Web App Vulnerabilities Statistical Analysis WP

From: Imperva Application Defense Center (adc@imperva.com)
Date: Mon Jun 28 2004 - 11:28:21 EDT


Dear List,

Imperva(tm)'s Application Defense Center (ADC) has released a new white
paper titled "How Safe is it Out There (Zeroing in on the
vulnerabilities of application security)".

The paper, written by Moran Surf and Amichai Shulman, presents a
statistical analysis of results obtained from numerous application level
penetration tests performed by Imperva experts for various customers
over the years 2000 - 2003.

The paper is available at http://www.imperva.com/adc/papers/safe as HTML
or PDF.

Paper Information
=================

Authors
-------
Moran Surf, Application Security Expert, Imperva(tm) Inc.
Amichai Shulman, CTO & Co-Founder, Imperva(tm) Inc.

Abstract
--------
The article presents a statistical analysis of results obtained from
numerous application level penetration tests performed by Imperva
experts for various customers over the years 2000 - 2003. The research
dives into the types of vulnerabilities found, their sources, the risk
they incur, and their effects. The institutions whose applications were
tested include banks, government institutions, telecommunication firms
and even information security vendors. The article presents a unique
opportunity to take a peek into the usually secluded data regarding the
actual risk posed to web applications. It shows a constant increase in
risk level over the years and an overwhelming overall percentage of
applications susceptible to information theft (over 57%), direct
financial damage (over 22%), denial of service (11%) and execution of
arbitrary code (over 8%). The article analyses results of first time
penetration tests as well as repeat tests (retests) in order to evaluate
the evolution of application security within Web applications over time.
Our conclusion is that without proper application security devices and
secure software development education, the inherent risk to an
application does not decrease and may even increase over time. Taking
into consideration that the organizations whose applications are
included in this report are considered security aware (they showed the
insight to order costly penetration tests), the results paint a bleak
picture of the current state of Web application security.

Table of Contents
-----------------
- Table of Contents
- Abstract
- Introduction
- Methodology
- Results
- Discussion
- Conclusions
- Appendix

---
Imperva's Application Defense Center
http://www.imperva.com/adc/
