WebApp Sec mailing list archives

Re: Top Ten Web App Sec Problems


From: Alex Russell <alex () netWindows org>
Date: Mon, 2 Dec 2002 12:19:53 -0600

On Saturday 30 November 2002 13:21, Mark Curphey wrote:
What we were looking at is more of a report like page 4 of this
excellent paper by Andrew Jaquith

http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf

In it you can see they say 79% of applications reviewed have serious
session management flaws, and 73% have serious parameter manipulation
flaws.

That doesn't surprise me in the slightest, considering the amount of
confusion just on this list (and those on this list are actually interested
in doing the right thing) about session management and its kin.

Is this accurate in your opinion ?

Couple of things to note about the paper:

* Only 45 samples were taken. Presumably, each of these companies agreed to
participate, meaning that the worst (or the most press-averse) are not
likely represented, despite the anonymous nature of the sample set.

* Tools are downplayed in the analysis, yet no hard numbers are provided to
substantiate this. All that is said is that components are interchangeable
and should be treated this way. I'm not sure I'd buy this line, even if it
had numbers to back it up.

Overall, I think the paper is a good start, but needs more substantiation for
many of its claims. As for whether or not it reflects the real world, I'd
be inclined to say that if a company is hiring @stake, they're probably
already on the right track, so things are probably even worse than they
look.

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
