CEO of Bit Discovery, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, Off-Road Race Car Driver, Founder of WhiteHat Security, and Maui resident.
Wednesday, November 22, 2006
We don't know what we don't know
In network scanning the list of “well-known” vulnerabilities is large, but also finite. Databases such as OSVDB, SecurityFocus, MITRE (CVE), and others catalog the known universe of issues. Vulnerability coverage by network scanners is likely close to 100%. In “custom” web applications the luxury of well-known vulnerabilities or database repositories vanishes. Each new vulnerability identified is more or less a one-off / zero-day issue. Just as with bugs in application code, we truly never know how many vulnerabilities exist in a web bank, e-commerce store, payroll system, or any other custom web application. The upper bound is an unknown. Therefore we can never know for sure if any scan/assessment found them all. Vulnerability coverage could be as low as 10-20%, or higher, in the range of 80-90% or more. The point is we don’t know, it's difficult to measure, and it changes with each website.
2 comments:
Excellent graphic. Although there is no master agreed-upon list of vulns in the app space, surely there are buckets that we can (and do) divide the unknown into?
Heya Davi!
> Excellent graphic.
Trying to flex my meager creative talents.
> Although there is no master agreed-upon list of vulns in the app space, surely there are buckets that we can (and do) divide the unknown into?
Scan/Assessment methodologies will look for all the XSS/SQLInj/BizLogic/etc. vulnerabilities they can find. After we find a vuln, we can toss it into the well-known and agreed-upon buckets. What we don't know is how many of these issues are actually present in a given custom web application.
That's the problem. We can always measure who finds more than the next guy, but it's hard to measure against the unknown overall vuln total, which really matters most.