Secure Coding mailing list archives

Need some numbers about application security


From: mcgegick at ncsu.edu (Michael Gegick)
Date: Tue, 21 Nov 2006 12:44:50 -0500

Try this:
http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml (you'll need to fill out the form)

michael

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of sc-l-request at securecoding.org
Sent: Tuesday, November 21, 2006 12:00 PM
To: sc-l at securecoding.org
Subject: SC-L Digest, Vol 2, Issue 202

Send SC-L mailing list submissions to
        sc-l at securecoding.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://krvw.com/mailman/listinfo/sc-l
or, via email, send a message with subject or body 'help' to
        sc-l-request at securecoding.org

You can reach the person managing the list at
        sc-l-owner at securecoding.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of SC-L digest..."


Today's Topics:

   1. Re: Need some numbers about application security (Roman H.)


----------------------------------------------------------------------

Message: 1
Date: Mon, 20 Nov 2006 09:39:03 -0800 (PST)
From: "Roman H." <ref66 at yahoo.com>
Subject: Re: [SC-L] Need some numbers about application security
To: Ravid L <ravid.work at gmail.com>, SC-L at securecoding.org
Message-ID: <20061120173903.59399.qmail at web32414.mail.mud.yahoo.com>
Content-Type: text/plain; charset="us-ascii"

Ravid,

We would all love to get the data you are asking for.  However, most
organizations aren't willing to publicize their security problems, so this
kind of data is hard to obtain.  That said, there are nuggets of information
here and there if you are willing to do some work.  A couple of things that
come to mind:
 
Compilations of public vulnerabilities that probably represent only the
tiniest fraction of the tip of the iceberg:
http://www.webappsec.org/projects/whid/
http://www.us-cert.gov/cas/bulletins/SB2005.html

For actual dollar amounts, the Chipotle Prospectus discusses security
breaches and regulatory compliance starting on page 27.  If you are looking
for purely risk-based numbers rather than compliance issues, this won't help
you.  Plus this is only a single source:
http://www.chipotleexchange.com/Prospectus.pdf
 
Look around for more things like these and you can start compiling numbers.
Keep in mind that when you are done, you will have a collection of anecdotes
rather than meaningful data.  For example, calculating the "frequency of
application based attacks" would require that all application based attacks
are actually reported to some central authority, which they are not.  With
the recent "security breach notification" laws that are being passed in the
United States, perhaps some useful data will begin to surface.  Even that
will be limited to incidents in which personal data was lost or stolen, and
will also include non-application-based attacks like laptop theft.  

You might also skim the first chapter of any of the recent books on
application and software security, which generally address the questions you
have.

Hope this helps, 
 Roman

----- Original Message ----
From: Ravid L <ravid.work at gmail.com>
To: SC-L at securecoding.org
Sent: Monday, November 20, 2006 4:41:40 AM
Subject: [SC-L] Need some numbers about application security

Hi everyone!
  
I am looking for some numbers about application security for a
presentation.
I need data about how many organizations experienced an application-based
attack recently.
What is the frequency of application-based attacks?
How many applications in the real Internet environment will need this kind
of protection?
What is the financial damage in real numbers for companies that have been a
target of such attacks? (damage in numbers and damage to stock, for example).

If anyone has any data (from reliable sources) about these questions I will
be so grateful...

Thanks,
Ravid.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20061120/06c03df0/attachment-0001.html

------------------------------

_______________________________________________
SC-L mailing list
SC-L at securecoding.org
http://krvw.com/mailman/listinfo/sc-l


End of SC-L Digest, Vol 2, Issue 202
************************************