
Friday, March 5, 2004

The following was recently posted to the SC-L mailing list by Chris Wysopal of VulnWatch in response to a question. It is interesting and relevant, and is reproduced here.

@stake published its first application security metrics report in April 2002. It is an analysis of 45 "e-business" applications that @stake assessed for its clients. Most are web applications.

The Security of Applications: Not All Are Created Equal
http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf

@stake found that 70% of the defects analyzed were design flaws that could have been found using threat modeling and secure design reviews before the implementation stage of development.

62% of the apps allowed access controls to be bypassed
27% had no prevention of brute force attacks against passwords
71% had poor input validation

@stake lists the top 10 categories of application defects found. The list predates the OWASP Top 10 by eleven months and is largely the same. The data gives the percentage of applications affected and is ranked, so it is not anecdotal.

This is a follow-up to the first application defect study, done 15 months later, in July 2003. It was done to see whether application security is improving.

The Security of Applications, Reloaded
http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf

The results found that security is improving overall but that there is a widening gap between the security quality of the top quartile of applications and the bottom quartile.

There is another article that three @stake authors wrote for IEEE Security & Privacy magazine which contains elements from both reports.

Information Security: Why the Future Belongs to the Quants
http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf

Tags: Security
Posted 3/5/2004 1:48 PM Eastern Standard Time