Comments on The Balkanization of Web Application Security

Bill Pennington, a contributor for the SecurityCatalyst blog, framed the debate over web application firewalls this way:
The first thing you must understand is that no single solution will solve your web security issues; each has its strengths and weaknesses. In order to have a comprehensive solution you need to be doing all of them in some capacity. This comes as a shock to most people I speak with, who think web application security is just one more thing that needs just one solution.
The single-solution idea is one that easily appeals to IT and security folks, as well as their management. Often based on marketing hype, it is amplified by a lack of appreciation for the complexity of the problem and by the piecemeal information a vendor provides about the inner workings of a particular product.
Business[es] need to properly assess the risk to their companies['] assets in order to match the security spend[ing] with the value of the asset. This is not always easy, as many web application assets have grown out of the view of information security. Ask yourself how many web sites your company has, what they do (business-wise), what data they have access to, and how valuable that data is. Now double the number of web sites, because I can guarantee you have underestimated; even the most mature programs still have big gaps in their knowledge of their web assets.
I also agree with this statement and have witnessed, during various information security assessments, that the IT department is often unaware of the IT-based solutions other departments have implemented without the knowledge of the IT department. Sadly, this is often due to one too many "No!" replies from IT, which sends the offending business unit to look for its own solution, thereby circumventing IT altogether.

IT departments need to have a can-do attitude towards their constituents, or at the very least take the time to explain the business (i.e., security) concerns around the various requests they receive. As the saying goes, what you do not know, you cannot control.

Src: The Balkanization of Web Application Security | The Security Catalyst
