|
WebApp Sec
mailing list archives
Re: A Question of Quality
From: "Alexander Bermudez" <abermudez72 () hotmail com>
Date: Sun, 30 Nov 2008 08:32:03 -0800
Pride of ownership may very well be the reason for lack of adequate QC and
Security control but my take is that it might have something to do with
security professionals not doing a good enough job of selling the value of
security in the SDLC. If the decision makers could be educated on the
contractual and regulatory obligations for secure coding (think PCI and
SOX), coupled with meaningful deliverables (no Nessus or Webinspect scan
reports w/tons of false positives), we might begin to see greater support
for inviting security pros to inception of project rather than remaining as
an afterthought, when the application has already been released to
production.
Security, privacy, compliance requirements have to be built into the product
lifecycle from the beginning (I know. I'm preaching to the choir) and it has
to be based on sound risk management principles, taxonomy, and jargon that
can be understood by the business. How else do we expect to get buy in to
our sell.
Just my 2 cents.
--------------------------------------------------
From: "Robert Hajime Lanning" <robert.lanning () gmail com>
Sent: Sunday, November 02, 2008 11:24 AM
To: "Security Basics" <security-basics () securityfocus com>; "Web Application
Security" <webappsec () securityfocus com>
Subject: Re: A Question of Quality
On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com>
wrote:
Why isn't Quality Assumed?
Why isn't Security Assumed?
Why are these concepts thought of as add ons to Applications and
Services?
Why do they need to be specified, when they should be taken for granted?
- Input Validation
- Boundary Conditions
- Encrypt Data as necessary
- Least Privilege Access
- White lists are better than Black lists
I believe one of the issues is, pride of ownership in the end product.
A lot of the coding is now outsourced to cheap code houses. These people
do not have ownership or attribution. They have no reason to take any
extra
steps, that are not specified in the contract. If it is not in the
contract, they
are not being paid for it.
It's like a building contractor. If it is not in the blue prints, it
does not go into
the finished building. That is why a building spec is a thick book, that
goes
all the way to specifying the exact screw to use.
--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download this
Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
