Pantek Library

RE: WebAppSec Training Courses in UK

From: <Craig_Sullivan(at)Waitrose.co.uk>
Date: Wed Dec 04 2002 - 13:24:37 EST

Security Architect,

>>My point is that training should be about educating people about the right things to do, not recounting or accepting that people don't do that today. Of course we need to be real but we need to educate executives that it's not good <<

Of course, this is accepted. Your job (and others') should be about identifying risks that are evident to YOU but that, to the owners or business sponsors of these sites/services, fit within a priority order. Training is essential, but so is the job of identifying the priority of business-related risks that you can find out when conducting testing (it also serves as a validation of your efforts).

The point I think you are missing is that for many companies, training is either not an option or is not considered (app dev is outsourced).

For these companies, a rubbish pentest will accomplish nothing apart from giving an unrealistic sense of security or worry (depending on what they find). Here is where I agree completely with you on the 'scan and charge' mentality of a lot of security companies. They are not addressing the core problem and are probably not identifying the risks that are appropriate to the business owners of the site/service.

I guess we are going to agree here that education is more important than useless validation tests. I call it the same as an 'air guitar' except in this case the guitar is a flabby appendage attached to the site owners nether regions <grin>.

If half of the companies I've worked with were so concerned about their security, the world would be a better place. If only the money being spent was better directed, the web would be a more secure place to do business...


Craig

                                                                                                                                       
securityarchitect@hush.com
04/12/02 17:02
To: Craig_Sullivan@Waitrose.co.uk
cc: dan@idsec.com, glyn.geoghegan@corsaire.com, webappsec@securityfocus.com
Subject: RE: WebAppSec Training Courses in UK


I don't disagree with most of what you and Glyn said. It was well put and a good debate. Thanks.

My point is that training should be about educating people about the right things to do, not recounting or accepting that people don't do that today. Of course we need to be real but we need to educate executives that it's not good enough to test at the end of a project's lifecycle. That's a training course that really needs to happen in itself. If we say this is what happens in the real world (it's always late, we never have money, no time etc) we'll never tackle the problem strategically and will be in the same place next year.

Functional testing was in the same place a few years back, but you look at any good dev shop's unit tests now and you can see how testing can be integrated into dev cycles pretty easily.

Of course there is a place for pen testing. But IMHO it's nowhere near the place it is often perceived today. I think we agree on that. This list is frequented by more pen test types as well, I would muse, so the responses are skewed. If you ask secprog (and the debate is going on there now) they have a very different focus, and if you ask CISSP lists I am sure it will be equally skewed.

My point and I think yours is that good training needs to encompass all aspects of web application security. It should be about teaching people the things they need to do, as well as teaching them the things they already do better.

On Wed, 04 Dec 2002 07:39:40 -0800 Craig_Sullivan@Waitrose.co.uk wrote:
>
>Hmmm,
>
>Methinks that security architect has possibly not had to work for a company that is the recipient of these services.
>
>>>Firstly there is little accountability. It's perceived as an art and not a science and therefore you really have little confidence that all of the things that should have been tested were<<
>
>Yes, but we accept these limitations when engaging a security firm to cover those areas where we may have limited experience or time. People accepting poor quality output from a security assessment are themselves to blame as much as the 'market' is for foisting solutions that may have limited applicability to reducing 'real risks' they are likely to encounter.
>
>
>>>Someone once used a great analogy. If you're testing for cancer would you take someone's temperature? <<
>
>This is a poor analogy for security and risk assessment. We don't test for temperature but instead try to reduce the patient's desire to smoke, drink or otherwise ingest stuff that would increase the risk of cancer. If they have cancer, you are too late pal...
>
>>>Assess strategically not tactically. Assess how security is baked into the development process and not just in a deployment scenario.<<
>
>It would be wonderful if I had the chance to build security in from the start of every development project. Whilst continuing to educate developers (who are often churning through new staff) about security best practice, I still have to rely upon assessments to catch transgressions.
>
>The usability industry is no stranger to this scenario; in many cases, clients ask usability consultants to find problems with an interface that has *already been developed*. The same situation exists with web application security - in many cases, I'm asked to identify problems that shouldn't have arisen in the first place. Whinging about this doesn't address the problems though - I have to educate developers, but this doesn't obviate the need to perform some level of app security testing, often late in the development cycle (for late, read 1 week before release).
>
>In the absence of security-conscious developers, we have to rely upon education AND compliance testing during a project. I personally think that many of the services offered to 'assess' security from established companies are pretty lame these days. They cannot possibly understand the background that the developers have, understand 'bad practice' that has established itself within a company, or provide assessments that leverage internal knowledge of where vulnerabilities may lie. We accept these limitations of any assessments that may be provided and direct them appropriately towards areas that we know are weak. It isn't that we suggest that you do only one or the other - there is a place for education and a need for verification.
>
>What I'm worried about is that many companies will seek to exploit app vulnerabilities to clients without addressing the underlying problems with the platforms and development approach.
>
>Craig.
>
> securityarchitect@hush.com
> 03/12/02 19:08
> To: dan@idsec.com, glyn.geoghegan@corsaire.com
> cc: webappsec@securityfocus.com
> Subject: RE: WebAppSec



Received on Wed Dec 4 15:22:10 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT

