Recently I spent some phone time with Colleen Frye of SearchSoftwareQuality. We started off by talking about our new XSS Attacks book, but one good subject led to another. During the interview we also chatted about the changing vulnerability discovery/disclosure landscape, SDLC, WAFs, and various other timely industry topics. Below is a quick snippet, and the rest turned up some good content.
You've been beating the drum about Web application security for some time now. Where has the industry made progress, and where is it still lacking?
Jeremiah Grossman: While the Web is still an insecure place, and most Web sites are still insecure, Web site owners now have the knowledge at hand to secure their Web sites should they choose to. Not totally secure, of course, but to improve the "hackability." It would be nice if the bad guys had to work really hard to find that one fatal flaw. Right now it's just shooting fish in a barrel. We have the tools, the knowledge, and the methodologies and best practices are there. Now it's the job of the other side to implement. On the security vendor side, our job is to make implementing those practices or developing solutions around those practices easier and cheaper.