Confidentiality, compensating controls and risk transference are just a few of the core information security concepts covered by the CISSP exam – concepts that also happen to impact web application security. Having recently completed the technical edits for a CISSP exam prep book, these principles are all too fresh in my mind. I know many of you can appreciate what’s covered (and not covered) by the CISSP exam as well. While going through this book, I had a deep thought about the CISSP body of knowledge. It applies directly to web application security and goes something like this.
Why is it, with all of these security certification programs and core information security principles that we know we need to have in place, that we continue to have web vulnerability issues? From basic websites all the way to the most complex cloud applications, if we applied just 10 percent of the principles covered in the CISSP security certification, we’d be light-years ahead of where we are today. From Access Control to Security Operations to Physical (Environmental) Security, a mere smidgen of each of these fundamental concepts would give us pretty impressive web environments that are much more resilient to attack.
This all sounds good in theory... Then reality sets in.
As predictable as the ocean’s tide, politics, bureaucracy, self-interest, culture, information systems complexity and a slew of other intangible barriers get in the way and keep us from reaching our true potential with web security. It’s just how the world works. But that still doesn’t make it right.
I’m a strong believer that we need to focus on what matters in the context of our own environments, not what an outside group of security certification experts or, in the case of compliance, government bureaucrats, thinks is best for us. Therein lies the weakness of the CISSP body of knowledge or any other security certification. It looks good on paper but we all have businesses to run and people to deal with.
So what can we do? As we’ve discovered, there’s no magic solution for minimizing web risks. We must strike a balance between security and reason. I still think the spirit of the CISSP security certification – among others – should be respected. There’s a lot to be learned from these core concepts, especially the ones that have been around for decades. In the end, do the best you can with what you’ve got. Most importantly (the thing that so many people ignore), just do something.