Fighting Web flaws is futile

Do you ever find yourself driving down the road in an unfamiliar place and you get that gut feeling that you’re headed in the wrong direction? Well, I feel that’s exactly where we are with application security – heading in the wrong direction.
First off, with application security, most things are reactive: “Let’s just get it out and we’ll fix the security stuff later” is the mode of operation. Why is this still the mantra more than 10 years after we started talking about it in the dot-com days? I don’t get it.
Secondly, we’re going about application security for all the wrong reasons. It seems to me we’re not working on the right problem when we spend time, money, and effort on application security so we can say we’re “compliant” or simply to please other people – especially the auditors, regulators, and business partners who are doing nothing more than strong-arming us into submission.
So often I see people in IT, security, development, and compliance working all out on things that aren’t going to make that much of a difference towards minimizing application security risks. Sometimes it’s laziness. Other times it’s ignorance. Quite often, it’s IT and security vendors who are driving the bus making promises about how their firewalls, encryption, server monitoring, or database security (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.