I “grew up” surrounded by web application security – from a time when Achilles was the only useful proxy and everything was done by hand, to the current state of affairs, where automated tools and proxies are used on a regular basis. OWASP and WASC have been formed, and web application security is taken seriously. However, there are still many web applications that existed before this explosion in security awareness, and they’re still out “in the wild”.

Unlike the thick client area, where the majority of “major” applications are controlled by larger development firms (Windows, Oracle, etc.) with security departments, web applications are written by everyone and their brother Joe. There are some large development houses writing web apps, but a good majority are developed “in-house” by developers who may not have any kind of security training. I suspect that this will start to change, as it did with thick client development. Until then, at least security is on people’s radar, and most development groups have at least one person who is familiar with security, or they hire companies that are familiar with security to help them with the development.

The landscape has certainly changed as I’ve “grown” along with it.