I like stats; they help to confirm observations and measure progress (or degradation) over time. Software is extremely abstract, and most people have a hard time making good decisions about software management and usage. Security is even more abstract, and from the web to meatspace it is hard for people to get traction on making good security decisions. So software security combines two very nebulous things. If we can make things more quantifiable and concrete, so that people make better decisions, we can likely influence a more positive direction for software security.
Stephanie Fohn and Jeremiah Grossman published these findings on Web App Security stats about a week ago:
Summary:
80% of web apps have a vulnerability (that is identifiable with White Hat's tools/methods)
XSS is the runaway leader with a 71% likelihood (try turning off Javascript and see how well the web works); the next highest is information leakage at 30%.
For high severity vulns, SQL Injection is pegged at 18%. I am not sure if this is just SQL injection or a whole host of attacks that rely on malicious input like LDAP injection, XPath injection, and so on.
The top performers who were classed as "more secure" exhibited the following:
At least some security involvement in the SDLC (awareness training, threat modeling, QA testing, etc.)
Website asset tracking with assigned responsible parties
Regular vulnerability assessment process
Vulnerability remediation prioritized by severity level (i.e. High: 1 - 7 days, Medium: < 30 days, Low: Next Update)
Use of modern web application development frameworks (.NET, Java J2EE, Ruby on Rails, etc.)
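As an added illustration (my own code, not from the post or the White Hat report) of the asset-tracking and severity-based remediation practices listed above, here is a small Python tracker that turns those windows into deadlines and reports overdue findings per responsible owner. The reading of "Medium: < 30 days" as a 29-day window, the ordering rule, and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the practices listed above. Assumed interpretation:
# "Medium: < 30 days" is treated as due on day 29; Low has no calendar
# deadline and is tied to the next scheduled update instead.
SLA_DAYS = {"High": 7, "Medium": 29}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

@dataclass
class Finding:
    asset: str        # tracked website/application from the asset inventory
    owner: str        # responsible party recorded with the asset
    vuln_class: str   # e.g. "XSS", "SQL Injection", "Information Leakage"
    severity: str     # "High", "Medium" or "Low"
    found: date       # date the assessment reported it
    fixed: bool = False

def due_date(f: Finding, next_update: date) -> date:
    """Deadline implied by the severity-based remediation policy."""
    if f.severity == "Low":
        return next_update
    return f.found + timedelta(days=SLA_DAYS[f.severity])

def overdue_by_owner(findings, today_iso: str, next_update_iso: str) -> dict:
    """Open findings past their deadline, grouped by owner and ordered so
    each owner sees the highest severity and the longest overdue first."""
    today = date.fromisoformat(today_iso)
    next_update = date.fromisoformat(next_update_iso)
    report = {}
    for f in findings:
        if not f.fixed and today > due_date(f, next_update):
            report.setdefault(f.owner, []).append(f)
    for items in report.values():
        items.sort(key=lambda f: (SEVERITY_RANK[f.severity], due_date(f, next_update)))
    return report

# Constructed sample findings (hypothetical hosts and owners, not report data).
SAMPLE = [
    Finding("shop.example.com", "alice", "SQL Injection", "High", date(2007, 8, 1)),
    Finding("shop.example.com", "alice", "XSS", "Medium", date(2007, 8, 1)),
    Finding("blog.example.com", "bob", "Information Leakage", "Low", date(2007, 7, 1)),
    Finding("blog.example.com", "bob", "XSS", "High", date(2007, 8, 14), fixed=True),
]

if __name__ == "__main__":
    for owner, items in overdue_by_owner(SAMPLE, "2007-09-05", "2007-09-01").items():
        print(owner, [(f.vuln_class, f.severity) for f in items])
```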
Read the whole report.