
Re: Top Ten Web App Sec Problems

From: Jeff Williams (at) Aspect <(at)>
Date: Wed Dec 04 2002 - 10:57:39 EST
Steven M. Christey wrote:
> It sounds like you're advocating a "top ten" that's based on other

The problem with "most frequently occurring" is that our instruments for measuring are so poor that I don't believe they represent reality. The public vulnerability databases don't list problems with individual websites (although there's at least an argument that they should). Companies don't release information about vulnerabilities in their sites, assuming that they even uncover them.

I'd like to see a top ten list that helps to crystallize the issue for government and industry. I'm not a huge fan of the SANS list, but it has made a tremendous impact on security spending -- even starting a whole market for SANS scanning.

Roughly how big do you think the risk from web application vulnerabilities is? Equal to the risk from "network" vulnerabilities like SANS lists? Half? Quarter? Whatever you think, web application security spending is only a tiny fraction of the huge dollars spent on network security. Why? Because it's currently easy to ignore -- and a top ten list is easy to focus on and manage to.

I think we should select the vulnerabilities that pose the greatest aggregate risk to government and industry (in terms of likelihood and impact). It doesn't have to be perfect, just our best guess at what is likely to be a big problem over the course of the next year. We can update it periodically (like SANS).

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com

Received on Wed Dec 4 10:59:16 2002
