What I Wish I Knew Before Starting a Web Application Security Project

February 4th, 2010

Dan Cornell shares corporate stories about the painful lessons learned during web application security projects: what works, what doesn't work, and why.

Thoughts
• Windsurfing Is Hard (Application Security Is Harder)
• Savagely Unavoidable Fact of Life
• Anti-Patterns
• Contact

Windsurfing Is Hard

Application Security Is Harder

Savagely Unavoidable Fact of Life
Features > Performance > Security

Why?
• Short-term economic thinking
• Multi-disciplinary problem
• Changing landscape

Anti-Patterns
• Compliance-only
• Tools-only
• Training-only

Compliance
• Checkbox mentality
• Optimize on immediate cost
• Failure to focus on risk

Tools
Dan: What is your application security strategy?
A: We bought Scanner XYZ.
Dan: Cool! Have you started using it?
A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key.
Dan: All right! Did you find anything?
A: Oh yeah! We found all sorts of scary stuff.
Dan: Well, what did you do about it?
A: We sent the PDF report to the development team and told them to fix the problems.
Dan: Were they successful?
A: I don't know. I guess I should check in on that…

Tools
• Tools do not find everything
• Tools do not run themselves
• They are worthless if you do not use them
• A fool with a tool is still a fool

Training
• “Our people are our greatest asset…”
• True, but…
• Knowing what you should do and doing it are two different things

Contact
Dan Cornell
dan@denimgroup.com
(210) 572-4400
@danielcornell

Web: www.denimgroup.com
Blog: blog.denimgroup.com