I'm in the middle of two technologies - software development and information security. In my grad school classes, my professors usually require us to write a term paper relating to security each semester. My first paper dealt with creating a web application security plan for a software team. Looking back, I'm not sure it was written with the best of knowledge - I went over things such as cross site scripting, buffer overflows, etc., but I really didn't know how to stop them - I was just listing common attacks.
So, when I found a video on www.csoonline.com that details Application Security from the experts at Gartner group, I decided to sign up to view the video.
Here are some highlights:
1) Even if your manager decides that security for your application is important, with the crappy economy for 2009, don't expect to receive any additional funding. Do with what you have.
2) Whose responsibility is it to do the application security testing? The development staff, or an outside security team? Then, where do you start? From the outside going in, or starting on the inside of the application?
3) Should you be trying to break your application's security by testing against your production applications? Most organizations are scared to do this because customers are using the application and if you manage to break it, customers are affected. Using virtualization could be the answer to this problem: use virtualization to take a snapshot of your production application and test against that copy - not your actual production application.
4) Are there any automated testing tools, like JUnit, that are geared toward automating security tests?
5) How can you find an expert in the field of application security that will help you identify and isolate vulnerabilities? Over 150 new vulnerabilities are discovered each week so you need someone that knows how to be on top of these.
6) Trends include certifications attesting that a website is secure - for example, PCI certifications from the credit card companies.
7) White box or source code scanning for security issues can catch only about 5% of known attacks. It's good to do, but don't rely on just this method.
8) Security software as a service - finally, companies trying to save money can use security testing and other software from the services cloud. Of course, you also have to worry about their security.
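On point 4, here is what a JUnit-style automated security test can look like, as an added example that is not from the original post or from the Gartner video. It is written in Python's built-in unittest rather than JUnit so it runs without extra setup. The two rendering functions, the probe strings and the allowed-tag list are all constructed for this example: the test feeds cross-site-scripting probe strings to a page-rendering function and parses the resulting HTML, failing if any tag other than the template's own `<p>` shows up. The unsafe "before" version is kept beside the hardened one to show that the check actually distinguishes them, which is what makes it useful as a regression test in a build.

```python
# Added example: a security regression test in the style of a JUnit test.
# Nothing here is from the original post; the render functions, probes
# and allowed-tag set are constructed for illustration.
import html
import unittest
from html.parser import HTMLParser


def render_greeting_unsafe(name: str) -> str:
    """The 'before' version: untrusted input concatenated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """Hardened version: encode the untrusted value for an HTML text context."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Constructed probe strings. They carry the characters that matter in HTML
# (angle brackets, quotes) so any missing encoding produces an extra tag.
XSS_PROBES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


class _TagCollector(HTMLParser):
    """Collects the names of every start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(render, probes, allowed=frozenset({"p"})) -> set:
    """Render each probe and return the set of tags that are not part of
    the template. A non-empty result means the probe broke out of the
    text context, i.e. output encoding is missing or wrong."""
    found = set()
    for probe in probes:
        collector = _TagCollector()
        collector.feed(render(probe))
        collector.close()
        found |= {t for t in collector.tags if t not in allowed}
    return found


class GreetingOutputEncodingTest(unittest.TestCase):
    """Runs in the normal test suite; a regression in encoding fails the build."""

    def test_hardened_renderer_emits_no_injected_tags(self):
        self.assertEqual(injected_tags(render_greeting, XSS_PROBES), set())

    def test_check_detects_missing_encoding(self):
        # Guards the test itself: the unsafe renderer must be caught.
        self.assertEqual(
            injected_tags(render_greeting_unsafe, XSS_PROBES), {"script", "img"}
        )


if __name__ == "__main__":
    unittest.main()
```

The design choice worth noting is that the assertion parses the output instead of searching it for the literal probe string: a renderer that merely strips `<script>` would pass a substring check and still be exploitable through the second probe, whereas counting tags catches any break-out of the text context.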
Saturday, January 10, 2009