February 20

The Balkanization of Web Application Security

By Bill Pennington

Recently on the Web Security mailing list a bit of a holy war broke out over web application firewalls. For those new to the web security space this might be the first time they have seen this occur, but as someone who has been in this space for over nine years now, this is nothing new, and that troubles me. After all this time we are still fighting petty battles while the bad guys run amok exploiting web application vulnerabilities left and right.

Why all the fighting? Can’t we all get along? What is the cause of this fracture?

My opinion is that a majority of experts in web application security are only experts in web application security. Few have run a business, had to work within a budget, or had to make tough trade-offs between securing the code you have today and investing in securing the code you might have tomorrow.

In addition to a rather narrow focus that generally excludes any business experience, most people in the web application security space are specialists in one particular area: source code review, black box testing, web application firewalls or developer training. This lack of knowledge of the other solutions generally breeds fear and contempt.

So what is a business to do? The first thing you must understand is that no single solution will solve your web security issues; each has its strengths and weaknesses. In order to have a comprehensive solution you need to be doing all of them in some capacity. This comes as a shock to most people I speak with, who think web application security is just one more thing that needs just one solution. The reality is that web application security is a very complex problem with some rather simple solutions and some very complex and expensive solutions.

Businesses need to properly assess the risk to their company’s assets in order to match the security spend with the value of the asset. This is not always easy, as many web application assets have grown outside the view of information security. Ask yourself how many web sites your company has, what they do (business-wise), what data they have access to and how valuable that data is. Now double the number of web sites, because I can guarantee you have underestimated; even the most mature programs still have big gaps in their knowledge of their web assets.

Once you have a decent grasp of your assets and their value, then you can properly assess what to do in order to protect them and at what level. For the web site that 90% of your revenue flows through, you are going to want to do everything you can to protect it and make sure it is developed securely. The web site that 20 business partners use, that was written by the CFO’s son as a class project and that no one has any idea how to fix (because it is written in Seaside), requires a different approach altogether.

Bottom line: don’t get too wrapped up in the rhetoric, and I would not trust anyone who is only touting a single one-size-fits-all solution. Pick the solutions that best fit the security required for a given asset at the time, and understand that the solutions you pick today may need rethinking tomorrow. The web application security space is still a relatively young discipline and is growing every day.

  1. You hit the nail on the head. I think we security people sometimes get too bogged down in hash collisions and what I call “academic security” when we really need to simply take a step back and look at the big picture.

  2. The single solution idea is one that easily appeals to IT and security folks, as well as their management. Often based on marketing hype, it is amplified by a lack of appreciation for the complexity of the problem and the piecemeal information provided by the vendor about the inner workings of a particular solution.

    I also agree with this statement and have witnessed, during various information security assessments, that the IT department is often unaware of the IT-based solutions other departments have implemented without the knowledge of the IT department. Sadly, this is often due to one too many “No!” replies from IT, which sends the offending business unit to look for its own solution, thereby circumventing IT altogether.

    IT departments need to have a yes-can-do attitude towards their constituents, or at the very least take the time to explain the business (i.e. security) concerns around various requests. As the saying goes, what you do not know, you cannot control.

  3. I think this is endemic of a greater problem in our field – binary mentality. We are either off or on, a zero or a one, black or white. What people don’t get is that there are actually far more shades of grey than there is black and white.

    I always have tried to argue this issue as a classic example of deploying defense in depth and point out three different levels – the WAP, the website itself, and the database back end. Each has an important part to play, and to put total reliance on any one part to hold up security across all three just isn’t realistic.