I have been known to take the web application security community to task for a myopic focus on web and web only. Being constrained by HTTP does serve to make things pretty easy! Lately, I have adjusted my thinking.
Jeremiah Grossman and I cross paths out there on the evangelism circuit pretty often and have talked about web app security versus software security many times. Jeremiah is a great guy, and always willing to listen and think carefully. It was only natural that he would end up as a Silver Bullet victim.
Episode 32 of the Silver Bullet Security Podcast features a chat with web security guru Jeremiah. Among other things, we talk about the relationship between web app security and software security.
Near the end of our conversation, we raised the idea of whether all web security problems have analogs in the software security space and what that might mean. After thinking more about that issue, I made it the subject of this month’s InformIT column.
In the end, web application security is important, but we must be careful not to overemphasize the solutions that work only for web apps and forget about the rest of software out there. In the meantime, we have plenty to learn from each subdomain.