I love your blog but I have a very very quick comment. Code scanning tools are very very ineffective at providing a picture of true “acceptable risk” ayt the application layer. As we have seen numerous times, some of the most egregious injection, session theft, and parameter hacks have come at the expense of AD teams that coddled themselves with a false sense of security that a code scanner told them all they need to know. In fact scanners are a jumping off point for surface level issues.

As web hacking becomes the prominent form of bypassing enterprise DMZ’s to get to the goodies, the logic used in the application development process is oft times not able to be detected as a flaw or vulnerability by a mere scanner. What has to happen is that early in the SDLC practices have to be implemented.

The wrong culture in AD says that, “oh we have an app going live in two weeks, is it secure? I dunno, I guess we should run a scan and patch”. Then version two of that app comes out six months later and guess what? The same vulnerabilities are back. Why is that? Because developers by and large don’t view application security as a part of SDLC, its just something we have to do that slows us down.

The same applies for web app firewalls. Great tools, but they simply cannot replace secure development practices as a part of the SDLC from beginning to end. Web apps should be assessed with sound methodologies ( I am biased on this obviously but I believe it) and practices should be honed away from poor logic, unnecessary information, black lists, and “patch and go” approaches etc.

again, my humble opinion