"Are we secure?...."
A major issue with enterprises is "are we secure?" (what does that even mean...). If you are asked by the CEO whilst sharing a lift to the 10th floor, what do you answer??? eh..em yes..er no...well sort-of.....
A few important aspects in attempting to figure out "Are we secure?" from a web security standpoint are:
(1) How do we make sure the security of our current public-facing Internet web landscape is *pretty* robust (not 100% secure)? - Test, maintain, patch, measure, observe.....
(2) So how do we make sure systems in design/development are not going to introduce new risk to your business? - Security: Design, Dev, Test, Review, Deploy, Maintain, Patch.
..........So how do we track ongoing assurance efforts, prioritization of technical issues, appointing appropriate risk, tracking remediation, identifying root cause and technology adoption weaknesses, mixed with securing new deployments ((1) & (2) above)? - Excel spreadsheets, memory, belief, faith, luck.....
"Risk comes from not knowing what you're doing." - Warren Buffett
Inputs into (1) & (2) above generally take the form of technical reports and a risk context appointed by the consultant. Enterprises with many business units (BUs) may use different consultants, with varying report styles and formats and variance in how risk is rated; in effect the overall organisation faces a challenge in pulling all this information together.
10 Business Units
30 Security Staff
200 Web Applications
1000 Web Servers
2000 Databases
100,000 Client records
1,000,000 Potential hackers, worms, Trojans (and infected users)
".......So all you've got to do is make sure we have no security vulnerabilities which may give rise to a data breach or damage the reputation of the organisation... got it?"
Convergence of information:
We are moving towards consolidation of risk using GRC solutions, but not quickly enough in the web application space.
Many solutions are available in both the commercial and open source arenas. On the commercial side we have, for example, Archer. We have some small organisations with great potential, such as Onformonics; we have open source contributions such as the Denim Group's ThreadFix; and we have integrated solutions such as WhiteHat Sentinel (DAST), which provides a portal solution and integration via an open XML API.
Basically, "If you cannot measure it, you cannot improve it."
The idea behind ESI is the ability to track, be informed about, measure, prioritize, visualize and appoint contextual risk to your enterprise technology stack and deployments as a whole. Regardless of all the problems we have with application security, we certainly can't get off this moving train of vulnerability; it continues to move on. All we can do is identify meaningful issues with our environment and attempt to fix and prevent them. With ESI at least we can see the state of our landscape for what it is and try to improve it.
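To make the "convergence of information" concrete, here is an added example (my own code, not part of the original post and not the API of any product named above) that maps two constructed consultant report formats onto one severity scale and derives the per-BU view, remediation time and work list that ESI is described as providing; the field names, the two report layouts and the CVSS bucketing are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional
SEV = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # common scale (constructed for this example)

@dataclass
class Finding:
    bu: str                # business unit that owns the application
    app: str
    title: str
    severity: int          # 1 (low) .. 4 (critical) on the common scale
    found: date
    fixed: Optional[date]  # None while the issue is still open

def _day(s):
    """ISO date string -> date, or None when the field is absent (issue still open)."""
    return date.fromisoformat(s) if s else None

def from_word_scale(bu, raw):
    """Consultant A rates findings with a word (Critical/High/Medium/Low)."""
    return Finding(bu, raw["app"], raw["title"], SEV[raw["severity"].lower()],
                   _day(raw["found"]), _day(raw.get("fixed")))

def from_cvss(bu, raw):
    """Consultant B reports a CVSS base score; bucket it with the standard CVSS ranges."""
    s = raw["cvss"]
    sev = 4 if s >= 9.0 else 3 if s >= 7.0 else 2 if s >= 4.0 else 1
    return Finding(bu, raw["app"], raw["title"], sev, _day(raw["found"]), _day(raw.get("fixed")))

def open_by_bu(findings):
    """Still-open findings counted per (business unit, severity): the landscape view."""
    return Counter((f.bu, f.severity) for f in findings if f.fixed is None)

def mean_days_to_fix(findings, min_severity=3):
    """Average remediation time of closed findings at or above min_severity, or None."""
    days = [(f.fixed - f.found).days for f in findings
            if f.fixed is not None and f.severity >= min_severity]
    return sum(days) / len(days) if days else None

def prioritised(findings):
    """Open findings ordered worst severity first, then oldest first: the work list."""
    return sorted((f for f in findings if f.fixed is None), key=lambda f: (-f.severity, f.found))
# Constructed sample reports: two consultants, two business units, two formats.
REPORT_A = [{"app": "payments", "title": "SQL injection in search", "severity": "High", "found": "2012-03-01", "fixed": "2012-03-20"},
            {"app": "payments", "title": "Reflected XSS", "severity": "Medium", "found": "2012-03-01"}]
REPORT_B = [{"app": "portal", "title": "Auth bypass", "cvss": 9.4, "found": "2012-02-10"},
            {"app": "portal", "title": "Verbose error page", "cvss": 3.1, "found": "2012-02-10", "fixed": "2012-02-25"}]
ALL = [from_word_scale("Retail", r) for r in REPORT_A] + [from_cvss("Banking", r) for r in REPORT_B]
```

Adding a third consultant's format is one more small `from_...` adapter; every metric below it stays unchanged because it only ever sees the common `Finding` record.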