One of the things I’ve learned throughout my career is that many of the problems we face in IT, security and software development can be solved if we simply turn to business leaders to see how it’s done. In particular, I’m talking about a practice called zero-based thinking. A tool that’s been around for centuries and more finely tuned for business in the past few decades, zero-based thinking is just that – going back to “zero” – and asking yourself, “Knowing what I now know, would I still do the same things?”

In the context of web application security this means suspending critical judgment, letting go of your preconceived notions about how things “should” be and being open to some alternatives that may seem impossible but likely aren’t. The key questions to ask yourself are: What would I do less of? What would I do more of? What would I stop altogether? Maybe you could…

Do less of:

  • Performing sporadic web application security tests with no defined schedule
  • Ignoring the reality that all of your web systems need to be tested eventually (focusing on the urgent and important ones first, of course)

Do more of:

  • Setting and following some clearly-defined goals for improving web application security in your business from this point forward
  • Developing a set of reasonable security policies or cleaning up your existing ones to include web application security throughout development, QA and ongoing maintenance

Stop altogether:

  • Relying on basic vulnerability scans as an assumed realistic representation of your web security flaws
  • Keeping information about security issues internal to IT or your development/QA team and isolating others in the business who could actually help

People see and hear what they want to see and hear. I believe the inability to stop doing things that are no longer working is the primary failure of web application security. If this cycle isn’t stopped – especially given what’s going on in and around web application security these days – it’ll only continue and this monster will grow.

You have to be open to the fact that what you’re doing today is no longer working, or isn’t working the way it needs to. Making improvements in web application security is going to require re-examining your situation. Use zero-based thinking: discard known facts and assumptions, and look at things in a new light. Think about how some new approaches could benefit your business. You’ll likely find there are numerous areas ripe for improvement.

Kevin Beaver

Kevin is an information security consultant with 30 years’ experience, providing independent security assessments and penetration tests, security consulting and virtual CISO services, writing and security content development, and speaking engagements including keynotes, panel discussions, and webinars.