Linux Today: Linux News On Internet Time.


WASC Announcement: 2008 Web Application Security Statistics Published

Oct 16, 2009, 20:32



[ Thanks to WASC for this link. ]

"As a result, we now have 4 data sets:

"Overall statistics by all kinds of activities;
Automatic scanning statistics;
Black box method security assessment statistics;
White box method security assessment statistics.

"Automatic scanning data is collected in a fully automated scanning process of hosting provider sites, without any preliminary settings (with the standard profile). Remember that not all the sites include interactive elements, and additional settings made by an expert for a particular Web application allow the efficiency of vulnerability detection to be greatly improved.

"Black box method security assessment statistics include the results of manual and automated Web application analysis without any previously known data about the application. As a rule, this includes scanning with standard settings and a manual search for vulnerabilities that automatic scanners cannot detect.

"White box method security assessment statistics include the results of deep Web application analysis, which includes analysis done as an authorized user. It also includes static source code and binary analysis. Detected vulnerabilities are classified according to the Web Application Security Consortium Web Security Threat Classification (WASC WSTCv2) early draft. Vulnerability risk level is determined by contributors or assessed according to CVSSv2 (Common Vulnerability Scoring System version 2). The level was then mapped to PCI DSS (Payment Card Industry Data Security Standard) risk levels as described in the methodology (see appendix 1)."
