WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: Alex Russell <alex () netWindows org>
Date: Mon, 2 Dec 2002 12:19:53 -0600
On Saturday 30 November 2002 13:21, Mark Curphey wrote:
> What we were looking at is more of a report like page 4 of this excellent paper by Andrew Jaquith http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf In it you can see they say 79% of applications reviewed have serious session management flaws, and 73% have serious parameter manipulation flaws.
That doesn't surprise me in the slightest, considering the amount of confusion just on this list (and those on this list are actually interested in doing the right thing) about session management and its kin.
> Is this accurate in your opinion?
Couple of things to note about the paper:

* Only 45 samples were taken. Presumably, each of these companies agreed to participate, meaning that the worst (or the most press averse) are not likely represented, despite the anonymous nature of the sample set.
* Tools are downplayed in the analysis, yet no hard numbers are provided to substantiate this. All that is said is that components are interchangeable and should be treated this way. I'm not sure I'd buy this line, even if it had numbers to back it up.

Overall, I think the paper is a good start, but needs more substantiation for many of its claims. As for whether or not it reflects the real world, I'd be inclined to say that if a company is hiring @stake, they're probably already on the right track, so things are probably even worse than they look.

--
Alex Russell
alex () netWindows org
alex () SecurePipe com