Six Steps to Pull App Security Back to the Future
Talk to members of the Open Web Application Security Project (OWASP) and all will agree that app security is half a decade behind where it should be, especially at the government level. For examples of why that is, read Jeremiah Grossman's CSOonline column Web Application Security Today - Are We All Insane?
The organization routinely holds events designed to turn the trend around, including the 2009 OWASP Application Security Conference (AppSec DC) in the nation's capital Nov. 10-13. In advance of the conference, CSOonline touched base with OWASP member Matt Fisher, CEO and AppSec contractor at Piscis Security, about some of the key problems with app security today and six ways to turn things around. We begin with some questions and answers on the current state of affairs, then move to the six steps.
See also: How to Evaluate (and Use) Web Application Security Scanners
CSO: Where are organizations most out of sync in terms of how they use Web 2.0 apps and what the greatest security risks are as a result?Matt Fisher: Well, the term "web 2.0" is a bit like "cloud computing." One of the challenges there is defining it. "Web 2.0" can refer to the programming technologies and certainly the increase in browser plug-ins and client-side techs used for rich internet apps has seen their share of vulnerabilities. It can also refer to collaboration and awareness applications such as internal wikis and blogs. The risk there -- particularly on a wiki -- is that you don't have any control over the content being supplied. If that wiki is open to the entire organization then you're subject to anyone in your organization posting confidential or inappropriate content. Now, if by "web 2.0" one means social networking applications, then the risk goes up tremendously. They make good marketing platforms in that they're opt-in, and let you generate direct impressions without the cost of an e-mail campaign, and they can even be used for inbound information gathering. It's important to realize though that many of these applications have a long history of insecurity and are subject to worms and worse, all of which have the potential to damage your online brand.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Software
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
