Defining a New WebAppSec Role
Posted by hyperguard on May 27, 2010
As a recent WhiteHat and Ponemon Institute report points out, Web application security is a mess today. In part, this is due to mis-ownership of key technologies such as the WAF. Organizational change is needed – a new role needs to emerge that blends IT, networking and development experience – because WebAppSec ‘lives’ across each of these departments, which often compete for resources and exacerbate the issues. In fact, it takes nearly 67 days to fix a vulnerability today. So, what should this new role look like?
OWASP’s paper on best practices for the use of WAFs says the role model should be implemented primarily when the WAF carries out tasks in the context of whitelisting, in order to protect the web applications, in addition to functioning as a second line of defence and providing basic security. The WAF should therefore be configured as closely as possible to the functionality of the web application.
The WAF application manager should be responsible for the infrastructure-related aspects of the WAF and will serve as a bridge between the WAF and the specialist application. The person fulfilling this role will have excellent knowledge of WAFs, so that he or she is able to configure and monitor the WAF for each individual application; they must also know the application well enough to classify and interpret the messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications.