Comments on: Application Security: A Tool Cannot Solve What Fundamentally is a Process Problem

By: More Application Security Goodness From OWASP

More Application Security Goodness From OWASP — Thu, 14 Jan 2010 14:13:05 +0000

[...] the beginning. Many of the clients I talk with are highly focused on the ‘produce’ part – improving their development processes to ensure that more secure code is produced and that security testing is incorporated in the [...]

By: Security Thought for Thursday: DLP Should be a Process, not a Product

Security Thought for Thursday: DLP Should be a Process, not a Product — Thu, 10 Sep 2009 22:28:03 +0000

[...] one of the DLP vendors such as McAfee, Symantec, EMC/RSA and so on. Much like I talked about in this post on application security, a product cannot solve what first and foremost is a process problem. The [...]

By: Byte Code Analysis is not the same as Binary Analysis

Byte Code Analysis is not the same as Binary Analysis — Fri, 24 Jul 2009 18:28:59 +0000

[...] posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a magic quadrant for static application [...]

By: James

James — Sat, 13 Jun 2009 14:20:07 +0000

I am surprised that the research didn’t contain additional guidance such as referring readers to organizations such as OWASP. Would be curious to know why this was left out?

By: Beware New Malware in Web Apps | Computer Security

Beware New Malware in Web Apps | Computer Security — Tue, 14 Apr 2009 19:50:46 +0000

[...] vendors aren’t ready either. It’s pretty simple. If we don’t proactively start efforts now to produce more secure applications and demand the same from our software providers, the bad guys will find the vulnerabilities for [...]

By: Shrinking Budgets: Application Security Tools vs Process Tradeoff « noFUD - No Fear Uncertainty or Doubt

Fri, 10 Apr 2009 19:44:33 +0000

[...] is given to how to integrate this in existing into development lifecycles. Application security is fundamentally a process problem and you can’t solve it just by using [...]

By: Neil MacDonald

Neil MacDonald — Tue, 17 Mar 2009 00:12:25 +0000

Thanks!

We’ve been talking about building more secure applications for years. And talking. And talking. But, there’s some hope. You are right – we’ve come a long way in understanding the problem. We’ve got several successful companies that we can point to to start to understand the best practices.

That’s why I like the study cited in my post above from Fortify and Cigital. It provides at least a framework for starting the discussion. Even if you have started, you could use the study to compare to what you are doing and see what might be missing.

By: Ashish Popli

Ashish Popli — Mon, 16 Mar 2009 17:08:29 +0000

This is a great post!

After several years of working in application security domain and reading this post just by chance, I felt a lot of data points are nicely amalgamated.

I am happy that we have come a long way in understanding the problem – the first step in solving it.

By: Yet another big company with SQL Injection problems (British Telecom) | N-Stalker Web Security Community

Fri, 13 Mar 2009 23:59:22 +0000

[...] good post that we read today really fit this problem: “Application Security: A Tool Cannot Solve What Fundamentally is a Process Problem“ that simply agrees with that. Companies aren’t making their home work: scanning [...]

By: Mandeep Khera

Mandeep Khera — Fri, 13 Mar 2009 03:38:22 +0000

Neil

I couldn’t agree with you more. As we have talked before a few times , throwing just the technology at a problem is a bad idea. Without a sound process, all automation attempts can fail regardless of whether it’s ERP, App Security, or any other business process. Process defines the clear path to your goal, automation gets you there faster than manual efforts.

Thanks!