How to Suck at Information Security

This has been making the rounds for the past few days, but it was pretty amusing, so I thought I would re-post it here:
How to Suck at Information Security

The list is very broad-based, but a few of the items relate directly to application security:

  • Don’t review system, application, and security logs.
  • Expect SSL to address all security problems with your web application.
  • Act superior to your counterparts on the network, system admin, and development teams.

In the realm of application security I might add a few more:

  • Assume your developers know how to design secure applications and write secure code
  • “Manage” application-level vulnerabilities by emailing 400 page vulnerability reports to developers and then griping months later when nothing has been fixed
  • Center your application security strategy around an automated web application scanning or code analysis tool

Anybody else seen any fun application security anti-patterns?

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
