WebApp Sec mailing list archives

RE: Home - Web Application Security Consortium


From: "Arian J. Evans" <arian () anachronic com>
Date: Mon, 28 Jun 2004 20:44:42 -0500

Mads, see you found the newest '04 security consortium:

<http://www.webappsec.org/>
I didn't know OWASP had competition :o)
It seems very similar to the OWASP but more closed and less 
informative

Comments?

Here's a guess...but I think the implied motivations of the two
groups are going to be a bit different:

OWASP:

From what I've seen of who's involved in/started/run OWASP,
it's predominantly consulting organizations offering security
*services*. I'm excluding Foundstone since their software
offerings are in the highly-commoditized network assessment
space, and Teros makes a specialized web app 'firewall'.

I suspect this group will be more focused on identifying and
addressing the root cause of application security issues,
and a bit less on product advocacy.

WASC:

Is founded and chartered by many meaningful players in
the Web Application "Assessment Tool" or "Automated
Assessment Service" space. Sanctum, SPI, AppSecInc,
WhiteHats, Kavado, etc.

My guess is this group will be more about pen testing
and assessment, and making boilerplate "best practice"
lists so you can run a scanner against your website
and assuage yourself of the anguish that you might
not be HIPAA or GLBA compliant. (humor) Or apply
those template findings to your "Web Application Firewall".

This is completely a guess; Caleb (or anyone from WASC)
feel free to correct me. But otherwise, why not just use
the seasoned vehicle OWASP provides?

<OT><request_for_other_opinions>

I think there's certainly a place for both approaches;
mature dev shops should have standards, processes,
peer review or pair coding, etc. to address quality, and
still use automated solutions from vendors like Mercury
Interactive for QA and availability ascertainment.

I have a great relationship with several of the WASC
vendors...I'm very glad they make the tools they do.
However, I don't think tools are going to help solve
the long-term issue. I tend to lean towards process
re-engineering and secure architecture as opposed
to pushing simply pen test and tools, though it's quick
and easy money, and easier to chart 'progress'.

e.g., having the latest and greatest network vulnerability
scanner doesn't help you solve the problem that your
staff can't manage the COTS software you already have.
But it does give you some insight into your immediate
problems, and catch accidental or repeated mistakes...

I'm also irritated I missed the App Sec NYC conference.

Arian
