Comments on Jeremiah Grossman: What is WebAppSec defense-in-depth?
Blog by Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186); comment feed last updated 2024-02-08.

Comment by Anonymous, 2006-12-10 22:04 (-08:00):

I think a lot of the defense in depth that goes into web application security already exists, but people don't think "defense in depth" as soon as they hear about it. One example would be requiring re-authentication for high-risk tasks. It's an effective mechanism to defend against a variety of attacks (session hijacking, XSRF, people wandering away from their desks, etc.). Another example is logging. A good logging system, perhaps with some agents flagging transactions, is an excellent general-purpose backup. Credit card companies love this strategy.

Some of these are going to be general, some are going to be very specific. (Specific: user education + "is this your picture?" on login to mitigate phishing.) Un/fortunately, the application layer is much more difficult to secure, so we'll have jobs for the foreseeable future.

Comment by Anonymous, 2006-11-26 19:40 (-08:00):

I would prefer a WAF over using a scanner and code review. As a security officer, I don't trust my developers, and I'd like to have one place to control and audit the security of the sites I'm in charge of.
We do use scanners during development; however, protecting the business logic is something that only a good WAF can do.

Comment by Anonymous, 2006-11-20 14:42 (-08:00):

I prefer vulnerability management to defense-in-depth. McGraw's "building security in" model is a classic example of what needs to be done in both camps. I saw it recently better described as "baking security in rather than icing it on".

Web application vulnerability management has a lot of unknowns and fill-in-the-blanks right now. I almost feel as if web vulnerabilities have not been classified correctly, completely, and properly to any extent.

I like vulnerability management because it's a process. Defense-in-depth sounds like a bunch of line items for optional products/solutions that don't end up working anyway because they can be circumvented, a.k.a. classic IPS.

I don't know about 3 items to protect a website, but I can give you one good one: security awareness.

Comment by Anonymous, 2006-11-20 14:06 (-08:00):

1) Secure coding during development

2) Security as a part of the QA process (using automated tools, and a security-educated QA team)

3) Periodic security audits on post-production systems.
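The two defense-in-depth examples from the first comment in the thread, re-authentication for high-risk tasks and a logging system with an agent flagging transactions, as an added worked example. This is not code from the blog post or from any commenter; it is a framework-free model with constructed sample data. The policy values (a 5-minute re-auth window, three rejected attempts in 10 minutes to flag a user), the in-memory user store and audit log, and the `change_email` action are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy knobs for this example: a high-risk action needs a password
# check within the last 5 minutes, and 3 rejected attempts inside 10 minutes flag the user.
REAUTH_WINDOW_SECONDS = 300
FLAG_WINDOW_SECONDS = 600
FLAG_THRESHOLD = 3
PBKDF2_ROUNDS = 100_000  # modest so the example runs fast; raise it in production

USERS = {}  # username -> (salt, digest); constructed sample user store


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


@dataclass
class Session:
    user: str
    csrf_token: str      # per-session anti-XSRF token the form must echo back
    last_auth_at: float  # when this session last proved the password


@dataclass
class AuditLog:
    """In-memory stand-in for the application's transaction/audit log."""
    entries: list = field(default_factory=list)

    def write(self, ts, user, action, outcome, **extra):
        self.entries.append({"ts": ts, "user": user, "action": action, "outcome": outcome, **extra})


def login(username: str, password: str, now: float) -> Optional[Session]:
    salt, digest = USERS[username]
    if not verify_password(password, salt, digest):
        return None
    return Session(username, os.urandom(16).hex(), now)


def change_email(session: Session, log: AuditLog, now: float, new_email: str,
                 csrf_token: str, password: Optional[str] = None) -> str:
    """High-risk action; returns 'ok', 'csrf_rejected', 'reauth_required' or 'reauth_failed'.
    A stolen cookie, a forged cross-site request, or someone at an unattended desk can
    present the session but not the password, so a stale session must supply it again."""
    if not hmac.compare_digest(csrf_token, session.csrf_token):
        log.write(now, session.user, "change_email", "csrf_rejected")
        return "csrf_rejected"
    if now - session.last_auth_at > REAUTH_WINDOW_SECONDS:
        if password is None:
            log.write(now, session.user, "change_email", "reauth_required")
            return "reauth_required"
        salt, digest = USERS[session.user]
        if not verify_password(password, salt, digest):
            log.write(now, session.user, "change_email", "reauth_failed")
            return "reauth_failed"
        session.last_auth_at = now  # fresh proof of presence; the window restarts
    log.write(now, session.user, "change_email", "ok", new_email=new_email)
    return "ok"


def flag_suspicious(log: AuditLog, window: float = FLAG_WINDOW_SECONDS,
                    threshold: int = FLAG_THRESHOLD) -> set:
    """The 'agent flagging transactions': users with `threshold` or more rejected
    high-risk attempts (CSRF or re-auth failures) inside any `window`-second span."""
    failures = {}
    for e in log.entries:
        if e["outcome"] in ("csrf_rejected", "reauth_failed"):
            failures.setdefault(e["user"], []).append(e["ts"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(user)
    return flagged


def demo():
    """Walk one session through the checks; the timestamps are constructed, not real."""
    log = AuditLog()
    USERS["alice"] = hash_password("correct horse battery staple")
    t0 = 1_700_000_000.0
    s = login("alice", "correct horse battery staple", t0)
    tok = s.csrf_token
    results = [
        change_email(s, log, t0 + 60, "alice@example.com", tok),                    # fresh: ok
        change_email(s, log, t0 + 61, "attacker@example.net", "forged-token"),      # XSRF attempt
        change_email(s, log, t0 + 1000, "alice2@example.com", tok),                 # stale: ask again
        change_email(s, log, t0 + 1001, "alice2@example.com", tok, "guess1"),       # hijacker guessing
        change_email(s, log, t0 + 1002, "alice2@example.com", tok, "guess2"),
        change_email(s, log, t0 + 1003, "alice2@example.com", tok, "guess3"),
        change_email(s, log, t0 + 1004, "alice2@example.com", tok, "correct horse battery staple"),
    ]
    return results, flag_suspicious(log)
```

The point of the re-auth window is that every attack the commenter lists (a hijacked session cookie, a forged cross-site request, an unattended desk) hands the attacker the session but not the password, so the high-risk action is gated on something the session alone cannot supply. The audit log then gives the second layer: even when the gate holds, the rejected attempts are written down and the flagging rule surfaces the account, which is the "agent flagging transactions" the comment describes.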