Comments on Jeremiah Grossman: Web Application Security Professionals Survey (Nov)
Comment feed last updated 2024-02-08. Ten comments, newest first.

Jeremiah Grossman, 2006-11-16 07:40 (-08:00)

Hi Dharmesh, glad you liked the data. Over time we should see some interesting trends as we repeat some of the more interesting questions.

Jeremiah Grossman, 2006-11-16 07:38 (-08:00)

Hi Daniel,

From what I gathered, people find the severity of web app sec vulns dependent on the organization they are working with, the website, and the specific vulnerability found. No one has yet made a generic and meaningful method to classify these, probably because it's really hard to do so. I think PCI might be a model worth considering, but I'd also modify their definitions to suit web app sec better. It's the route WhiteHat is traveling down and seems to be doing OK.

Jeremiah Grossman, 2006-11-16 07:30 (-08:00)

Walter, thank you, glad you enjoyed it. I think you touched upon the same issue that Jeremiah and Jeremiah (read above) were discussing. I think I was trying to get two answers with one question and it became a little muddled. Next time I'll phrase it in such a way that I can find out what "solution" people feel is working and what "caused" people to implement web application security in the first place. We'll see how that works.

Dharmesh Mehta, 2006-11-15 21:31 (-08:00)

Hi Jeremiah,

First of all, awesome information collected. I am a regular reader of your blog. Good stuff... :)

Dharmesh Mehta, 2006-11-15 21:17 (-08:00)

This comment has been removed by a blog administrator.

Anonymous, 2006-11-15 19:56 (-08:00)

#5 (Risk)

Interesting to see a massive chunk of people using their own risk rating systems. What is it that people don't like about DREAD/TRIKE? Where are the weaknesses in using those systems and how can we build upon them?

Putting on the OWASP hat, would people feel happier if we came up with a better rating system which could be adopted by the community and be easier for clients to understand?

Anonymous, 2006-11-15 18:39 (-08:00)

It's very interesting! Good work! "Compliance to industry regulations" only got 2% in improving security of web sites. I think, from a practical standpoint, it implies the compliance report generated by an automatic assessment tool probably isn't necessary. And the most important thing might be to solve those critical and obvious problems like SQL Injection, XSS, PHP File Inclusion.

Again, I really like this survey.

Tom Brennan, 2006-11-15 11:04 (-08:00)

Nice collection of data, good work!

Jeremiah Grossman, 2006-11-15 09:29 (-08:00)

Hi Jeremiah, (good name) :)

Comment #1
I think you're right on. I was trying to get two answers with one question and it probably didn't come out right. I'll see if I can word this better for the December survey, maybe like "web application assessment drivers", and we'll see what the results are.

Comment #2
Again, right on. Viewing in the format I supplied is a bit awkward and could use improvement. I'll be making use of your feedback on the next go round. This is a learning process for me as well since this is my first time doing survey reports. :)

Thanks for the kind words and feedback, much appreciated.

Anonymous, 2006-11-15 08:49 (-08:00)

Interesting stuff! I feel that the "what makes sites more secure" question is a little problematic. Regulations never make sites more secure. They might motivate management to cause their IT folks to use some method to make their sites more secure, though. It seems like you're conflating two questions:
* What organizational activity MOST improved the security of their websites?
* What prompts these activities?
a) Incident
b) Regulation
c) Risk analysis

Or something like that.

Putting on my copy editor hat, you had the 40% label selected when you took the screenshot for #10, and your legends are terrible. Put the answers in the legend (or at least to the right of the legend), and have the legend be in the same order as the pie slices. I think the best way to do it is to get rid of the a/b/c entirely and just put the answers in the legend, sorted from most to least common.

I criticize because your blog is awesome. If it wasn't, I wouldn't care.