Secure Coding mailing list archives

Website Security Statistics Reports Abound


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 24 Sep 2010 17:16:01 -0700

This is a really awesome time to be involved with web application
security, and software security in general! Real metrics are finally
being published in our industry. This will help us move away from the
Anecdotal Evidence powering competing Security Risk Religions that
folks have been selecting between by coin-toss, when choosing
application security initiatives. Facts rule.

Cool reports so far this year:

+ Verizon DBIR (tells us who is hacking what)
+ Veracode's stats reports
+ WhiteHat's stats reports

BSIMM has some promise here, too.

WhiteHat Security just published their 10th stats report -
remediation-timeline stats from 2,000 websites. This should be
interesting to SC-L given the degree of SDL zealotry here.

Quote from WASC list:

Many in the industry are eager to receive new and timely webappsec
statistics. Yesterday we released "WhiteHat Website Security Statistic
Report - Industry Benchmarks." Now over 2,000 websites' worth of
vulnerability data collected over the last several years.

This report is meant to help answer the question, “How are we doing?”
I uploaded all the data to my slideshare account for easy viewing.
Enjoy!

Slides
http://www.slideshare.net/jeremiahgrossman/website-security-statistics-report-2010-industry-bechmarks

Full Report
http://www.slideshare.net/jeremiahgrossman/w-pstats-fall1010th

/Quote

---

Veracode also published a stats report around the same time that looks
interesting, though I haven't managed to chew all the way through it
yet:

It appears Veracode observes different remediation times. Why?

(I ask here since the Veracoders haunt this list)

---
Arian Evans
Software Security Scanning Sophisticate

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________