Secure Coding mailing list archives

Need some numbers about application security


From: ref66 at yahoo.com (Roman H.)
Date: Mon, 20 Nov 2006 09:39:03 -0800 (PST)

Ravid,

We would all love to get the data you are asking for.  However, most organizations aren't willing to publicize their 
security problems, so this kind of data is hard to obtain.  That said, there are nuggets of information here and there 
if you are willing to do some work.  A couple of things that come to mind:
 
Compilations of public vulnerabilities that probably represent only the tiniest fraction of the tip of the iceberg:
http://www.webappsec.org/projects/whid/
http://www.us-cert.gov/cas/bulletins/SB2005.html

For actual dollar amounts, the Chipotle Prospectus discusses security breaches and regulatory compliance starting on 
page 27.  If you are looking for purely risk-based numbers rather than compliance issues, this won't help you.  Plus 
this is only a single source:
http://www.chipotleexchange.com/Prospectus.pdf
 
Look around for more things like these and you can start compiling numbers.  Keep in mind that when you are done, you 
will have a collection of anecdotes rather than meaningful data.  For example, calculating the "frequency of 
application based attacks" would require that all application based attacks are actually reported to some central 
authority, which they are not.  With the recent "security breach notification" laws that are being passed in the United 
States, perhaps some useful data will begin to surface.  Even that will be limited to incidents in which personal data 
was lost or stolen, and will also include non-application-based attacks like laptop theft.  

You might also skim the first chapter of any of the recent books on application and software security, which generally 
address the questions you have.

Hope this helps,
Roman

----- Original Message ----
From: Ravid L <ravid.work at gmail.com>
To: SC-L at securecoding.org
Sent: Monday, November 20, 2006 4:41:40 AM
Subject: [SC-L] Need some numbers about application security

Hi everyone!

I am looking for some numbers about application security for a presentation.
I need data about how many organizations have experienced an application-based attack recently.
What is the frequency of application-based attacks?
How many applications in the real Internet environment will need this kind of protection?
What is the financial damage in real numbers for companies that have been the target of such attacks? (damage in numbers 
and damage to stock, for example).

If anyone has any data (from reliable sources) about these questions I will be so grateful...

Thanks,
Ravid.




