Gary McGraw, CTO of Cigital and oracle of all things software security, and I routinely find ourselves conversing via mailing list threads, serving as experts opinion makers for the media, or presenting at an InfoSec conference around the world. While our time together is short we always have thought provoking discussions where, I at least, learn a good deal. You see, Gary has been around the block once or twice with probably every software security strategy/tactic and is willing to share keen insights on exactly why something will work, not work, or somewhere in between. One particular subject we thought it would be fun to turn the discussion into a podcast.
Last week I became Gary’s most recent “victim” (Episode 32 of the Silver Bullet Security Podcast) where we discuss the differences and similarities between Software Security and Web Application Security. Is WebAppSec just a subset of Software Security? It certainly could be. Are all the “new” Web attacks we “discover” already documented a decade or more ago? I’m not quite there yet, but it would be unnerving if so. It would also seem that Web Application Security could be considered a subset of Website security, because certainly not all vulnerabilities on a website can be found in the code.
Gary went on to publish an article where he raises the question, “Is Web application security commanding too much attention at the expense of other security issues?” I think we all know where I land on the subject, however this is definitely a worthwhile read.
When I was teaching myself webappsec way back in the day (the late 90's), and when I was writing the OWASP Guide 2.0, I used first principles from a software engineering perspective to come up with the controls for webappsec, including the application security model to think about potential attacks and defenses.
In particular, I looked at ISO 17799 to decide on particular controls, and at the still useful security principles laid out in 1975, which I am sure come from earlier times than even then.
I consider webappsec a superset of the application security realm, with a very large intersection.
Post a Comment