Sunday 1 April 2012

XSS , OWASP Top 10, Verizon DBIR 2012

Last week, Verizon released their annual Verizon Data Breach Investigation Report (DBIR) 2012.

This report investigated 855 incidents involving "174 million compromised records".

XSS (Cross-Site Scripting) is not mentioned in the document (the 2011 edition at least mentioned it). This implies that Verizon has not found XSS to be a significant cause of the incidents it investigated.

The conclusion seems to be that while XSS is regularly found in online applications, it does not seem to be exploited very much, so the risk associated with XSS is (relatively) low.

According to OWASP:
The OWASP Top 10 "presents a more concise risk focused list of the Top 10 Most Critical Web Application Security Risks."
The OWASP Top 10 currently has XSS as the number 2 risk, ahead of issues related to credentials (passwords etc.). The potential problem with this ranking is that organisations will prioritise their application security programmes based on the OWASP Top 10. This means they could be placing too much emphasis on topics such as XSS and not enough on topics such as credential management.

It will be interesting to see the rankings in the next edition of the OWASP Top 10 201?
