As part of its Application Security MythBusters series, Cenzic interviewed Tom Parker of SecurIcon during the RSA 2009 Conference in San Francisco. Mr. Parker is the Director of Commercial Security Services at this boutique security consulting firm based in Alexandria, VA. Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Mr. Parker why there isn’t more of a focus on Web application security in the market today. Tom answers by saying it’s a classic trifecta problem: lack of education, no standards, and perceived high expense.

- The lack of education is primarily centered on not knowing about the automated tools that can make Web application security testing easier.
- Because there aren’t any compliance regulations directly related to Web application security, it’s easy to ignore the issue until a breach occurs. Even though PCI is a step in the right direction, it’s not robust enough to protect data from the average hacker attack, much less from more sophisticated ones.
- And because there are over 400 new vulnerabilities every month, there is a perceived high expense in securing all Web application data. However, there are cost-effective ways of getting started and developing a process for continuous compliance throughout the software development lifecycle.

As Tom summarizes, your efforts will be worth it in the end, as it’s estimated that 70% of attacks come from insider threats. By creating a proactive security approach, you’ll protect your data from insiders as well as from outside attackers.

If you have any other questions or topic suggestions about the latest myths out there, send an email to MythBusters@cenzic.com.

by Erin Swanson, Marketing, Eswanson@cenzic.com