WebApp Sec
mailing list archives
Re: Top Ten Web App Sec Problems
From: Alex Russell <alex () netWindows org>
Date: Mon, 2 Dec 2002 12:19:53 -0600
On Saturday 30 November 2002 13:21, Mark Curphey wrote:
> What we were looking at is more of a report like page 4 of this
> excellent paper by Andrew Jaquith
> http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf
> In it you can see they say 79% of applications reviewed have serious
> session management flaws, and 73% have serious parameter manipulation
> flaws.
> That doesn't surprise me in the slightest, considering the amount of
> confusion just on this list (and those on this list are actually interested
> in doing the right thing) about session management and its kin.
> Is this accurate in your opinion?
A couple of things to note about the paper:
* only 45 samples were taken. Presumably, each of these companies agreed to
participate, meaning that the worst (or the most press-averse) are not
likely represented, despite the anonymous nature of the sample set.
* tools are downplayed in the analysis, yet no hard numbers are provided to
substantiate this. All that is said is that components are interchangeable
and should be treated this way. I'm not sure I'd buy this line, even if it
had numbers to back it up.
Overall, I think the paper is a good start, but needs more substantiation for
many of its claims. As for whether or not it reflects the real world, I'd
be inclined to say that if a company is hiring @stake, they're probably
already on the right track, so things are probably even worse than they
look.
--
Alex Russell
alex () netWindows org
alex () SecurePipe com