Comments on Jeremiah Grossman: Website Security Statistics Report (2010) - Industry Benchmarks

Jeremiah Grossman, 2010-09-30:
@Aaron Correct, the data is exclusively ours. Although we do contribute to the WASC Statistics project, which is separate from this report.

Yes, zero vulnerabilities MIGHT be possible, but it is going to be seriously expensive and time-consuming to pull off. Secondly, it is probably not necessary anyway. When good-enough software security is achieved, it is better to invest resources after that to get attack visibility and improve one's ability to respond quickly.

Aaron Bryson, 2010-09-29:
These statistics are based on the data that WhiteHat has collected from its customers, correct? Very neat information. I like how you are very real about the fact that it is not feasible for a company to pursue, or believe they can achieve, "zero vulnerabilities". It really is a matter of "are we secure enough" and how much risk they are willing to accept. I just had this talk with a client the other day. Their goal was to refine their SDLC (soft dev life cycle) such that they will have no vulnerabilities, and possibly never need 3rd-party consulting (if they get really good at security).

Bhima shankar, 2010-09-24:
Good post. Thanks for sharing. Really helping in my work. Keep it up.

Jhon smith, 2010-09-24:
Really ironic score for the IT industry. Thanks for sharing.

Jeremiah Grossman, 2010-09-23:
@Dan I'd have to double-check, but PCI may be doing some good in certain areas, like remediation or time-to-fix. But one thing is for sure: it is not night & day.

Dan, 2010-09-23:
The "scores" for the IT industry are a bit ironic, if not surprising...

Retail is interesting too - looking at your report from last year - it's not totally clear, but it doesn't look like PCI 6.6 is doing much to help on this front (even if you tighten your scope for what is PCI - I would have expected some improvement, if only from education and cross-pollination).

Thanks for publishing this.