Wednesday, December 13, 2006

Looking back at my predictions for 2006

First, let's look at how I did for 2006.

Research in 2006
1) I think there is going to be a lot of research, on the white hat and black hat side, in the area of web-based worms. Lots of creating and trading of JavaScript exploit code once an XSS issue is found.

Right on the money. Of course this might have been a self-fulfilling prophecy. :) Those are the best kind.

Commercial landscape in 2006
Personally I think compliance, specifically PCI, is going to be a big driver to improve web application security.

Blech, way off. PCI is a good standard with decent web application security components, but the enforcement of validation of compliance leaves something to be desired. When network scanning vendors can meet the minimum webappsec criteria with only the most rudimentary checks, then clearly there is improvement required. Checkbox != security. Maybe PCI will be a real driver by 2008. Time will tell.

To meet the requirements, I expect vendors will combine various types of vulnerability assessment products through innovation or acquisition. Current product/service offerings separate network, cgi, and web application assessment layers. Some combine 2, but not all three.

Off yet again. I still think this will happen, I just don't know exactly when. I thought it would have taken place already.

To pass PCI quickly, we'll see people looking for simple solutions or hacks to clean up their vulnerabilities. Not everyone has the resources available to fix their web app code the right way. As a result, I expect new web server add-ons (or WAFs) and configuration set-ups will be employed as band-aids to prevent the identification of vulnerabilities. This will create an interesting challenge for the industry.

Let's call this 50/50: I was correct about a huge increase in web application firewall deployments in the market, led by ModSecurity and other commercial players. Way more WAFs on the Web than there were in 2004 and 2005. However, this didn't have anything to do with meeting PCI or a band-aid approach as I guessed. Most deployments I've seen have been towards defense-in-depth, bravo, but I was wrong in the prediction. :)

Then a few other predictions:
* a variety of different product/service standards

Nope. Wrong.

* certifications for web application security professionals

Wrong again!

* other industries begin implementing PCI-like security standards

Sheesh, way off.

I'm no Nostradamus, that's for sure.


Anonymous said...

so when to expect the 2007 predictions? or have I missed them somehow?

Jeremiah Grossman said...

I'm debating on that. Think I might take another approach with 2007.