« SANS Security Laboratory | Main | Credit card numbers, asset valuation, and PCI backlash »

Web App Security vs. Software Security

Jeremiah Grossman's tweet drew my attention to Gary McGraw's article on web apps and software security. Mr. McGraw assumes that web apps and software security are different things. At one point he states:

...by understanding how particular Web attacks work, we can both uncover particular versions of such problems in real software, and we can also learn to avoid certain particular problems. [italics added]

The distinction about "real software" is a strange bias, and just because a piece of software can be attacked over HTTP does not make it less "real." It's all software. Advances in securing web software are advances in the overall field of software security. 

Other than revealing a strange bias against web applications, the article makes the point that techniques effective in one software security domain may or may not be effective in another domain. There is not a one true way to do software security.

This point was also made recently by Microsoft's Bryan Sullivan in discussing how they've streamlined their security development lifecycle for agile development, particularly for web apps. Microsoft found that the techniques used for securing desktop applications with longish development efforts was not suitable for the rapid turnaround environment of web software. So they made adjustments to their security process. 

I'm reminded of a saying (I'm not sure where I picked it up), that best practices are what you do when you don't have the time or flexibility to do what's right. Blind adherence is never good. Stay flexible and adapt.

Kevin Kenan on November 14, 2008 in Software Security |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83420496153ef010535f5f526970c

Listed below are links to weblogs that reference Web App Security vs. Software Security:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

About

  • A blog by Kevin Kenan about technology, security, and the ancient craft of programming.

    You might also be interested in checking out TeXTARIUM, where I chat about fiction, music, and the pursuit of the perfect shot of espresso.

My Book

  • Cryptography in the Database: The Last Line of Defense

    My book on using cryptography to protect information stored in a database. Published by Addison-Wesley and Symantec Press. Read more at the book's site. The source code is available for download.

Categories

Dedication

  • My grandfather had a wonderful shop in his basement. To me, it was a place of mystery and fascination, and I would spend hours wandering through it, looking at all the tools and projects in various states of completion. Not being much of a wood worker, I've never had the need for such a shop (not to mention that I lack a basement), but recently it occurs to me that my gear, computers, and software are my shop. This site is for my late grandfather and everyone else who takes personal pride in carefully executed work.
Subscribe to this blog's feed