I recently gave a short talk at OWASP Switzerland. One of the slides I showed was a figure taken from the Verizon 2011 Data Breach Investigations Report (DBIR, shown below), which was published in April 2011. The chart shows the types of hacking used, as a percentage of breaches. The DBIR looked at approximately 761 data breaches, not only those caused by web application vulnerabilities. It's worth reading. The main discussion point at the chapter meeting was the value for cross-site scripting (XSS). According to the DBIR, only 1% of data breaches result from XSS vulnerabilities, and they account for less than 1% of stolen records. SQL injection accounts for 14% of breaches (and 24% of records stolen). That said, there is no direct mapping from the DBIR's types of hacking to the OWASP Top 10.
The value for XSS seems low given the focus that the AppSec community and OWASP place on it. One question that arises is whether these figures are accurate. Verizon does discuss "sample bias" in the report, and it should be noted that much of the case data comes from outside organisations rather than from Verizon's own investigations.
A few thoughts:
- Based on these figures it would be difficult to persuade managers with a limited security budget to invest significantly in preventing XSS.
- Issues with authentication and passwords are much more prevalent according to the DBIR. Does this indicate that XSS should fall a few places in the next version of the OWASP Top 10 and that "A3: Broken Authentication and Session Management" should climb? This matters especially because the OWASP Top 10 is meant to reflect actual risk.
- XSS vulnerabilities are prevalent in many web applications but are not actually exploited all that much to breach data. One plausible reason: XSS executes in a victim's browser and typically yields a single user's session or credentials, whereas SQL injection runs against the database and can extract a whole table in one go, which is exactly what the DBIR's "records stolen" metric measures.
Here is the DBIR chart. The quality isn't great; it's best to see it in the original Verizon 2011 DBIR report, on page 32. Figure 23, a few pages later, is also interesting: it shows that web application attacks were used in 22% of the breaches but accounted for 38% of the records breached. So you get more bang for your buck if you attack an online application.
