WebApp Sec mailing list archives
RE: Home - Web Application Security Consortium
From: "Arian J. Evans" <arian () anachronic com>
Date: Mon, 28 Jun 2004 20:44:42 -0500
Mads, see you found the newest '04 security consortium:

> <http://www.webappsec.org/> I didn't know OWASP had competition :o) It seems very similar to the OWASP but more closed and less informative. Comments?
Here's a guess...but I think the implied motivations of the two groups are going to be a bit different:

OWASP: From what I've seen of who's involved in/started/run OWASP, it's predominantly consulting organizations offering security *services*. I'm excluding Foundstone since their software offerings are in the highly-commoditized network assessment space, and Teros makes a specialized web app 'firewall'. I suspect this group will be more focused on identifying and addressing the root cause of application security issues, and a bit less on product advocacy.

WASC: Is founded and chartered by many meaningful players in the Web Application "Assessment Tool" or "Automated Assessment Service" space: Sanctum, SPI, AppSecInc, WhiteHats, Kavado, etc. My guess is this group will be more about pen testing and assessment, and making boilerplate "best practice" lists so you can run a scanner against your website and assuage yourself of the anguish that you might not be HIPAA or GLBA compliant. (humor) Or apply those template findings to your "Web Application Firewall".

This is completely a guess; Caleb (or anyone from WASC) feel free to correct me. But otherwise, why not just use the seasoned vehicle OWASP provides?

<OT><request_for_other_opinions>

I think there's certainly a place for both approaches; mature dev shops should have standards, processes, peer review or pair coding, etc. to address quality, and still use automated solutions from vendors like Mercury Interactive for QA and availability ascertain. I have a great relationship with several of the WASC vendors...I'm very glad they make the tools they do. However, I don't think tools are going to help solve the long-term issue. I tend to lean towards process re-engineering and secure architecture as opposed to pushing simply pen test and tools, though it's quick and easy money, and easier to chart 'progress'. E.g., having the latest and greatest network vulnerability scanner doesn't help you solve the problem that your staff can't manage the COTS software you already have. But it does give you some insight into your immediate problems, and catch accidental or repeated mistakes...
I'm also irritated I missed the App Sec NYC conference, Arian