Misunderstanding the Purpose of Automated Tools
Let's get this out in the open - there is a misunderstood purpose of automated tools in web application security. Based on my personal experiences in front of both management and engineering teams in the last few months, I feel this needs to be addressed, and addressed now.
I know that as a vendor of tools, we would like everyone to use our wares to find and mitigate their web application security vulnerabilities - but no one here is delusional. No one here in the HP ASC will ever tell you that buying/implementing our tools will give you total security for your web applications. No one here will ever advocate our tools as the sole solution to an enterprise web application security strategy.
So why do other vendors do it? More to the point - why is it that I am often asked the question... "So can you tell me if we implement (the HP ASC Security Suite, or some subset thereof) we will have secure web applications?" Scarier still - why do people get upset at me when I answer them with a stout "No... our tools are but one part of a holistic strategy"? Before you think that this can't possibly be anyone you know, or any manager you work for... think again. The list of places and teams that have posed this question starts in government, leads to the education sector and trails into large enterprises just the same.
I know there is some level of education that has to happen, and to some degree vendors are to blame for trying to sell "Magic Bullet" solutions at times to make the sale, but the reality is that no one piece of software will fix your web security woes holistically. Let me elaborate, and explain my case.
First, tools are just one piece of the security pyramid (People - Process - Tools). I've had that slide in my presentations as far back as I can remember presenting, and it's served me well, but I do think it's time to preach that a little more emphatically. People and Process are the other two key factors in a successful web-app-sec strategy - without them the tools are of very little use. It's like having a 500 hp sports car with a nice manual gearbox, not being able to drive a manual, and having no gas in the tank. Building a successful practice takes all 3 pieces of the pyramid to be well-established in order to function. While the *people* are the foundation of the whole pyramid, the processes and tools keep the pyramid from collapsing on itself. Without the other 2, no one piece can stand alone...
I'm writing a piece on the P-P-T (People/Process/Tools), but in the meantime... this should give you something to think about. Let's just be clear one more time... no "tools" can solve the web application security problem holistically... but I will continue to argue that HP's ASC Suite provides the most comprehensive, most complete lifecycle solution out there, bar none.