Predicting The Future, or Counting on Code-based Security
There are some topics that warrant the occasional revisit as time goes on, and application security is certainly one of those. As long as we have applications being developed and deployed, it seems we will have bad guys looking to exploit them. While I do believe that the Internet, like the Old West, will eventually need to be cleaned up and a set of common rules enforced, there will still be bad guys; some people never learn that you can’t just do whatever you want and expect to get away with it.
So we need application security. At this point, I cannot imagine a web app being deployed without it in one form or twenty. Developers have gotten more astute (in general) about securing their code over the years, and the tools they have available to discover vulnerabilities have gone way up in quality since the 90s. And yet, our systems are still being compromised. There are a lot of reasons for this situation, and others have covered it much better than I have.
Related Articles and Blogs
- Let’s Talk Web Application Firewalls (WAFS)
- When is More Important Than Where in Web Application Security
- 4 Reasons We Must Redefine Web Application Security
- PCI DSS Information Supplement: Application Reviews and Web Application Firewalls Clarified (pdf)
- The Web App Security Consortium – WebApp Firewall Evaluation Criteria