http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/tags/holistic+security/default.aspxTags: holistic securityenCommunityServer 2008.5 SP1 (Build: 31106.3070)http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/06/11/misunderstanding-the-purpose-of-automated-tools.aspxWed, 11 Jun 2008 02:29:00 GMT94bda21f-7d63-4095-85de-7c2a68fb172c:83208RafalLos1http://www.communities.hp.com/securitysoftware/blogs/rafal/rsscomments.aspx?PostID=83208http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2008/06/11/misunderstanding-the-purpose-of-automated-tools.aspx#comments<p>&nbsp; Let&#39;s get this out in the open - <u>there is a misunderstood purpose of automated tools in web application security</u>.&nbsp; Based on my personal experiences&nbsp;in front of&nbsp;both management and engineering teams in the last few months, I feel this needs to be addressed, and addressed now.</p> <p>&nbsp; I know that as a vendor of tools, we would like everyone to use our wares to find and mitigate their web application security vulnerabilities - but no one here is dilusional.&nbsp; No one here in the HP ASC will ever tell you that buying/implementing our tools&nbsp;will give you&nbsp;total security for your web applications.&nbsp; No one here will ever advocate our tools as the sole solution to an enterprise web application security strategy.</p> <p>&nbsp; So why do other vendors do it?&nbsp; More to the point - why is it that I am often asked the question... &quot;<em>So can you tell me if we implement (the HP ASC Security Suite, or some subset thereof) we will have secure web applications?</em>&quot;&nbsp; Still scarrier - why do people get upset at me when I answer them with a stout &quot;<em>No... our tools are but one part of a holistic strategy</em>&quot;.&nbsp; Before you think that this can&#39;t possibly be anyone you know, or any manager you work for... think again.&nbsp; The list of places and teams that have posed this question starts in government, leads to the education sector and trails into large enterprises just the same.</p> <p>&nbsp; I know there is some level of education that has to happen, and to some degree vendors are to blame for trying to sell &quot;Magic Bullet&quot; solutions at times to make the sale but the reality is no one piece of software will fix your web security woes holistically.&nbsp; Let me elaborate, and explain my case.</p> <p>&nbsp; First, tools are just one piece of the security pyramid (People -&nbsp;Process -&nbsp;Tools).&nbsp; I&#39;ve had that slide in my presentations as far back as I can remember presenting, and it&#39;s served me well but I do think it&#39;s time to preach that a little more emphatically.&nbsp; People and Process are the other two key factors to a successful web-app-sec strategy - without them the tools are of very little use.&nbsp; It&#39;s like having a 500Hp sports car with a nice manual gearbox and not being able to drive a manual and having no gas in the tank.&nbsp; Building a successful&nbsp;practice takes all 3 pieces of the pyramid to be well-established in order to function.&nbsp; While the *people* are the foundation of the whole pyramid, the processes and tools keep the pyramid from collapsing on itself.&nbsp; Without the other 2, no one piece can stand alone... </p> <p>&nbsp; I&#39;m writing a piece on the P-P-T (People/Process/Tools), but in the mean time ... this should give you something to think about.&nbsp; Let&#39;s just be clear one more time... no &quot;tools&quot; can solve the web application security problem holistically... but I will continue to argue that HP&#39;s ASC Suite provides the most comprehensive, most complete lifecycle solution out there, bar-none.</p><div style="clear:both;"></div><img src="http://www.communities.hp.com/securitysoftware/aggbug.aspx?PostID=83208" width="1" height="1">processholistic securityweb application securityautomated toolsautomated testing