« Speaking at OWASP Twin Cities | Main | Book Review: Brave New War »


Andre Gironda

Have you seen Samoa?


Many people rely on web server logs, WAF logs, and some basic tools that parse those looking for specific security-related events. SecureScience InterScout (open-source) and (commercial) have both existed for quite some time and provide some application IDS and application forensic abilities.


Iang (GP essays)

It is kind of dogma that security has to be built in from the very beginning to be worthwhile.

But, empirically, this never seems to happen. It might be a nice idea, but generally we are faced with a lot of historical evidence that security is always a catch up game.

In a series of rants called GP I explore the idea that security should not be built in from the beginning, and instead look for the right time to add it. In a sense, I say that business comes before security, and security is just another of those add-ons that has to be done once the business model is proven; but put it in before the right point, and you'll kill the business.

Sure, a dead business is secure, but what's the point of that?

PS: the blog's built in security knocks out URLs with https in them ... go figure


Ian - I certainly agree that you cannot start by saturating the entire SDL with all things security. You have to phase it in. I also explored some approaches - top down, start at the end, start in the middle here:


As to your "dead business" problem - our jobs would be _so_ much easier if we could just do c and i and not have to worry about a.

Arnon Rotem-Gal-Oz

Hi Gunnar,
I think that it is important for services to do this in a wider scope and also watch for technical and other problems.
I called this pattern "blogjecting watchdog" and it means that a service monitors itself, tries to heal itself if it can and notifies the world if it identifies any problem


The comments to this entry are closed.