Pantek Library

Re: Top Ten Web App Sec Problems

From: Alex Russell <alex(at)netWindows.org>
Date: Mon Dec 02 2002 - 20:36:29 EST

On Monday 02 December 2002 17:23, Andrew Jaquith wrote:
> Alex,

I was kinda hoping they were. I was very interested in the paper and the research behind it. Not many people have been able to get entrée into webapp insecurity statistics (not to mention other types of intrusions). I really enjoyed the paper.

> > * tools are downplayed in the analysis, yet no hard numbers are

that's completely valid, and given the sample size, I kind of expected that this would be your response. I don't really have any criticisms of the paper, I'm just kind of hoping to see a larger study. Although you can only do analysis on data you've got, right? = )

> Your point about component (non)interchangeability is well taken. We did

I realize that there are serious confidentiality and competitive issues, but the thought crossed my mind after reading your paper that there might be other firms with which @stake could pool their scrubbed data (if only for a single study like this). There are the obvious concerns about quality of assessment and bias, but perhaps data from a larger cross-section of the web app risk assessment field would help provide more concrete information about the need for what you do? Just a thought. I'm sure you've already considered (and probably dismissed) it.

> > As for whether or not it reflects the real world, I'd


Then maybe we can convince them (and underwriters) that it's a good idea to insure their investments.

> To my knowledge, @stake may be the first company to do a serious

I'm glad you guys are doing it. It's overdue.

Hope my earlier comments didn't sound too critical. I liked the paper, it's a good thing, and I hope you continue to gather more information which can be analyzed like this. It'd be great to see larger sample sets.

-- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com
Received on Mon Dec 2 19:48:06 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT
