CSI Annual Conference - Highlights on Web App Security

Date: November 20, 2008

From a post on the webappsec mailing list (see – I do read it!), Rafal Los writes up some of his notes.

Nothing too unusual there, but I still think there is a fair amount of FUD. In a lot of cases I agree with his notes, and it’s worthy of a much longer post. You can really see some people’s fingerprints on these notes if you know what you are looking for and are well versed in certain "talking points" that are out there, but generally it reflects quite well the feeling that a lot of us "in the trenches" have.

I especially like the "from the audience" section – we really should listen more to what our customers are pleading for. A large number of the points we can’t do all that much about; they are outside a lot of our scope (as consultants, third-party vendors, etc.) and up to the people inside a given company, but that doesn’t mean we can’t be providing advice in the form of blog posts, whitepapers or speaking engagements.

One of the advantages we have over people who work in a specific company is that we see a lot of different ways that things such as outsourcing, tool integration into the SDL, compliance, metrics, vuln management, outsourcing of security services, and so on are being done inside a variety of places, and which ones are "successful".

I’m going to keep this article on my desktop and come back to try to put my thoughts on each of these in upcoming posts.
