WebApp Sec mailing list archives
Re: Vulnerability statistics
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Fri, 7 Jan 2005 09:38:31 -0800
On Thursday, January 6, 2005, at 01:55 PM, Benjamin Livshits wrote:
Looking at the OWASP's top ten list, are there any recent studies as to what fraction of vulnerabilities accounts for each of the top ten categories?
The only resource I am aware of that comes close is a statistical analysis by Imperva. I found much of the information interesting and useful. However, it also highlights the need for something more extensive across the board. http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html
Speaking for myself, we are using the WASC Threat Classification to categorize our vulnerability findings.
http://www.webappsec.org/threat.html
Discounting severity and going only by the total number of discovered vulnerabilities, the two most commonly identified issues are XSS (~60%) and SQL Injection (~20%), matching up against A4 and A6 in the OWASP TOP-10 respectively. The remaining (~20%) of the vulnerabilities fall mixed into the other classes and are also heavily dependent on the particular web sites in question.
What about the percentage of vulnerabilities caused by coding errors vs configuration flaws?
Specifying the culprit for a web security flaw may really depend on where you place your defenses. As the webapp attack enters the infrastructure, many layers of security may stand in the way. (Defense-in-Depth) Here is one way to look at the traffic flow between security layers:
Application Firewall -> Reverse HTTP Proxy -> Web Server Security Module/Configuration -> Web Application Input Validation -> Database Configuration -> Web Application Output Filtering.
When talking about attack types like XSS and SQL Injection, oftentimes they can be defended against using any number of these security layers. Circling back, when a flaw is identified, you need to find the spot in your infrastructure where the attack should have been blocked, whether it's a security add-on or the web application. Hope this helps.
Regards, Jeremiah-
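The layered traffic flow described in the reply above, as an added example that is not part of the original post or of any WhiteHat or WASC material: a toy defense-in-depth pipeline that walks a request value through an application firewall, per-field input validation, the database query and output filtering, and reports the first layer that stops it. The firewall signatures, the field allowlists and the SQLite users table are all constructed for this example; the reverse proxy and web server configuration layers from the post are omitted because they carry no application logic here. Running the same payload with different subsets of layers enabled shows the point the post makes: the same XSS or SQL Injection finding can be stopped at several places, and when one slips through you can see which enabled layer should have caught it.

```python
"""Toy defense-in-depth trace for XSS and SQL Injection findings (added example)."""
import html
import re
import sqlite3

# Layer order follows the post: firewall -> input validation -> database -> output filtering.
LAYERS = ("app_firewall", "input_validation", "database", "output_filter")

# Layer 1: application firewall. Constructed signatures, not any real product's ruleset.
WAF_RULES = {
    "sqli_tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "sqli_comment": re.compile(r"(--|/\*)"),
    "xss_script_tag": re.compile(r"<\s*/?\s*script", re.I),
}


def waf_match(value):
    """Return the name of the first firewall signature that fires, or None."""
    for name, rule in WAF_RULES.items():
        if rule.search(value):
            return name
    return None


# Layer 2: allowlist validation per form field inside the web application (constructed rules).
FIELD_RULES = {
    "username": re.compile("[A-Za-z0-9_]{1,32}"),
    "comment": re.compile("[^<>\"']{0,200}"),
}


def input_valid(field, value):
    """True if the whole value matches the field's allowlist pattern."""
    return FIELD_RULES[field].fullmatch(value) is not None


# Layer 3: database access. The concatenating query is the bug behind SQL Injection
# findings; the parameterised query is the fix at this layer.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_concat(conn, username):
    """Vulnerable: the value is spliced into the SQL text."""
    try:
        rows = conn.execute(
            f"SELECT name FROM users WHERE name = '{username}' ORDER BY name").fetchall()
    except sqlite3.Error:
        return None  # broken syntax is itself an injection symptom
    return [r[0] for r in rows]


def lookup_param(conn, username):
    """Safe: the value is bound as a parameter and can never change the query shape."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (username,)).fetchall()
    return [r[0] for r in rows]


# Layer 4: output filtering. Encoding at render time neutralises reflected XSS
# even when a payload survived every earlier layer.
def render_raw(comment):
    return f"<p>{comment}</p>"


def render_encoded(comment):
    return f"<p>{html.escape(comment, quote=True)}</p>"


def trace(field, value, enabled):
    """Walk `value` for form field `field` through the enabled layers in order.

    Returns the name of the first layer that blocks it, or None if it reaches the
    sink unblocked. "Blocked" at the database layer means the parameterised query
    behaves differently from the concatenating one; at the output layer it means
    encoding changed the rendered markup.
    """
    conn = make_db()
    for layer in LAYERS:
        if layer not in enabled:
            continue
        if layer == "app_firewall" and waf_match(value):
            return layer
        if layer == "input_validation" and not input_valid(field, value):
            return layer
        if layer == "database" and field == "username":
            if lookup_concat(conn, value) != lookup_param(conn, value):
                return layer
        if layer == "output_filter" and field == "comment":
            if render_encoded(value) != render_raw(value):
                return layer
    return None


if __name__ == "__main__":
    # Constructed findings: one SQLi tautology, one classic XSS, one XSS the firewall misses.
    findings = [("username", "' OR '1'='1"),
                ("comment", "<script>alert(1)</script>"),
                ("comment", '"><img src=x onerror=alert(1)>')]
    for field, payload in findings:
        print(f"{payload!r:40} all layers: {trace(field, payload, set(LAYERS))!s:17}"
              f"firewall only: {trace(field, payload, {'app_firewall'})}")
```

The third finding is the instructive one: the firewall's signatures do not fire on it, so a site that relies on the firewall alone reports it as unblocked, while the same site with input validation or output encoding enabled stops it there. That is the comparison the post suggests making when a flaw turns up: enumerate the layers actually deployed, and the first one that should have caught the payload is where the fix belongs.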
Current thread:
- XSS or HTTP Response Splitting? Joxean Koret (Jan 02)
- Re: XSS or HTTP Response Splitting? Amit Klein (AKsecurity) (Jan 06)
- Vulnerability statistics Benjamin Livshits (Jan 06)
- Re: Vulnerability statistics Jeremiah Grossman (Jan 07)