Comments on Jeremiah Grossman: Website Security Strategies that Work
Comment feed for the post, 12 comments, last updated 2024-02-08. Comments are listed oldest first.

Yousif Yalda (https://www.blogger.com/profile/17130171565447829176), 2008-03-09 15:47 -07:00:
This comment has been removed by the author.

Yousif Yalda (https://www.blogger.com/profile/17130171565447829176), 2008-03-09 15:49 -07:00:
Indeed, I think Web Application Security is new. The solutions you stated are factually great for any business. In all honesty, the strategies you explained should all be used for maximum change in terms of business and security, both operating at a safe and reliable interval. Also, since the media has been playing a rather repetitive role in introducing web security insight, importance, and the ever-present danger, solutions will begin to integrate and businesses will soon have to participate in conducting everyday operations with security in mind. I'm not saying security has to be their main priority, but it should be a factor that is initiated throughout the entire process of development, as a care cycle for both customers and the brand's own credibility.

Marcin (https://www.blogger.com/profile/02403324596880195518), 2008-03-09 21:35 -07:00:
I think the best intermediate strategy between the two solutions you propose is Aspect Oriented Programming. AOP is a step forward towards a more secure, more mature SDLC. I'm sure you're familiar with the concepts behind Aspects and AOP, but if not, Rohit Sethi and Nish Bhalla's "Using Aspect Oriented Programming to Prevent Application Attacks" talk at ShmooCon 2008 was great. I recommend checking it out as soon as the videos are made available. The WAF is just ugh... applying almost 20-year-old strategies to ever-evolving vulnerabilities. 2 steps forward, 3 steps back with that one.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2008-03-10 12:06 -07:00:
Marcin, actually I don't know a lot about "AOP"; in fact, I've never heard of it. Though it sounds like something I should start getting familiar with. When the video/slides get posted, please do comment them here. I'd like to review them.

S3Jensen (https://www.blogger.com/profile/06169833355986909704), 2008-03-11 00:17 -07:00:
I think developer education is extremely important. Educated developers are the first line of defense for secure applications. I feel the industry is seriously overlooking this aspect; the consensus seems to be that developers are already overloaded with development issues and attempting to throw security into the SDLC is just too much of a load for them to carry. The current mindset is, we don't expect developers to write secure applications. If we did, then we would need to hold them accountable for their failings. In the end, who is to blame for a vulnerable application? Generally, we point the finger at the company as a whole, but in reality the company is failing itself in not properly educating/training developers to write secure applications.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2008-03-11 06:10 -07:00:
@Mephisto, while I don't dispute anything you've said, I just can't help but think the genie is already out of the bottle. Basically, it's tough to get developers to code defensively against attacks we don't know exist yet. As an example, output filtering against XSS as a best practice is a relatively new thing. Plus, I wouldn't lay 100% of the blame on developers; I've seen plenty of system misconfigs and general carelessness that either comes from design or implementation.

S3Jensen (https://www.blogger.com/profile/06169833355986909704), 2008-03-13 14:06 -07:00:
Don't get me wrong Jeremiah, I'm not saying the entire blame belongs on the developer. Security issues can arise anywhere, such as servers, network, even in the frameworks we use. But when the issue is developer-created, such as poor input validation, the blame, for the most part, belongs on them; but generally in my experience the developer is disassociated from the issue, as if the one didn't have anything to do with the other. Obviously, everyone involved needs to do their part to ensure the security of the application. However, it seems the developer has usually been the overlooked piece of the appsec puzzle.

Anonymous (https://www.blogger.com/profile/11205607217794908439), 2008-03-17 07:18 -07:00:
I'm that guy in the enterprise, and your description of my situation is spot on.

How do you handle situations where those developers are contract workers? In my view, simply writing "must know how to write secure code" into your vendor agreement won't get you anywhere.

Any suggestions on how to accomplish that and get buy-in for educating the contract workforce?

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2008-03-17 20:31 -07:00:
@chris, good question. In addition to the contract language, the only way I've managed to pull it off is during the software acceptance phases. As the code comes in, you test it for security (static and/or dynamic analysis) with your internal team or an independent third party. If the code is insecure or not up to specification, send it back with the results. Rinse, repeat. Over time the developers self-learn because it's shorter that way. :)

Anonymous, 2009-03-11 01:36 -07:00:
Hello Jeremiah, this is an interesting post. And I agree that it's difficult to keep pace with new security threats, unless one dedicates effort on an ongoing basis, which will actually help those who depend on their websites for revenues. You have a very informative blog, and I will get in touch with you for something win-win.

secure_master (http://www.cafewebmaster.com/how-do-i-secure-my-web-site), 2009-05-09 06:10 -07:00:
Use a checklist for website security: http://www.cafewebmaster.com/how-do-i-secure-my-web-site

John Paulson (http://www.miracleworx.net), 2016-10-12 05:26 -07:00:
Yes, agree with you. But we need to update our knowledge of IT regularly. Thanks for sharing this.