Gary McGraw, CTO of Cigital and oracle of all things software security, and I routinely find ourselves conversing via mailing list threads, serving as expert opinion makers for the media, or presenting at InfoSec conferences around the world. While our time together is short, we always have thought-provoking discussions in which I, at least, learn a good deal. You see, Gary has been around the block once or twice with probably every software security strategy and tactic, and he is willing to share keen insights on exactly why something will work, will not work, or will land somewhere in between. On one particular subject, we thought it would be fun to turn the discussion into a podcast.
Last week I became Gary’s most recent “victim” (Episode 32 of the Silver Bullet Security Podcast), where we discuss the differences and similarities between Software Security and Web Application Security. Is WebAppSec just a subset of Software Security? It certainly could be. Are all the “new” Web attacks we “discover” already documented a decade or more ago? I’m not quite there yet, but it would be unnerving if so. It would also seem that Web Application Security could be considered a subset of Website security, because certainly not all vulnerabilities on a website can be found in the code.
Gary went on to publish an article in which he raises the question, “Is Web application security commanding too much attention at the expense of other security issues?” I think we all know where I land on the subject; however, this is definitely a worthwhile read.