The Balkanization of Web Application Security
By Bill Pennington
Recently on the Web Security mailing list a bit of a holy war broke out over web application firewalls. For those new to the web security space this might be the first time they have seen this occur, but as someone who has been in this space for over nine years now, this is nothing new, and that troubles me. After all this time we are still fighting petty battles while the bad guys run amok exploiting web application vulnerabilities left and right.
Why all the fighting? Can’t we all get along? What is the cause of this fracture?
My opinion is that a majority of experts in web application security are only experts in web application security. Few have run a business, had to work within a budget, or had to make tough trade-offs between securing the code you have today and investing in securing the code you might have tomorrow.
In addition to a rather narrow focus that generally excludes any business experience, most people in the web application security space are specialists in one particular area: source code review, black box testing, web application firewalls, or developer training. This lack of knowledge of the other solutions generally breeds fear and contempt.
So what is a business to do? The first thing you must understand is that no single solution will solve your web security issues; each has its strengths and weaknesses. In order to have a comprehensive solution you need to be doing all of them in some capacity. This comes as a shock to most people I speak with, who think web application security is just one more thing that needs just one solution. The reality is that web application security is a very complex problem with some rather simple solutions and some very complex and expensive solutions.
The business needs to properly assess the risk to its assets in order to match the security spend with the value of each asset. This is not always easy, as many web application assets have grown outside the view of information security. Ask yourself how many web sites your company has, what they do (business-wise), what data they have access to, and how valuable that data is. Now double the number of web sites, because I can guarantee you have underestimated; even the most mature programs still have big gaps in their knowledge of their web assets.
Once you have a decent grasp of your assets and their value, then you can properly assess what to do in order to protect them, and at what level. For the web site that 90% of your revenue flows through, you are going to want to do everything you can to protect it and make sure it is developed securely. The web site that 20 business partners use, that was written by the CFO’s son as a class project, and that no one has any idea how to fix (because it is written in Seaside) requires a different approach altogether.
Bottom line: don’t get too wrapped up in the rhetoric, and I would not trust anyone who is only touting a single one-size-fits-all solution. Pick the solutions that best fit the security required for a given asset at the time, and understand that the solutions you pick today may need rethinking tomorrow. The web application security space is still a relatively young discipline and is growing every day.