WebApp Sec mailing list archives
RE: Web App Vulnerabilities Statistical Analysis WP
From: "Imperva Application Defense Center" <adc () imperva com>
Date: Mon, 28 Jun 2004 18:57:24 +0200
Hi,
Just a quick note, 1) I find it amusing that your company was founded in 2002, yet you publish results from 2000?! (yea yea, you had older reports from personal audits...sure).
Imperva(tm) was founded on the basis of a services company called eDvice Security. eDvice was a small company whose founders and staff are the core of Imperva. The services activities conducted by eDvice Security have been continued by Imperva's ADC since the change. Therefore, despite existing officially only since 2002, the group that does these pentests, with the same methodologies and principles, has existed since early 2000.
2) Your attack classification system contains so many conflicts that I really don't understand how you managed to do the statistics. Isn't XSS a subset of Parameter Tampering? What about Session Hijacking, that is the result of a successful XSS attack...You are mixing apples with oranges...
You can easily classify ALL attacks under "Request Manipulation" or "Input Manipulation". We chose to differentiate normal parameter tampering attacks, where the attacker changes the VALUE of a parameter to be the value of a different one (such as price change, db id change, etc.), from attacks such as SQL Injection, XSS, etc., where a parameter change is used as the technique, yet the goal is a specific different attack. Session Hijacking does not refer to XSS attacks, but rather to places where the session was easily guessed or otherwise available to the attacker.
Couldn't Imperva adopt an existing attack classification, such as OWASP, or stick to a simple clean/clear one? Your results are all over the place.
Since our attack classifications have existed since 2000, long before OWASP had anything out, we remained with the attack classification which we used during our pentests over the years.
3) In general, such a survey is useless, since anyone can fake numbers, especially when you're talking about a vendor from that specific space.
I agree that numbers can be faked, and I can do nothing to make you believe in this without revealing confidential customer data. It is important to note, however, that Imperva's ADC is a stand-alone division inside Imperva which deals with services and research (as I already said, as a continuation of the services eDvice used to provide), and that performs such penetration tests regularly.
Bottom line, thanks for the nice graphs, and kudos for publishing yet another useless paper...I am giving Imperva the "Spammer of the year award".
I find this type of response disrespectful. Constructive criticism is legitimate, but this type of accusation, especially when coming from an anonymous mailbox created today, shows that this response is definitely motivated. Otherwise, why hide your real identity?

Sincerely,
Imperva's ADC