Monday, May 12, 2008

Trifecta of WebAppSec Posts

I remember a time not so long ago where good web application security content was extremely rare and difficult to come by. These days it seems every week something new is posted that’s worth taking the time to read. It’s hard to keep up with all of it and analyzing the details, so I’ll post what I can.

1) Dancho Danchev is masterful at noticing and analyzing what nefarious bag guys are up to, especially in the web security environment. In his most recent post, Stealing Sensitive Databases Online - the SQL Style, he talks about economies of scale in the recent massive SQL injection hacks. Essentially he asks rather opening if these massive attacks are attempts to pull smaller data sources together or generally just leverage them as a mass platform for attack. Good question, could go either way in my opinion.

2) C. Warren Axelrod posted something rather interesting, Metrics Revisited – Application Security Metrics, where he comes right out and says:

“I have recently been giving some thought to, and doing some research into, application security metrics, and I have determined, quite simply, that there aren’t any good ones.”

Then check out his next question...

“One application has 100 inherent vulnerabilities, of which 10 are discovered and patched. Another application has 1000 inherent vulnerabilities, of which 900 are known and fixed. The former has 90 residual vulnerabilities, and there are 100 remaining in the latter application. Which application is more secure?”

A damn fine question and an answer he digs into.

3) Ready to rip into PCI-DSS 6.6? If you haven’t done so already or have an still don't know what to do -- WhiteHat’s own Trey Ford posts Deconstructing PCI 6.6 inside SC Magazine. Trey takes the “Find, fix, prove(n)” model which really makes things simple.

“With a clear understanding of PCI Requirement 6.6, compliance is not only achievable, but can provide great value to web application owners and users. This requirement creates a need for visibility into the lifecycle for vulnerability detection and correction, and will serve to mature web application security. Applying metrics to the efficiency of detection, the cost of producing vulnerable code, and the associated costs of correction will only serve to advance the goal of total web application security.”

No comments: