Dan Cornell shares corporate stories about those painful lessons learned during web application security projects: what works, doesn't work and why.
What I Wish I Knew Before Starting a Web Application Security Project
February 4th, 2010
Thoughts
• Windsurfing Is Hard (Application Security Is Harder)
• Savagely Unavoidable Fact of Life
• Anti-Patterns
• Contact
Windsurfing Is Hard
Application Security Is Harder
Savagely Unavoidable Fact of Life
Features > Performance > Security
Why?
• Short-term economic thinking
• Multi-disciplinary problem
• Changing landscape
Anti-Patterns
• Compliance-only
• Tools-only
• Training-only
Compliance
• Checkbox mentality
• Optimize on immediate cost
• Failure to focus on risk
Tools
Dan: What is your application security strategy?
A: We bought Scanner XYZ.
Dan: Cool! Have you started using it?
A: Yes. The analyst who wanted us to buy it ran a bunch of scans when we got the license key.
Dan: All right! Did you find anything?
A: Oh yeah! We found all sorts of scary stuff.
Dan: Well, what did you do about it?
A: We sent the PDF report to the development team and told them to fix the problems.
Dan: Were they successful?
A: I don’t know. I guess I should check in on that…
Tools
• Tools do not find everything
• Tools do not run themselves
• They are worthless if you do not use them
• A fool with a tool is still a fool
Training
• “Our people are our greatest asset…”
• True, but…
• Knowing what you should do and doing it are two different things
Contact
Dan Cornell
(210) 572-4400
@danielcornell
Web: www.denimgroup.com
Blog: blog.denimgroup.com