WebApp Sec mailing list archives

RE: Web App Vulnerabilities Statistical Analysis WP


From: "Imperva Application Defense Center" <adc () imperva com>
Date: Mon, 28 Jun 2004 18:57:24 +0200

Hi,

Just a quick note,
1) I find it amusing that your company was founded in
2002, yet you publish results from 2000?! (yea yea,
you had older reports from personal audits...sure).

Imperva(tm) was founded on the basis of a services company called eDvice
Security. eDvice was a small company whose founders and staff are the
core of Imperva. The services activities conducted by eDvice Security
have been continued by Imperva's ADC since the change. Therefore, despite
existing officially only since 2002, the group that does these pentests,
with the same methodologies and principles, has existed since early 2000.

2) Your attack classification system contains so many
conflicts that I really don't understand how you
managed to do the statistics. Isn't XSS a subset of
Parameter Tampering? What about Session Hijacking,
that is the result of a successful XSS attack...You
are mixing apples with oranges...

You can easily classify ALL attacks under "Request Manipulation" or
"Input Manipulation". We chose to differentiate normal parameter
tampering attacks, where the attacker changes the VALUE of a parameter
to be the value of a different one (such as price change, db id change,
etc), from attacks such as SQL Injection, XSS, etc, where a parameter
change is used as the technique, yet the goal is a specific different
attack. Session Hijacking does not refer to XSS attacks, but rather to
places where the session was easily guessed or otherwise available to the
attacker.

Couldn't Imperva adopt an existing attack
classification, such as OWASP, or stick to a simple
clean/clear one? your results are all over the place.

Since our attack classifications have existed since 2000, long before OWASP
had anything out, we remained with the attack classification which we
used during our pentests over the years.

3) In general, such a survey is useless, since anyone
can fake numbers, especially when you're talking about
a vendor from that specific space.

I agree that numbers can be faked, and I can do nothing to make you
believe in this without revealing confidential customer data. It is
important to note, however, that Imperva's ADC is a stand-alone division
inside Imperva which deals with services and research (as I already
said, as a continuation of the services eDvice used to provide), and that it
performs such penetration tests regularly.

Bottom line, thanks for the nice graphs, and kudos for
publishing yet another useless paper...I am giving Imperva
the "Spammer of the year award".

I find this type of response disrespectful.
Constructive criticism is legitimate, but this type of accusation,
especially when coming from an anonymous mailbox created today, shows
that this response is definitely motivated. Otherwise, why hide your
real identity?


Sincerely,

Imperva's ADC
