What I Wish I Knew Before Starting A Web Application Security Project
Dan Cornell shares corporate stories about those painful lessons learned during web application security projects: what works, doesn't work and why.

Transcript

  • 1. What I Wish I Knew Before Starting a Web Application Security Project, February 4th, 2010
  • 2. Thoughts
    • Windsurfing Is Hard (Application Security Is Harder)
    • Savagely Unavoidable Fact of Life
    • Anti-Patterns
    • Contact
  • 3. Windsurfing Is Hard
  • 4. Application Security Is Harder
  • 5. Savagely Unavoidable Fact of Life: Features > Performance > Security
  • 6. Why?
    • Short-term economic thinking
    • Multi-disciplinary problem
    • Changing landscape
  • 7. Anti-Patterns
  • 8. Anti-Patterns
    • Compliance-only
    • Tools-only
    • Training-only
  • 9. Compliance
  • 10. Compliance
    • Checkbox mentality
    • Optimize on immediate cost
    • Failure to focus on risk
  • 11. Tools
  • 12. Tools
    Dan: What is your application security strategy?
    A: We bought Scanner XYZ.
    Dan: Cool! Have you started using it?
    A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key.
    Dan: All right! Did you find anything?
    A: Oh yeah! We found all sorts of scary stuff.
    Dan: Well, what did you do about it?
    A: We sent the PDF report to the development team and told them to fix the problems.
    Dan: Were they successful?
    A: I don’t know. I guess I should check in on that…
  • 13. Tools
    • Tools do not find everything
    • Tools do not run themselves
    • They are worthless if you do not use them
    • A fool with a tool is still a fool
  • 14. Training
  • 15. Training
    • “Our people are our greatest asset…”
    • True, but…
    • Knowing what you should do and doing it are two different things
  • 16. Contact
    Dan Cornell
    dan@denimgroup.com
    (210) 572-4400
    @danielcornell
    Web: www.denimgroup.com
    Blog: blog.denimgroup.com