WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Wed, 4 Dec 2002 10:57:39 -0500
Steven M. Christey wrote:
It sounds like you're advocating a "top ten" that's based on other criteria besides "the most frequently occurring" types of issues. The basic question is, what would be the proper criteria for such a top ten list, and what would be the goals?
The problem with "most frequently occurring" is that our instruments for measuring are so poor that I don't believe they represent reality. The public vulnerability databases don't list problems with individual websites (although there's at least an argument that they should). Companies don't release information about vulnerabilities in their sites, assuming that they even uncover them.

I'd like to see a top ten list that helps to crystallize the issue for government and industry. I'm not a huge fan of the SANS list, but it has made a tremendous impact on security spending -- even starting a whole market for SANS scanning.

Roughly how big do you think the risk from web application vulnerabilities is? Equal to the risk from "network" vulnerabilities like SANS lists? Half? Quarter? Whatever you think, web application security spending is only a tiny fraction of the huge dollars spent on network security. Why? Because it's currently easy to ignore -- and a top ten list is easy to focus on and manage to.

I think we should select the vulnerabilities that pose the greatest aggregate risk to government and industry (in terms of likelihood and impact). It doesn't have to be perfect, just our best guess at what is likely to be a big problem over the course of the next year. We can update it periodically (like SANS).

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com
Current thread:
- Re: Top Ten Web App Sec Problems, (continued)
- Re: Top Ten Web App Sec Problems Steven M. Christey (Dec 02)
- RE: Top Ten Web App Sec Problems Richard M. Smith (Dec 02)
- Re: Top Ten Web App Sec Problems Kevin Spett (Dec 02)
- Re: Top Ten Web App Sec Problems Alex Lambert (Dec 02)
- Re: Top Ten Web App Sec Problems Marc Slemko (Dec 02)
- RE: Top Ten Web App Sec Problems Richard M. Smith (Dec 02)
- Re: Top Ten Web App Sec Problems Steven M. Christey (Dec 02)
- Re: Top Ten Web App Sec Problems Jeff Williams @ Aspect (Dec 02)
- RE: Top Ten Web App Sec Problems Craig, Scott (Dec 03)
- RE: Top Ten Web App Sec Problems Steven M. Christey (Dec 03)
- RE: Top Ten Web App Sec Problems Richard M. Smith (Dec 03)
- RE: Top Ten Web App Sec Problems b0iler _ (Dec 03)
- Re: Top Ten Web App Sec Problems Jeff Williams @ Aspect (Dec 04)
- Re: Top Ten Web App Sec Problems Steven M. Christey (Dec 04)