I had the distinct pleasure today of moderating a discussion among a number of CSOs from some of the largest organizations in San Antonio. The event was sponsored by Microsoft and was part of their CSO Roundtable series.
We started out with a brief presentation about web application security and why it is important. The slide deck is available here from the Denim Group Knowledge site. That was great for getting things started, but the real point of the lunch session was to get CSOs talking to one another. We had a great and spirited discussion about what organizations had done, what worked and what didn’t. Some key points coming out of the discussion were:
- For CSOs, black box scanning tools like WebInspect from SPI Dynamics are slowly becoming a “must have” and the developer plugins like DevInspect are also gaining in popularity. Leading organizations require that an application pass these scans with flying colors before builds can be placed in production. These tools are getting more mature, but they are unfortunately unable to find certain classes of application vulnerabilities (logic-level vulnerabilities related to many design and architecture flaws). In order to find these flaws, knowledgeable personnel have to examine applications.
- The “standard” development stack from Microsoft (Visual Studio, IIS, SQL Server) has made it easier for application security tool vendors to jump on the bandwagon and create integrated plugins. J2EE tools are certainly available, but the many incompatible development tool sets have hurt the availability of tools seamlessly integrated into the development environment.
- Organizations that want to avoid constantly paying for consultants to come in and do the dirty work need to invest in training their developers and QA personnel and addressing security throughout the SDLC. The earlier security is taken into account the cheaper the total solution will be.
- Now that the PCI standard mandates compliance with the OWASP Top 10 even more organizations are going to have to take note. It is still up in the air as to how seriously Visa and associated audit firms will be watching. This is yet another case where the Top 10 is being used as a standard, even though it is actually just a list of common web application vulnerabilities. But I suppose that anything that gets organizations thinking about web application security is a “good thing.”
I would like to thank all of the participants in today’s event. There was a lot of great discussion and it was fantastic to get a number of San Antonio CSOs together to share ideas and experiences. Also – I will be in Oklahoma City, OK on Wednesday June 14th, 2006 to host another Application Security CSO Roundtable. Any interested security personnel are invited to register. Hope to see you there.
dan _at_ denimgroup.com