What I Wish I Knew Before Starting a Web

Application Security Project

February 4th, 2010

1

Thoughts

• Windsurfing Is Hard (Application Security Is Harder)

• Savagely Unavoidable Fact of Life

• Anti-Patterns

• Contact

Windsurfing Is Hard

2

Application Security Is Harder

3

Savagely Unavoidable Fact of Life

Features > Performance > Security

4

Why?

• Short-term economic thinking

• Multi-disciplinary problem

• Changing landscape

5

Anti-Patterns

6

Anti-Patterns

• Compliance-only

• Tools-only

• Training-only

7

Compliance

8

Compliance

• Checkbox mentality

• Optimize on immediate cost

• Failure to focus on risk

9

Tools

10

Tools

Dan: What is your application security strategy

A: We bought Scanner XYZ

Dan: Cool! Have you started using it?

A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got

the license key.

Dan: All right! Did you find anything?

A: Oh yeah! We found all sorts of scary stuff.

Dan: Well what did you do about it?

A: We sent the PDF report to the development team and told them to fix the

problems.

Dan: Were they successful?

A: I don’t know. I guess I should check in on that…

11

Tools

• Tools do not find everything

• Tools do not run themselves

• They are worthless if you do not use them

• A fool with a tool is still a fool

12

Training

13

Training

• “Our people are our greatest asset…”

• True, but…

• Knowing what you should do and doing it are two

different things

14

Contact

Dan Cornell

dan@denimgroup.com

(210) 572-4400

@danielcornell

Web: www.denimgroup.com

Blog: blog.denimgroup.com

15