Penetration Testing mailing list archives

Web Application Security Consortium Project Announcements


From: contact () webappsec org
Date: Mon, 4 Apr 2005 15:22:04 -0400 (EDT)

The Web Application Security Consortium (WASC) is pleased to present 
two project announcements, and a document update.  



1) "Web Application Security Statistics" Project
http://www.webappsec.org/projects/statistics/

The WASC Statistics Project is the first attempt at an industry-wide
collection of application vulnerability statistics in order to identify
the existence and proliferation of application security issues on 
enterprise websites. Anonymous data correlating vulnerability numbers 
and trends across organization size, industry vertical and geographic 
area are being collected and analyzed to identify the prevalence of 
threats facing today's online businesses. Such empirical data aims to
provide the first true statistics on application layer vulnerabilities.

Using the Web Security Threat Classification 
(http://www.webappsec.org/projects/threat/)
as a baseline, data is currently being collected and contributed by 
more than a half dozen major security vendors with the list of contributors 
growing regularly.


We are actively seeking others to contribute data.

If you would like to be involved with the project, please contact Erik
Caso (ecaso AT ntobjectives DOT com)



2) "Distributed Open Proxy Honeypot" Project
http://www.webappsec.org/projects/honeypots/

The WASC solution is to use one of the web attacker's most trusted
tools against him - the Open Proxy server.  Instead of being the target
of the attacks, we opt to be used as a conduit of the attack data in
order to gather our intelligence.  By deploying multiple, specially
configured open proxy servers (or proxypots), we aim to take a bird's-eye
look at the types of malicious traffic that traverse these systems.
The honeypot systems will conduct real-time analysis on the HTTP
traffic to categorize the requests into threat classifications outlined
by the Web Security Threat Classification 
(http://www.webappsec.org/projects/threat/)
and report all logging data to a centralized location.

If you would like to be involved with the project, please contact Ryan
Barnett (rcbarnett AT hushmail DOT com)



3) Web Security Threat Classification is now available in HTML format 
to make referencing and using the information easier.
http://www.webappsec.org/projects/threat/
 

