'What is Security?' and other important questions - Security Series #0

So over the year and a half(almost) of doing my security series, I have learned a lot. I have been reading a lot, doing research, digging through ColdFusion, attending security-related event, creating presentations, preparing training (soon to be delivering), and there is still SO MUCH that I need to learn.

But one thing I have been learning about recently, are some of the principles of application security. There is more to application security then just learning about threats and countermeasures. A LOT more.

So in my security series, we are going to take a little trip back to the beginning and start learning about some of the other pieces of application security that have been getting neglected. Please don't think of these as "the basics", because that is not how I look at it. I see them as important information that should be used in every project.

When I ask the rhetorical question 'What is Security?' I am trying to lay down the model of what I am trying to accomplish with this series. I think we are trying to learn what security is, but also to really answer some other questions, like 'Why do it?' and 'Am I really at risk?' and 'Is all of this rigmarole really necessary? Can't I just make all of my application secure and not worry about this extra work?'.

Some of the things I want to look at in the #0 series are:

  • Threat Risk Modeling
  • Threat Agents
  • Security Policies
  • Positive Security Models
  • Objective Identification
  • Assets
  • Vulnerabilities
  • Prioritization
  • Response Plans

Please keep in mind that I am learning these things too. I am perfectly capable of getting things wrong, underselling the importance of something, or skipping important details. So I am always open to feedback, clarification and corrections.

I hope this topic will be useful and interesting to others. Please speak up and let me know what you think, whether or not you think this will be useful and if there is anything else, on this topic, you would like to see me write about.

Comments
CreativeNotice's Gravatar I'm looking forward to these topics. I had some introductory network security classes in collage, but application security would be been more useful.
# Posted By CreativeNotice | 9/21/09 8:12 AM
Pete Freitag's Gravatar Jason, I'm also looking forward to the series.

One thing I like to say about security, is that anyone who claims to know everything about security, knows nothing about security!
# Posted By Pete Freitag | 9/21/09 10:28 AM
Ben Nadel's Gravatar @Jason,

Sounds awesome. Looking forward to reading it. Now, I just need to go back and catch up on all your jQuery / AIR / SQL Lite posts :)
# Posted By Ben Nadel | 9/21/09 4:02 PM
Jason Dean's Gravatar Thanks for the comments guys.

@Peter, thanks for saying that. Sometimes I feel that because I blog about security that some people see me as an expert. But I am just a web developer with an interest in security. Maybe someday I will be an expert, but in the meantime, it is fun to learn about this stuff.

@Ben, get reading!
# Posted By Jason Dean | 9/22/09 7:29 AM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner