Yesterday I was in Houston running a Microsoft CSO Roundtable. The topic was Application Security and we had a great discussion among several Houston-area Chief Security Officers. One of the really valuable insights coming out of the discussion was that application security standards need to be practical and achievable if security groups are going to expect application developers to actually follow them. Half-page to one-page standards documents were recommended. This is a huge departure from a lot of the industry secure coding standards we have seen in the past, but for some organizations that seems to be all that works.
The adoptability of standards has been a long-time concern at Denim Group. We have seen far too many overly academic security recommendation documents that over-address very subtle security points. In a perfect world these types of things would be addressed, but for starters there are a couple of things that all organizations need to do in order to improve the security of their applications. Focusing on secure coding idioms to reduce or eliminate SQL injection and cross-site scripting (XSS) attacks, along with watching how form parameters and cookies are used, goes a long way toward addressing many major security concerns.
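To make the "short standard" concrete, here is an added example (not from the post or from Denim Group) of the two idioms it names: a parameterized query in place of string-built SQL, and HTML encoding of any form parameter or cookie value before it is written into a page. The in-memory SQLite table and the user names are constructed sample data.

```python
import html
import sqlite3

# Constructed in-memory table standing in for the application's database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])


def lookup_role_unsafe(username: str) -> list:
    """Anti-pattern: a form parameter concatenated into the SQL text.
    The database cannot tell the query's structure apart from the
    user-supplied value, so a quote in the input changes the statement."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role(username: str) -> list:
    """Idiom the standard should require: a parameterized query.
    The value is bound separately and is always treated as data."""
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_query_breaks(username: str) -> bool:
    """True if the concatenated query fails to parse for this input,
    i.e. the input was interpreted as SQL rather than as a value."""
    try:
        lookup_role_unsafe(username)
    except sqlite3.Error:
        return True
    return False


def render_greeting(display_name: str) -> str:
    """Idiom for XSS: encode any form parameter or cookie value before
    it is placed in HTML, so markup characters lose their meaning."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    # A legitimate name containing an apostrophe is enough to show the
    # difference: the concatenated query fails, the bound query does not.
    print("unsafe query breaks on O'Brien:", unsafe_query_breaks("O'Brien"))
    print("parameterized lookup:", lookup_role("O'Brien"), lookup_role("alice"))
    print(render_greeting("<b>O'Brien</b>"))
```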
This was a great discussion and I will try to get the slide deck posted online at the Denim Group Knowledge site shortly.
–Dan
dan _at_ denimgroup.com