Comments on Web Application Security - from the start: XSS and Verizon DBIR

alexisfitzg (https://www.blogger.com/profile/11125069272250693078), 2012-01-08 10:32 +01:00

Clerkendweller,

I think it's only a breach if the XSS vulnerability is exploited. And that's the main point of the Verizon DBIR - if you accept it. While it is prevalent, how often is it exploited? That is the risk factor.

Then the question for me is whether too much emphasis is placed on XSS at the expense of the other types of problems as presented in the Verizon DBIR chart.

Alexis

Clerkendweller (https://www.blogger.com/profile/14182662648041782532), 2012-01-06 22:39 +01:00

A few more thoughts:

1. Would many organisations count XSS as a "Breach"?

2. Would many organisations even know they had an XSS problem?

3. Would the organisations care, especially if the effects were more significant for individual users than for the organisation?

If we look at the impact from the user's perspective (and some organisations in the government and not-for-profit sectors might do this), the impact ranking would be different.

alexisfitzg (https://www.blogger.com/profile/11125069272250693078), 2011-12-30 07:53 +01:00

RiskPundit,

I agree that the figures should be taken with caution. I was originally thinking of calling this post "Lies, Damn Lies and XSS".

Alexis

RiskPundit (https://www.blogger.com/profile/07829413010928581199), 2011-12-30 00:40 +01:00

A couple of points to note:

The Verizon DBIR is very oriented to PCI DSS. In fact 96% of the records lost from the 761 cases are payment card numbers/data. The number for lost intellectual property is 0%.

Also, of the 761 companies involved, 522 had fewer than 101 or an unknown number of employees.

So I would be cautious when drawing conclusions.