[WEB SECURITY] stats on how web app vulns are identified

Will Jefferies wjefferies at fncinc.com
Tue Jun 7 14:24:24 EDT 2005


I do not have any hard statistical data at the moment, but I review many many installations and have found that 100% of the time I have needed to do by-hand inspection in addition to the automated variety.

Will

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Tuesday, June 07, 2005 12:34 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] stats on how web app vulns are identified

There are many security consultants and service providers, including myself, who perform black-box web application vulnerability assessments. In order to speed the identification of vulnerabilities, people use a variety of open-source/commercial scanners and proxy utilities. In my field experience, I've tested websites where it's possible to find all vulnerabilities with a scanner (because manual testing revealed nothing else); websites where every vulnerability needed to be found by hand (because the scanner reported zero); and other websites where different vulnerabilities were found by the tester and the scanner. I'm sure others on the list have experienced similar results.

What I haven't seen discussed in the industry, probably due to lack of hard data, is what the statistical breakdown looks like. For example, if we analyze assessment results on a website-by-website basis, how are vulnerabilities typically identified? What does the average website require as a testing methodology? I'd like to present our data (WhiteHat Security) in hopes that others will share their data/thoughts/experiences on the subject as well.

Based on the last 100 websites that WhiteHat Security has assessed (using the WASC Threat Classification as a baseline), below are the statistical results, using both automated scanning and human testing:

In 36% of websites, humans identified zero vulnerabilities beyond the scanner.
In 17% of websites, humans identified all vulnerabilities and scanner identified zero.
In 47% of websites, the experts and the scanner were complementary, identifying different vulnerabilities.


Regards,

Jeremiah Grossman
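The website-by-website breakdown above is easy to reproduce once each assessment records which findings came from the scanner and which from the human tester. The following is an added illustration, not code or data from the post or from WhiteHat Security: the site names and vulnerability ids are constructed placeholders, and the "no findings" bucket is an assumption added to cover the case the three percentages do not mention (a site where neither method found anything).

```python
"""Classify assessments by how their vulnerabilities were identified.

Added example. SAMPLE_ASSESSMENTS is constructed data, not real results.
"""
from collections import Counter

# Constructed sample: per site, the vulnerability ids reported by the scanner
# and the ids found by the human tester. Ids are placeholders.
SAMPLE_ASSESSMENTS = {
    "site-a": {"scanner": {"V1", "V2"}, "manual": {"V1"}},   # scanner already covered everything
    "site-b": {"scanner": set(), "manual": {"V3", "V4"}},    # scanner reported zero
    "site-c": {"scanner": {"V5"}, "manual": {"V5", "V6"}},   # overlapping but human found more
    "site-d": {"scanner": {"V7"}, "manual": {"V8"}},         # disjoint findings
    "site-e": {"scanner": set(), "manual": set()},           # neither found anything (assumed bucket)
}


def classify(scanner, manual):
    """Return which of the post's three buckets a single site falls into.

    The check order matters: an empty manual set is a subset of any scanner
    set, so the "no findings" case must be handled before the subset test.
    """
    scanner, manual = set(scanner), set(manual)
    if not scanner and not manual:
        return "no findings"          # assumption: not one of the post's three categories
    if manual <= scanner:
        return "scanner sufficient"   # humans identified zero vulns beyond the scanner
    if not scanner:
        return "human only"           # humans found everything, scanner found zero
    return "complementary"            # each method found something the other did not


def breakdown(assessments):
    """Percentage of sites in each bucket, rounded to one decimal."""
    counts = Counter(classify(a["scanner"], a["manual"]) for a in assessments.values())
    total = sum(counts.values())
    return {label: round(100 * n / total, 1) for label, n in counts.items()}


if __name__ == "__main__":
    for label, pct in sorted(breakdown(SAMPLE_ASSESSMENTS).items()):
        print(f"{pct:5.1f}%  {label}")
```

Run against real assessment records, the two interesting numbers are the "human only" and "complementary" shares, since together they measure how often a scanner-only engagement would have shipped with unknown findings.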


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

