Consortium to Target Web App Security

Written by Dennis Fisher
Feb 18, 2004

As part of an effort to crystallize the thinking and product development around the nascent area of Web application security, a group of vendors will announce next week the formation of a new consortium meant to help define and promote standards concerning application security.

Founding members of the group include Application Security Inc., KaVaDo Inc., Sanctum Inc., SPI Dynamics Inc. and WhiteHat Security Inc. Known as the Web Application Security Consortium, the group will make its debut at the RSA Conference in San Francisco.

The group's initial goal is to create a classification system for application security vulnerabilities, attacks and other threats. Many of the attacks that are used against Web applications are quite complex, and much of the terminology is outside the realm of most security specialists' expertise. The group hopes to simplify the explanation of things such as cross-site scripting that have become prevalent in recent years.

“Application security itself is very confusing. A lot of developers don't know exactly how these applications are threatened, which is why the applications are still woefully insecure,” said Jeremiah Grossman, CEO of WhiteHat, based in Santa Clara, Calif. “The Web security area is so new, no one knows how to address all the issues.”

Cross said the group is approximately 80 percent finished with the classification system, and hopes to have it completed by late March or early April.

Another major focus of the consortium's efforts will be the establishment of industry best practices in several areas, particularly secure coding. Until very recently, most software developers received almost no instruction in college on secure coding practices and, as a result, had no concept of what it took to write a secure application. That state of affairs is changing as more developers get security training as part of their education, but there is little agreement among experts on what qualifies as secure coding.

The new consortium hopes to change that by developing guidelines for secure software development. The group also will look at establishing best practices for independent security reviews.
