So over the year and a half (almost) of doing my security series, I have learned a lot. I have been reading a lot, doing research, digging through ColdFusion, attending security-related events, creating presentations, preparing training (soon to be delivering), and there is still SO MUCH that I need to learn.
But one thing I have been learning about recently is some of the principles of application security. There is more to application security than just learning about threats and countermeasures. A LOT more.
So in my security series, we are going to take a little trip back to the beginning and start learning about some of the other pieces of application security that have been getting neglected. Please don't think of these as "the basics", because that is not how I look at it. I see them as important information that should be used in every project.
When I ask the rhetorical question 'What is Security?' I am trying to lay down the model of what I am trying to accomplish with this series. I think we are trying to learn what security is, but also to really answer some other questions, like 'Why do it?' and 'Am I really at risk?' and 'Is all of this rigmarole really necessary? Can't I just make all of my applications secure and not worry about this extra work?'
Some of the things I want to look at in the #0 series are:
- Threat Risk Modeling
- Threat Agents
- Security Policies
- Positive Security Models
- Objective Identification
- Response Plans
Please keep in mind that I am learning these things too. I am perfectly capable of getting things wrong, underselling the importance of something, or skipping important details. So I am always open to feedback, clarification and corrections.
I hope this topic will be useful and interesting to others. Please speak up and let me know what you think, whether or not you think this will be useful, and if there is anything else on this topic you would like to see me write about.