Comments on Jeremiah Grossman: webappsec is hard, because it takes so many
(comment feed, 6 comments; feed updated 2024-02-08)

Jeremiah Grossman, 2007-05-28 08:51 -07:00:

1) Separating distinct disciplines like network security, web application security, A/V, authentication, encryption, OS security, etc. helps make the problem sets easier to understand and address. Few people have really good cross-disciplinary skills to tackle several of these problems effectively. And as for HTTP proxies, terminology changes over time. Today there are now 3 ways to deploy WAFs: reverse proxies, web server software modules, and out-of-band network devices.

2) "Application security, or secure programming is not so new." I'd agree with you about 90% of the core fundamentals. However, the web development environment has significantly changed the landscape with regard to new attacks and attack variants... new solutions and solution implementations. Not to mention the sheer scale out there. CAPTCHA is a good example of defending against bots. XSS and the aspects of DOM trust across domains is certainly a new concept as well.

Anonymous, 2007-05-27 17:33 -07:00:

mistake #1: differentiating application security from "network" security. Those of us who have done security for a while know that layer 7 is defensible within the R&R's of netsec. What gets called "web application firewalls" nowadays, we used to call HTTP proxies.

mistake #2: calling it "webapp security" at all. Just because it's in vogue to tunnel everything through port 80 nowadays doesn't make application programming special, or really different at all. Application security, or secure programming, is not so new.

Just my grumpy 2 Yen.

Anonymous, 2007-05-25 17:13 -07:00:

There is a large lack of senior people in this industry at the moment. When I use the term "senior" I mean the ability of someone to take a web application and REALLY understand the risk and security issues within that application, without using some automated tool.

One worrying aspect about all these new people starting to do web security is their lack of development experience or knowledge. When I started doing network vuln research, you needed to know the low-level languages and C (not C++, that was for the weird kids). Today's post grads have very little experience of how most common dev shops work, hence they don't know where most corners are cut and security issues introduced.

Webappsec still needs time to mature, but you are right, it's getting there.

Unknown, 2007-05-25 14:44 -07:00:

As a guy slightly more involved in the network, I can say that those observations seem correct. Just some more tidbits of thoughts...

- When I look at web app sec, it is one thing to scan a site with WebScarab, another thing to have a few ways to poke at XSS/SQL injection, but to then convey solutions on a code level takes more knowledge than it would to change a config on a network device.

- I agree with ntp on the maturity too, that helps.

- But in relation to both of those points, networking devices won't be changing as rapidly as code techniques. We could get really flippin' good about securing PHP and maybe even JavaScript... but by then what will everyone be using? We have to start all over much quicker. And let's face it... so many designers/developers like creating new stuff and playing with new stuff, not shoring up yesterday's products. :\ (unfair generalization, I know!)

Anonymous, 2007-05-25 13:00 -07:00:

Agreed. On one of those fancy Gartner technology curve charts I'm sure it's on the lower part of the up-curve.

Anonymous, 2007-05-25 11:17 -07:00:

This has to do with the maturity of the industry and the social, individual, and instructional capital surrounding it.

When webappsec has the equivalent of groupstudy (social), Jon Postel (individual), and CCNA bootcamp (instructional), then you'll know it's at a similar level of maturity.