On Thursday, January 6, 2005, at 01:55 PM, Benjamin Livshits wrote:
> Looking at the OWASP's top ten list, are there any recent studies as to
> what fraction of vulnerabilities accounts for each of the top ten
> categories?
The only resource I am aware of that comes close is a statistical
analysis by Imperva. I found much of the information interesting and
useful. However, it also highlights the need for something more
extensive across the board.
http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html
Speaking for myself, we are using the WASC Threat Classification to
categorize our vulnerability findings.
http://www.webappsec.org/threat.html
Discounting severity and going only by the total number of discovered
vulnerabilities, the two most commonly identified issues are XSS (~60%)
and SQL Injection (~20%), matching up against A4 and A6 in the OWASP
Top 10 respectively. The remaining (~20%) of the vulnerabilities fall
mixed into the other classes and are also heavily dependent on the
particular web sites in question.
> What about the percentage of vulnerabilities caused by coding errors vs
> configuration flaws?
Specifying the culprit for a web security flaw may really depend on
where you place your defenses. As the webapp attack enters the
infrastructure, many layers of security may stand in the way.
(defense in depth). Here is one way to look at the traffic flow between
security layers:
Application Firewall -> Reverse HTTP Proxy -> Web Server Security
Module/Configuration -> Web Application Input Validation -> Database
Configuration -> Web Application Output Filtering.
When talking about attack types like XSS and SQL Injection, oftentimes
they can be defended against using any number of these security
layers. Circling back, when a flaw is identified, you need to find the
spot in your infrastructure where the attack should have been blocked,
whether it's a security add-on or at the web application. Hope this
helps.
Regards,
Jeremiah-
Received on Jan 07 2005
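The layered view in the reply above (web application input validation, database access, web application output filtering) can be shown concretely. The following is an added example, not code from the original message or from either poster; it assumes a hypothetical `users` table with a username and a display name, and uses Python's standard `sqlite3` and `html` modules so it runs offline. Each function stands in for one layer, so that an XSS- or SQL-injection-style input is stopped at more than one point, which is the "where should this have been blocked" question the reply raises.

```python
import html
import re
import sqlite3

# Layer: web application input validation.
# Allow-list pattern for usernames (an assumption for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value: str) -> bool:
    """Return True only if the username matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed sample rows standing in for a real users table.
# The second display name deliberately contains HTML markup so the
# output-filtering layer has something to neutralize.
SAMPLE_USERS = [
    ("alice", "Alice Example"),
    ("bob", "Bob <b>Builder</b>"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


# Layer: database access.
# The username is passed as a bound parameter, so whatever it contains is
# treated as data by the driver and never becomes part of the SQL text.
def find_user(conn: sqlite3.Connection, username: str):
    """Return (username, display_name) for an exact match, or None."""
    return conn.execute(
        "SELECT username, display_name FROM users WHERE username = ?",
        (username,),
    ).fetchone()


# Layer: web application output filtering.
# Anything that reaches an HTML response is escaped, so stored markup in a
# display name renders as text instead of being interpreted by the browser.
def render_profile(display_name: str) -> str:
    """Build the profile fragment with the display name HTML-escaped."""
    return "<p>Welcome, {}</p>".format(html.escape(display_name, quote=True))


def profile_page(conn: sqlite3.Connection, username: str) -> str:
    """Run a request through all three layers in order."""
    if not validate_username(username):
        return "<p>Invalid username</p>"
    row = find_user(conn, username)
    if row is None:
        return "<p>No such user</p>"
    return render_profile(row[1])


if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "bob", "bad name!"):
        print(name, "->", profile_page(db, name))
```

Each layer is independently sufficient for its own class of flaw: the allow-list rejects anything outside the expected character set before it reaches the database, the bound parameter keeps the query shape fixed even if validation were missing, and the escaping step protects the response even when the stored value itself is untrusted. When reviewing a finding, checking which of these layers was absent at the point of failure is the "spot where the attack should have been blocked".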