One of the things I’ve learned throughout my career is that many of the problems we face in IT, security and software development can be solved if we simply turn to business leaders to see how it’s done. In particular, I’m talking about a practice called zero-based thinking. A tool that’s been around for centuries and more finely tuned for business in the past few decades, zero-based thinking is just that – going back to “zero” – and asking yourself, “knowing what I now know, would I still do the same things?”

In the context of web application security this means suspending critical judgment, letting go of your pre-conceived notions about how things “should” be and being open to some alternatives that may seem impossible but likely aren’t. The key questions to ask yourself are: What would I do less of? What would I do more of? What would I stop altogether? Maybe you could…

Do less of:

  • Performing sporadic web application security tests with no defined schedule
  • Ignoring the reality that all of your web systems need to be tested eventually (focusing on the urgent and important ones first, of course)

Do more of:

  • Setting and following some clearly-defined goals for improving web application security in your business from this point forward
  • Developing a set of reasonable security policies or cleaning up your existing ones to include web application security throughout development, QA and ongoing maintenance

Stop altogether:

  • Relying on basic vulnerability scans as an assumed realistic representation of your web security flaws
  • Keeping information about security issues internal to IT or your development/QA team and isolating others in the business who could actually help

People see and hear what they want to see and hear. I believe the inability to stop doing things that are no longer working is the primary failure of web application security. If this cycle isn’t stopped – especially given what’s going on in and around web application security these days – it’ll only continue and this monster will grow.

You have to be open to the fact that what you’re doing today is no longer working, or isn’t working the way it needs to. Making improvements in web application security is going to require re-examining your situation. Use zero-based thinking: set aside what you take for granted and your existing assumptions, and look at things in a new light. Think about how some new approaches could benefit your business. You’ll likely find there are numerous areas ripe for improvement.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.