Secure Coding mailing list archives

Re: Looking for good software security stats


From: Chris Wysopal <weld () vulnwatch org>
Date: Thu, 04 Mar 2004 00:32:00 +0000

@stake published its first application security metrics report in April
2002.  It is an analysis of 45 "e-business" applications that @stake
assessed for its clients.  Most are web applications.

The Security of Applications: Not All Are Created Equal
http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf

@stake found that 70% of the defects analyzed were design flaws that
could have been found using threat modelling and secure design reviews
before the implementation stage of development.

62% of the apps allowed access controls to be bypassed
27% had no prevention of brute force attacks against passwords
71% had poor input validation

@stake lists the top 10 categories of application defects found.  The list
predates the OWASP Top 10 by eleven months and is largely the same.  The
data gives the percentage of applications affected and is ranked, so it is not
anecdotal.

There is a follow-up of the first application defect study done 15 months
later in July, 2003.  This was done to see if application security is
improving.

The Security of Applications, Reloaded
http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf

The results found that security is improving overall but that there
is a widening gap between the security quality of the top quartile of
applications and the bottom quartile.

There is another article that 3 @stake authors wrote for IEEE Security and
Privacy Magazine which contains elements from both reports.

Information Security: Why the Future Belongs to the Quants
http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf

Cheers,
Chris

On Wed, 3 Mar 2004, Kenneth R. van Wyk wrote:

Hi all,

I'm looking for published reports on software vulnerabilities with regard to
the software development process.  With a bit of googling, I've found some
good starting points (e.g., www.securitytracker.com/
learn/securitytracker-stats-2002.pdf), that provide stats on vulnerabilities
by type.  I'm particularly interested in stats that provide insight into
where in the software development process the vulnerabilities were
introduced.

Anyone have some good citations to share?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
