Building a Web Application Security Program
2009-12-29 11:17
"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of your particular organization. Web application security is not a “one size fits all” problem. The risks, size, and complexity of the applications differ, the level of security awareness among team members varies, and most importantly the goals of each organization are different.
In order to offer practical advice, we needed to approach program development in terms of typical goals. We picked three use cases to represent common challenges organizations face with web app security, and will address those use cases with appropriate program models. We discuss a mid-sized firm tackling a compliance mandate for the first time, a large enterprise looking to improve security across customer-facing applications, and a mid-to-large organization dealing with security for internal applications. Each perspective has its own drivers and assumptions, and in each scenario different security measures are already in place, so the direction of each program will be different. Since we’ve been posting this over a series of weeks, before you dig in to this post we recommend you review Part 4: The Web Application Security Lifecycle which talks about all tools in all phases. First we describe the environment for each case, then overall strategy and specific recommendations."
Read more: http://securosis.com/2009/01/06/building-a-web-application-security-program-part-8-putting-it-all-together/