Saturday, August 18, 2007

Web Application Security Scanners

Jeff Williams over at OWASP (Chairman) / Aspect Security (CEO) posted a very insightful monologue about the State of Web Application Security Scanners to several of the OWASP eLists, and I thought it was so crucial to those of us who care about Web App Security that I placed a copy at http://www.owasp.org/index.php/Web_Application_Scanning.

The takeaway from this is that you just cannot buy a web app scanner from one of the big three (SPI, Cenzic, Watchfire) and use it as the foundation of your application security process. Web app security scanners do not pick up a large class of flaws, including business-logic errors, access-control failures, and deeper application security problems that are not easily exposed from the endpoints. For those you need manual code review by an expert, and architectural review by an expert.
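The access-control case is the clearest way to see why an endpoint-only scanner falls short, so here is an added example (my own illustration, not code from Jeff's post or from any scanner vendor). It models a hypothetical "view invoice" handler twice over a constructed in-memory data set: once without an ownership check and once with it. Both versions return a well-formed 200 response for any invoice id, so a scanner that looks for error signatures or reflected payloads sees nothing; only a reviewer who knows that invoice 1002 belongs to bob, and encodes that as a test, can tell the two apart. All names (`INVOICES`, `view_invoice_vulnerable`, `view_invoice_fixed`, `scanner_sees_anomaly`, `authz_regression_test`) are assumptions made for the example.

```python
"""Added example, not from the original post: why a black-box scanner misses
an access-control flaw that a manual reviewer catches.

Two versions of a hypothetical "view invoice" handler are modelled as plain
functions over a constructed in-memory data set. Every request returns a
syntactically normal response, so an endpoint-only check has nothing to flag.
"""
from dataclasses import dataclass

# Constructed sample data: invoice id -> (owner, amount). Not real records.
INVOICES = {
    1001: ("alice", 120.00),
    1002: ("bob", 80.50),
}


@dataclass
class Response:
    status: int
    body: dict


def view_invoice_vulnerable(user: str, invoice_id: int) -> Response:
    """Looks the record up by id only: any authenticated user can read any invoice.

    The response is well-formed either way, which is exactly why a scanner that
    keys on error pages or injection echoes does not notice the problem.
    """
    record = INVOICES.get(invoice_id)
    if record is None:
        return Response(404, {"error": "not found"})
    owner, amount = record
    return Response(200, {"id": invoice_id, "owner": owner, "amount": amount})


def view_invoice_fixed(user: str, invoice_id: int) -> Response:
    """Same lookup, but the record is released only to its owner.

    "Missing" and "not yours" share a status so the handler does not leak which
    invoice ids exist.
    """
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != user:
        return Response(404, {"error": "not found"})
    owner, amount = record
    return Response(200, {"id": invoice_id, "owner": owner, "amount": amount})


def scanner_sees_anomaly(resp: Response) -> bool:
    """Crude model of what an endpoint-only scanner can observe: server errors
    or stack traces in the body. It has no notion of who owns invoice 1002,
    so a 200 with valid JSON looks fine to it."""
    return resp.status >= 500 or "Traceback" in str(resp.body)


def authz_regression_test(handler) -> bool:
    """What a manual reviewer encodes once the rule is understood: a user may
    read their own invoice and must not read anyone else's. Returns True when
    the handler satisfies the rule."""
    own = handler("alice", 1001)
    other = handler("alice", 1002)
    return own.status == 200 and other.status != 200


if __name__ == "__main__":
    for name, handler in (("vulnerable", view_invoice_vulnerable),
                          ("fixed", view_invoice_fixed)):
        cross = handler("alice", 1002)
        print(f"{name:10s} scanner flags cross-user read: {scanner_sees_anomaly(cross)}; "
              f"authz rule holds: {authz_regression_test(handler)}")
```

The point of `authz_regression_test` is that the knowledge a reviewer gains ("invoices belong to a user") is worth keeping as an automated check in the build, even though no generic scanner could have produced it.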

Security Awareness

It's my belief that you cannot write a secure application without security awareness deeply rooted within the minds, souls and software development life-cycle practices of your software developers.

If you are trying to go from a developer team that has no security awareness to total developer security awareness and practice, the cost is prohibitive. But if security awareness training for developers becomes a regular part of your software development life cycle, the cost to train goes down dramatically over time. Continuing education is cheaper than full-blown re-training.

- Jim