those in and out of
OWASP, have found creating a web application security threat/attack
classification system is VERY difficult.
We as scanning/pen-test/software vendors had an opportunity to help
change all this. We make it our business to find vulnerabilities on a
daily basis and report the issues to our customers. As a group we could
standardize the terminology and effect positive change. Two project
plans came out of our conversations: Web Security Glossary and Threat
Classification. The Glossary has already been released:
The Threat Classification project, like I said, is very challenging and
has taken several months of painstaking work to complete. With the help
of nearly two dozen experts across the industry, I believe we have
created something amazing to share. We are currently in the final peer
review phase with a scheduled release date of July 20.
We'll be using the completed WASC text within our products and
services, but it can also serve as a foundation for other webappsec
best-practice methodologies. HIPAA/GLBA compliance issues, developing
secure code, pen-test, etc. may all benefit from the documentation.
How is WASC going to play with OWASP? Time will tell, but in my opinion
the more web application security awareness the better. The fundamental
hurdle we have in the industry is education, not the lack of available
solutions. Once the problem is known and understood, applying solutions
is often easy.
I think I hit all the points; hope this helps.