Over the past year many organizations have noticeably started to "get" the importance of web application security and are studying up on the issues, but experience doesn't come overnight. At WhiteHat we meet a lot of different people holding a variety of views on the webappsec world. So a couple of days ago, I was sanity checking some of Bill Pennington's (VP of Services) slides on "Five Things Every Security Professional Should Know about Website Security". For some reason the way the advice was laid out reminded me of the Five Stages of Grief (if you're familiar with them), because it closely mimicked the attitudes of those we encounter depending on their degree of webappsec sophistication.
Bill re-did the stages, webappsec style, and it came out pretty funny actually.
1. Denial: "We have firewalls, IDS, and SSL. We are Secure."
2. Anger: "How the heck did this get so bad?!?!?"
3. Bargaining: "We can solve this with frameworks, developer education and some scanners."
4. Depression: "We have so many websites and the code is changing all the time. Maybe if I leave now no one will notice."
5. Acceptance: "I guess my job just got a lot more interesting."
Bill says he's in the Anger stage. Though, that could just be the way he is. Heh. I'd place myself in the optimistic Bargaining stage, having left Anger about a year back. However, I'm slowly gravitating towards Depression as I witness and write about the enormous scale of the problem. From time to time I believe I've encountered those farther along than I am, but I probably pass them off as overly cynical.
So, what stage are you at?