Web Application Security is an incredibly difficult undertaking, and one of the papers we are most proud of is this one: Building a Web Application Security Program (attached below). Web applications not only face many of the same threats and issues as traditional applications but, by their nature, have a whole additional set of issues to worry about as well. They require a different approach and analysis, and we hope that you will follow the use cases and adapt the technologies and process improvements suggested to meet your organizational needs. As the science of web application security is advancing very quickly, and as the attacks against web applications and platforms continue to evolve, our approach and recommendations will change. Because we anticipate periodic updates to the content, we recommend that you revisit this section from time to time for alterations and amendments.

This page is provided to give you a place to participate with comments, recommendations, or critiques in the comment fields below.

As always, we research and write the content, and sponsors choose to participate only after the content has been made publicly available on the blog. We would like to thank Core Security, Imperva and Qualys for their sponsorship of this paper.

(Version 1.0, July 2009)

Building a Web Application Security Program. (PDF)