WebApp Sec mailing list archives

RE: Web App Vulnerabilities Statistical Analysis WP


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 28 Jun 2004 20:25:32 -0500

On Mon, 2004-06-28 at 11:57, Imperva Application Defense Center wrote:
> Bottom line, thanks for the nice graphs, and kudos for
> publishing yet another useless paper... I am giving Imperva
> the "Spammer of the year award".

I find this type of response disrespectful.

Perhaps it would be better if it were titled "Imperva WebAppSec
Scorecard" or "Status Report" or something like that.

Whitepapers used to deal with technical issues. Nowadays they seem to
carry more marketing than technical detail. 

Frankly, I didn't get any useful info out of it either, except noting
the volume of work you guys have done. It does sadden me to see that
some scores in the retest still show significant issues. I would have
hoped that, after you guys worked with the client, his security
posture would have improved a bit more. Perhaps I was reading it wrong
or was confused by the graphs and charts.

I'm curious, though, whether you guys look at source code at all. From
the categories, it all appears to be focused on remote testing, and you
mentioned Penetration Testing a few times. Shouldn't categories like
weak database handling or logic errors (or anything else that hints at
weak programming practices) be included in the report as well? Do you
do source code review during your engagements?

(Since you are reporting on the issues you guys found during your tests,
perhaps you should elaborate more on your testing process and
methodology. Understand that I'm not slamming you here, but what you
listed under "Methodology" doesn't describe the one you used for the
test. You need to describe your testing process a bit more
scientifically.)

Regards,
Frank

