Hyperguarding your Web Applications

Posts Tagged ‘Application Security’

‘Tis the Season for Overflow Help (look to the Cloud?)

Posted by hyperguard on November 18, 2009

The holiday season is upon us, and its traffic can crush under-resourced companies that depend on e-commerce. Hundreds of thousands of visitors per day can turn into a mad rush of millions, bringing online sales crashing down. Amazon Web Services (AWS), Google and other cloud providers are preparing to provide overflow capacity for those in need.

The world is not all roses, however, and companies should understand that beyond their secure network perimeter lie threats (ahem, OWASP’s new Top 10) that target the application itself. Since it takes a company an average of 67 days to fix a common web application issue such as Cross-site Scripting, the holiday season could spell trouble for companies without adequate security measures in place, such as a ‘virtual patch’ (for example a rule on a cloud-based WAF that blocks exploitation of the flaw in front of the application) until the real code fix can be developed and deployed.

Just imagine the revenue lost over the 67 days it takes to fix the problem at the code level if the vulnerability is not shored up in the meantime.
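To make the ‘virtual patch’ idea concrete, here is an added example (not code from the original post, and not any vendor’s product): a reflected-XSS search handler, the real code-level fix (output encoding), and a simple WAF-style denylist rule applied in front of the unfixed handler. The handler names, the rule and the sample requests are all constructed for illustration. It also shows the caveat a practitioner should keep in mind: a denylist rule buys time but can be bypassed (here with a character reference inside an href), which is why the code fix still has to ship.

```python
"""Added example: reflected XSS, its code-level fix, and a WAF-style virtual patch.
All function names, the rule and the sample payloads are constructed here; they are
not from the original post or from any particular WAF product."""
import html
import re
from typing import Callable, Tuple
from urllib.parse import parse_qs, quote, urlsplit


# The unfixed handler: reflects the search term into HTML verbatim (reflected XSS).
def render_search_vulnerable(query: str) -> str:
    return f"<p>Results for: {query}</p>"


# The real fix: contextual output encoding where the untrusted value enters HTML.
def render_search_fixed(query: str) -> str:
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# A denylist rule of the kind a WAF would apply as a virtual patch to the "q" parameter.
# Deliberately simple so the bypass below is visible; production rulesets are broader.
XSS_RULE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|style)\b"  # dangerous tags
    r"|\bon\w+\s*="                                            # inline event handlers
    r"|javascript\s*:",                                         # script URLs
    re.IGNORECASE,
)


def virtual_patch(param_value: str) -> bool:
    """Return True when the WAF rule would block the request."""
    return XSS_RULE.search(param_value) is not None


def handle_request(url: str, handler: Callable[[str], str], waf_enabled: bool) -> Tuple[int, str]:
    """Reverse-proxy view: optionally screen the 'q' parameter, then call the app handler."""
    query = parse_qs(urlsplit(url).query).get("q", [""])[0]
    if waf_enabled and virtual_patch(query):
        return 403, "blocked by virtual patch"
    return 200, handler(query)


def search_url(term: str) -> str:
    """Build the request URL the way a browser would (percent-encoded query)."""
    return "/search?q=" + quote(term, safe="")


# Constructed sample payloads.
BENIGN = "winter boots"
CLASSIC = "<script>alert(1)</script>"
# Browsers decode the character reference &#x61; to 'a' inside the href before
# treating the value as a URL, so this runs script; the rule's literal
# 'javascript:' check never sees the decoded form.
ENTITY_BYPASS = '<a href="jav&#x61;script:alert(1)">deals</a>'


def demo() -> dict:
    """Run the same requests against unpatched, virtually patched and fixed handlers."""
    return {
        "benign": handle_request(search_url(BENIGN), render_search_vulnerable, True),
        "unpatched": handle_request(search_url(CLASSIC), render_search_vulnerable, False),
        "virtual_patch": handle_request(search_url(CLASSIC), render_search_vulnerable, True),
        "bypass_vs_waf": handle_request(search_url(ENTITY_BYPASS), render_search_vulnerable, True),
        "bypass_vs_fix": handle_request(search_url(ENTITY_BYPASS), render_search_fixed, True),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:14} {status} {body}")
```

Running it shows the classic payload reflected raw by the unpatched handler, blocked with a 403 once the virtual patch is in front, and the entity-encoded payload sailing past the rule yet rendered harmless by the encoded handler. That is the point of the stopgap: it narrows the window, and the code fix closes it.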

Don’t agree with the 67-day estimate? Javed Ikbal of zSquad illustrated why this is common (and why even 67 days may not be enough) in a painfully humorous way:

Day 1-10: Denial. We don’t have that problem.
Day 11-20: Management: Must we do this? Why couldn’t you do it right the first time?
Day 21-25: Finger-pointing phase. Who is going to pay for this? Is this funded? Who is the project manager?
Day 26-35: Project plan developed. Resources not allocated.
Day 36-45: Pre-meetings and meetings. Project still not funded.
Day 46: CTO chews out VP of software engineering.
Day 47: Project is funded.
Day 48-49: Research.
Day 50: Vulnerability fixed.
Day 51-55: Regression testing. The fix broke 10 other things.
Day 56-60: Fix the new items.
Day 61-65: More regression testing.
Day 66: Meeting where VP of engineering tries to take all the credit.
Day 67: Promoted to production.


Weekly Industry Round-up: Week of November 2nd

Posted by hyperguard on November 6, 2009

Online Security Authority…
Building Security Into Your Organization’s Web Applications to Begin With
This post argues that Web application protection should be a chief component of the Web application development process, integrated from the ground up. It suggests the essential change is one of attitude and awareness among the company’s software developers: security flaws should be viewed as just another category of application defect. Throughout the software development process, the focus must stay on the ever-changing potential for deficiencies and on awareness of new vulnerabilities and exploitation techniques.

CIO…
Six Steps to Pull App Security Back to the Future
Bill Brenner speaks with fellow OWASP member Matt Fisher about some of the key problems with application security today, and together they dive into six ways to address them. Bill wrote this article in conjunction with the upcoming OWASP conference, AppSecDC. This is a great read; it provides helpful background information and links to other application security articles.

Dark Reading…
Tech Insight: Managing Vulnerability In The Cloud
Writer Curt Franklin explores a common question: how do you manage vulnerabilities in your IT infrastructure when it is in the cloud? Although much of this is in your provider’s hands, Curt gives readers some best practices and tips for keeping control of it.
