Thursday, April 19, 2007

Here come the statistics!

Finally, hard data is being made available so we don’t have to speak in purely theoretical terms anymore about the importance of our work. We’ve been waiting to get to this point in the industry for years. I’ve been talking about the need for statistics on “how websites can be broken into” and also “how they are attacked or compromised”. This is important stuff to have at the ready. So today I was very happy to have the opportunity to host a popular webinar (slides) and release our in-depth Web Application Security Risk Report (reg req.). Mind the marketing-fu:

“Through our flagship service, WhiteHat Sentinel, we perform rigorous and ongoing vulnerability assessments on hundreds of (public-facing) production and development websites each month. Our work gives us a one-of-a-kind perspective into website vulnerability trends across financial, e-commerce, healthcare and high-tech industries. WhiteHat Security can accurately identify which issues are currently the most prevalent and severe. As the only company with access to this depth of cumulative data, we are sharing our findings to provide enterprises with a clearer picture of the vulnerability management issues affecting their websites. This quarter’s report represents a more than three-fold sample increase over the last, and is based on data obtained between January 1, 2006 and March 31, 2007.”

Then just last week the Web Application Security Statistics Project, to which we contributed along with three other companies, released a combined set of data. Sure, there were a few gripes about the value of the data, but this is just a starting point for progress and people recognize that. Over time, the data will become larger and more representative. Good stuff for the community at large. Get involved if you can.

“This initial round of statistics was compiled from data provided by four vendors - Whitehat Security, SPI Dynamics, Positive Technologies and Cenzic. We would like to thank all of the initial contributors for their participation. Our goal is to have the project grow over time with data from an increasing number of sources as this will improve the overall quality of the data. Statistical biases will be lessened as more entities contribute to the initiative so we would encourage those vendors engaged in web application scanning work to contact us if they are interested in participating in the project.”

And also, the Web Hacking Incidents Database has been updated at long last; it is an excellent resource for researching news stories relevant to web application security.

“The web hacking incident database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. The database is unique in tracking only media reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only.”