Secure Coding mailing list archives
Re: Looking for good software security stats
From: Chris Wysopal <weld () vulnwatch org>
Date: Thu, 04 Mar 2004 00:32:00 +0000
@stake published its first application security metrics report in April 2002. It is an analysis of 45 "e-business" applications that @stake assessed for its clients. Most are web applications.

The Security of Applications: Not All Are Created Equal
http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf

@stake found that 70% of the defects analyzed were design flaws that could have been found using threat modelling and secure design reviews before the implementation stage of development.

62% of the apps allowed access controls to be bypassed
27% had no prevention of brute force attacks against passwords
71% had poor input validation

@stake lists the top 10 categories of application defects found. The list predates the OWASP Top 10 by eleven months and is largely the same. The data gives the percentage of applications affected and is ranked, so it is not anecdotal.

There is a follow-up of the first application defect study, done 15 months later in July 2003. This was done to see if application security is improving.

The Security of Applications, Reloaded
http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf

The results found that security is improving overall but that there is a widening gap between the security quality of the top quartile of applications and the bottom quartile.

There is another article that 3 @stake authors wrote for IEEE Security and Privacy Magazine which contains elements from both reports.

Information Security: Why the Future Belongs to the Quants
http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf

Cheers,
Chris

On Wed, 3 Mar 2004, Kenneth R. van Wyk wrote:
> Hi all,
>
> I'm looking for published reports on software vulnerabilities with regard to the software development process. With a bit of googling, I've found some good starting points (e.g., www.securitytracker.com/learn/securitytracker-stats-2002.pdf) that provide stats on vulnerabilities by type. I'm particularly interested in stats that provide insight into where in the software development process the vulnerabilities were introduced.
>
> Anyone have some good citations to share?
>
> Cheers,
>
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com