WebApp Sec mailing list archives

Re: Top Ten Web App Sec Problems


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Wed, 4 Dec 2002 10:57:39 -0500

Steven M. Christey wrote:
It sounds like you're advocating a "top ten" that's based on other
criteria besides "the most frequently occurring" types of issues.  The
basic question is, what would be the proper criteria for such a top
ten list, and what would be the goals?

The problem with "most frequently occurring" is that our instruments for
measuring are so poor that I don't believe they represent reality. The
public vulnerability databases don't list problems with individual
websites (although there's at least an argument that they should).
Companies don't release information about vulnerabilities in their sites,
assuming that they even uncover them.

I'd like to see a top ten list that helps to crystallize the issue for
government and industry.  I'm not a huge fan of the SANS list, but it has
made a tremendous impact on security spending -- even starting a whole
market for SANS scanning.

Roughly how big do you think the risk from web application vulnerabilities
is? Equal to the risk from "network" vulnerabilities like SANS lists? Half?
Quarter?  Whatever you think, web application security spending is only a
tiny fraction of the huge dollars spent on network security. Why? Because
it's currently easy to ignore -- and a top ten list is easy to focus on
and manage to.

I think we should select the vulnerabilities that pose the greatest
aggregate risk to government and industry (in terms of likelihood and
impact). It doesn't have to be perfect, just our best guess at what is
likely to be a big problem over the course of the next year. We can update
it periodically (like SANS).

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com
