Saturday, January 12, 2008

selectively deaf?

I'm not going to make it a habit to post lame rants ... I'm actually going to make an attempt to not be that boring; however, I really had an interesting Friday and wanted to throw this up out.

While meeting with a client, we had a long, boring discussion about their companies general readiness, approach, road-map and general web application security posture. Keep in mind that this company (which you have heard of) puts more money into sticky notes every year than your company (probably) grosses annually.

So....I was meeting with a person from their Information Security team and we starting chatting about the general dismissive nature of their developers when it comes to remediation of web application vulnerabilities. The person I met with is one of the companies ethical hackers and he mentioned that while performing penetration tests across multiple applications, they continued to find the same vulnerabilities over and over again (XSSSQL Injection, administrative problems, etc). Remediation information had been presented to these developers multiple times (along with the ramifications of the exploits) and the development teams continued to make no charge towards any secure development path.

Enter Rant...

What is it going to take to make companies really start to pay attention to what is going on out there? With groups like GartnerSymantec and a ton of others barking that 70-ish% of all vulnerabilities are now in the web application layer -- when are CEO's, CIO's and all of the other C-men (heh) going to wake up and start paying attention? What is it that makes "network security" so much more sexy. Seriously...I was building infrastructures with that defense-in-depth crap back in the late 90's and 00's ... i think it's about time we start paying attention to the real war. So seriously, folks....what's it really going to take? I'll throw in my own thought of why this is the way it is -- take it for what it's worth....but as long as companies continue to operate with "functionality before security" ... we are never going to get rid of this dirty imposition. Honestly? From my's pathetically sad and while it does appear to be getting a bit better (IBM picking up WatchfireHPpicking up SPI Dynamics) -- it does appear that we are starting to make a move towards the positive side of things.

Who knows. I'll climb down off of my box now ....