Untangling the Acronyms of Web Application Security
Posted: February 10th, 2009 | Filed under: IIS & HTTP, Web Security Tools
Tags: OWASP, WAFEC, CVE…
An excellent post from Jeremiah Grossman just caught my eye, where he tried to untangle the mess of acronyms that is Web application security. In his words, he was trying to “organize and describe some of the more focused [Web security] terminology/standard/framework public initiatives.” In his usual way, he brings clarity to an industry that could use it… a worthwhile read.
Since so many of the Port80 software tools are focused on security issues, we’re constantly keeping an eye on the organizations and efforts he mentions:
- We just did a blog post last month on the Top 25 Most Dangerous Programming Errors.
- Port80 has looked to the Web Application Security Consortium’s Threat Classification project as a baseline for our WAF development - it is, as he says, a very clear and cogent taxonomy of Web App threats.
- We even have to pat ourselves on the back a bit for being mentioned as a resource under the WASC Fingerprinting threat description - Port80 has been preaching the gospel of Server Anonymization since before ServerMask was even born in 2002.
I’d be interested to hear whether you think we’re on the right track, and what headaches you’re having trying to deal with all the varying WAF and security options. And as always, please let us know how we can make your job easier.
Cheers!
Jenny @ Port80
{follow us on Twitter @port80software.com}

Jenny
Thanks for the article from Jeremiah. It is an alphabet soup out there sometimes.