Web Application Security Today is Inadequate

This is a real nice piece from CSO last week about the state of web application security. It was written by Jeremiah Grossman, founder and CTO of WhiteHat Security, a web vulnerability testing firm.

Basically, in a nutshell, Grossman says we're at the same place today with application security that we were at with network security ten years ago. Back then, firewalls were new, not widely used and patch management was an afterthought. Today, the world is different. It would be hard to find any company or organization without a firewall or patching program.

As a result, network attacks are pretty rare, while application attacks are all the rage. Grossman cites a Gartner study saying that 75 percent of breaches are due to application flaws, yet 90 percent of security spending is still on traditional perimeter security.

None of what Grossman is saying is news. Everybody in IT security has already heard this. But I liked his article because it did an outstanding job of summarizing the issue, highlighting application security threats, explaining how it's not being addressed fully and then offering some solutions.