This has been making the rounds for the past few days but it was pretty amusing so I thought I would re-post here:
How to Suck at Information Security
The list is very broad based, but there were a few that were related to application security:
- Don’t review system, application, and security logs.
- Expect SSL to address all security problems with your web application.
- Act superior to your counterparts on the network, system admin, and development teams.
In the realm of application security I might add a few more:
- Assume your developers know how to design secure applications and write secure code
- “Manage” application-level vulnerabilities by emailing 400 page vulnerability reports to developers and then griping months later when nothing has been fixed
- Center your application security strategy around an automated web application scanning or code analysis tool
Anybody else seen any fun application security anti-patterns?
dan _at_ denimgroup.com