What I Wish I Knew Before Starting A Web Application Security Project
 

Dan Cornell shares corporate stories about those painful lessons learned during web application security projects: what works, doesn't work and why.

    Presentation Transcript

    • What I Wish I Knew Before Starting a Web Application Security Project
      Dan Cornell, February 4th, 2010

    • Thoughts
      • Windsurfing Is Hard (Application Security Is Harder)
      • Savagely Unavoidable Fact of Life
      • Anti-Patterns
      • Contact

    • Windsurfing Is Hard

    • Application Security Is Harder

    • Savagely Unavoidable Fact of Life
      • Features > Performance > Security

    • Why?
      • Short-term economic thinking
      • Multi-disciplinary problem
      • Changing landscape

    • Anti-Patterns

    • Anti-Patterns
      • Compliance-only
      • Tools-only
      • Training-only

    • Compliance

    • Compliance
      • Checkbox mentality
      • Optimize on immediate cost
      • Failure to focus on risk

    • Tools

    • Tools
      Dan: What is your application security strategy?
      A: We bought Scanner XYZ.
      Dan: Cool! Have you started using it?
      A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key.
      Dan: All right! Did you find anything?
      A: Oh yeah! We found all sorts of scary stuff.
      Dan: Well, what did you do about it?
      A: We sent the PDF report to the development team and told them to fix the problems.
      Dan: Were they successful?
      A: I don't know. I guess I should check in on that…

    • Tools
      • Tools do not find everything
      • Tools do not run themselves
      • They are worthless if you do not use them
      • A fool with a tool is still a fool

    • Training

    • Training
      • "Our people are our greatest asset…"
      • True, but…
      • Knowing what you should do and doing it are two different things

    • Contact
      Dan Cornell
      dan@denimgroup.com
      (210) 572-4400
      @danielcornell
      Web: www.denimgroup.com
      Blog: blog.denimgroup.com