Houston Microsoft CSO Roundtable Wrap Up

Yesterday I was in Houston running a Microsoft CSO Roundtable. The topic was Application Security and we had a great discussion among several Houston-area Chief Security Officers. One of the really valuable insights coming out of the discussion was that application security standards need to be practical and achievable if security groups are going to expect application developers to actually follow them. Half-page to one-page standards documents were recommended. This is a huge departure from a lot of industry secure coding standards we have seen in the past, but for some organizations that seems to be all that works.

The adoptability of standards has been a long-time concern at Denim Group. We have seen far too many overly-academic security recommendations documents that over-address very subtle security points. In a perfect world these types of things would be addressed, but for starters there are a couple of things that all organizations need to do in order to improve the security of their applications. Focusing on secure coding idioms to reduce or eliminate SQL injection and cross-site scripting (XSS) attacks, along with watching how form parameters and cookies are used, goes a long way toward addressing many major security concerns.
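As an added illustration of the kind of one-line idioms such a short standard can ask for (example code written for this post, not Denim Group's own; it uses a constructed in-memory SQLite table and assumes a form parameter arrives as a plain string):

```python
import html
import sqlite3


def make_db():
    # Constructed sample data, not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_concat(conn, name):
    # The idiom a standard should forbid: the form parameter becomes part of
    # the SQL text, so the database cannot tell data from query structure.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    # The idiom a standard should require: the parameter is bound separately
    # and is only ever treated as a value, never as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    # The XSS counterpart: encode for the output context (HTML body/attribute)
    # before a request value is placed into a page.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    untrusted = "x' OR '1'='1"  # a form value that is not a user name
    print(find_user_concat(db, untrusted))  # every row comes back
    print(find_user_param(db, untrusted))   # no row matches that literal name
    print(render_greeting("<b>guest</b>"))
```

A one-page standard can state these two rules in a sentence each ("bind parameters, never concatenate" and "encode on output"), which is what makes them something a development team will actually check for.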

This was a great discussion and I will try to get the slide deck posted online at the Denim Group Knowledge site shortly.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
