Penetration Testing mailing list archives
Web App Vulnerabilities Statistical Analysis WP
From: "Imperva Application Defense Center" <adc () imperva com>
Date: Mon, 28 Jun 2004 17:28:21 +0200
Dear List,

Imperva(tm)'s Application Defense Center (ADC) has released a new white paper titled "How Safe is it Out There (Zeroing in on the vulnerabilities of application security)". The paper, written by Moran Surf and Amichai Shulman, presents a statistical analysis of results obtained from numerous application level penetration tests performed by Imperva experts for various customers over the years 2000 - 2003.

The paper is available at http://www.imperva.com/adc/papers/safe as HTML or PDF.

Paper Information
=================

Authors
-------
Moran Surf, Application Security Expert, Imperva(tm) Inc.
Amichai Shulman, CTO & Co-Founder, Imperva(tm) Inc.

Abstract
--------
The article presents a statistical analysis of results obtained from numerous application level penetration tests performed by Imperva experts for various customers over the years 2000 - 2003. The research dives into the types of vulnerabilities found, their sources, the risk they incur, and their effects. The institutions whose applications were tested include banks, government institutions, telecommunication firms and even information security vendors.

The article presents a unique opportunity to take a peek into the usually secluded data regarding the actual risk posed to web applications. It shows a constant increase in risk level over years and an overwhelming overall percentage of applications susceptible to information theft (over 57%), direct financial damage (over 22%), denial of service (11%) and execution of arbitrary code (over 8%). The article analyses results of first time penetration tests as well as repeat tests (retests) in order to evaluate the evolution of application security within Web applications over time. Our conclusion is that without proper application security devices and secure software development education, the inherent risk to an application does not decrease and may even increase over time.

Taking into consideration that the organizations whose applications are included in this report are considered security aware (they showed the insight to order costly penetration tests), the results paint a bleak picture of the current state of Web application security.

Table of Contents
-----------------
- Table of Contents................2
- Abstract.........................3
- Introduction.....................4
- Methodology......................5
- Results..........................8
- Discussion......................10
- Conclusions.....................16
- Appendix........................17

---
Imperva's Application Defense Center
http://www.imperva.com/adc/