You can't secure what you don't acknowledge.SM

Saturday, May 18, 2013

Web security answers are changing - a frustrating, challenging, and humbling journey

In reading one of Brian Tracy's books, Brian discusses a story of Albert Einstein and an exam he gave to his graduate physics class at Princeton University. After the exam, Dr. Einstein was approached by a student who asked: "Dr. Einstein, wasn't that the same exam that you gave to this physics class last year?" Dr. Einstein replied "Yes, it was the same exam as last year." The student then asked "But Dr. Einstein, how could you give the same test two years in a row?" Dr. Einstein replied "Because, in the last year, the answers have changed."

This story illustrates the complexities around web application security: how much it changes, how complex it can be, and, most certainly, how no one has all the answers.

I've been fortunate to have the opportunity to test the security of many websites and web applications over the past decade. It's what I love doing the most in my work because every new site/application is a new experience. Of course, some of the security flaws are the same across the board but every new project brings unique challenges. The enormity of the matter is very humbling.

The things that defined web application security flaws (and fixes) last year may not be true this year. The answers are continually changing. Given these factors, I wanted to share with you some of my recent experiences and ideas on how you can get a better grip on this ever-changing target:

Your Scanning Experience Determines Your Scanning Success

What can Developers do to Better Protect PII?

Finding Web Flaws is not Point and Click

Responding to DoS attacks at the web layer

Should you Test Development, Staging or Production?