Thursday, 6 January 2011


Something I am a firm believer in is the community learning something and everyone else benefiting. For instance, we don't all have to discover electricity because others have come before us and we all benefit.
In the world of software applications, particularly web applications, the security weaknesses that we all face are very similar and are known. People have done the work for us and we know where the vulnerabilities lie, so why do we not design these protections in from the start of our systems?
Well, there are of course several reasons. Maybe we didn't write the system, maybe it is open source, maybe we are not very well trained or experienced, or maybe we mistakenly believe that our site would not be the target of any type of attack.
Whatever the reasons, OWASP has made great progress in defining an industry standard specification which describes fixed levels of web security. It provides an objective means to measure both the security of our own applications (meaning that we can prove government compliance for critical web apps) and the quality of a security tool that we might use to test our code.
The link is here: Application Security Verification Standard Project and as they say, even if you can't follow all of it, anything is better than nothing. Having an incomplete code-review checklist is better than no checklist.
It is worth spending time reading through the materials (OWASP also have the free ESAPI security framework for use in applications) and, if you are a large organisation, it is probably worth investing in some training. The principles are not difficult, but they are also not all obvious, and having someone analyse your processes and point out areas of weakness is usually easier than trying to learn ASVS and analyse your own processes.
Let's hope that one day these kinds of things just become the de facto standard and that by standardising and learning from each other, we can kiss goodbye to most web-based attacks.