The main discussion point at the chapter meeting was the figure for Cross-site scripting (XSS). According to the DBIR, only 1% of data breaches are the result of XSS vulnerabilities, and they account for less than 1% of stolen records. SQL injection accounts for 14% of breaches (and 24% of records stolen). That said, there is no direct mapping from the DBIR's types of hacking to the OWASP Top 10 categories.
The figure for XSS seems low given the focus that the AppSec community and OWASP place on it. One question that arises is whether these figures are accurate. Verizon does discuss "Sample Bias", but it should be noted that much of the data comes from outside organisations rather than from Verizon alone.
A few thoughts:
- Based on these figures, it would be difficult to persuade managers with a limited security budget to invest significantly in preventing XSS.
- Issues with authentication and passwords are much more prevalent according to the DBIR. Does this indicate that XSS should fall a few places in the next version of the OWASP Top 10 and that "A3: Broken Authentication and Session Management" should climb? This matters especially because the OWASP Top 10 is meant to reflect actual risk.
- XSS vulnerabilities are prevalent in many web applications but, according to these figures, are not actually exploited all that much to breach data.
Here is the DBIR chart. The quality isn't great, so it is best to see it in the original Verizon 2011 DBIR report on page 32. Figure 23, a few pages later, is also interesting: it shows that Web Application attacks were used in 22% of the breaches but resulted in 38% of the records breached. So an attacker gets more bang for their buck by targeting an online application, which is worth keeping in mind when weighing the XSS figure above.