
Building a Web Application Security Program, Part 8: Putting It All Together

"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7),
and it’s time to put all the pieces together. Here are our guidelines
for designing a program that meets the needs of your particular
organization. Web application security is not a “one size fits all”
problem. The risks, size, and complexity of the applications differ,
the level of security awareness among team members varies, and most
importantly the goals of each organization are different.

In order to offer practical advice, we needed to approach program
development in terms of typical goals. We picked three use cases to
represent common challenges organizations face with web app security,
and will address those use cases with appropriate program models. We
discuss a mid-sized firm tackling a compliance mandate for the first
time, a large enterprise looking to improve security across
customer-facing applications, and a mid-to-large organization dealing
with security for internal applications. Each perspective has its own
drivers and assumptions, and in each scenario different security
measures are already in place, so the direction of each program will be
different. Since we’ve been posting this over a series of weeks, before
you dig into this post we recommend you review Part 4: The Web Application Security Lifecycle,
which talks about all tools in all phases. First we describe the
environment for each case, then overall strategy and specific
recommendations."

Read more: http://securosis.com/2009/01/06/building-a-web-application-security-program-part-8-putting-it-all-together/