Comments on Jeremiah Grossman: We don't know what we don't know
(Blogger comment feed, last updated 2024-02-08)

Anonymous, 2006-11-22 17:18 (-08:00):

Excellent graphic. Although there is no master agreed-upon list of vulns in the app space, surely there are buckets that we can (and do) divide the unknown into?

Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186), 2006-11-23 07:47 (-08:00):

Heya Davi!

> Excellent graphic.

Trying to flex my meager creative talents.

> Although there is no master agreed-upon list of vulns in the app space, surely there are buckets that we can (and do) divide the unknown into?

Scan/assessment methodologies will look for all the XSS/SQLInj/BizLogic/etc. vulnerabilities they can find. After we find a vuln, we can toss it into the well-known and agreed-upon buckets. What we don't know is how many of these issues are actually present in a given custom web application.

That's the problem. We can always measure who finds more than the next guy, but it's hard to measure against the unknown overall vuln total, which really matters most.