Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html
WASC Announcement: 2008 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application...
More companies seek third-party Web app code review, survey finds
"The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information security...
Web Application Security Spending Relatively Unscathed By Poor Economy
"First the good news: Despite the global recession, two-thirds of organizations either have no plans to cut Web application security spending, or they expect their spending to increase this year. Now the bad news: Spending for security applications is less than 10 percent of the overall security budget in 36 percent of...
Application Security Vendors Need Help With Reporting
I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on The type of flaw and what it its impact is The URL affected Links to...
Security metrics on flaws detected during architectural review?
I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics...
Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones
"German researchers have discovered more than 300 cybercrime servers full of stolen credentials on more than 170,000 people -- and it is only the tip of the iceberg, they say. Researchers at the University of Mannheim's Laboratory for Dependable Distributed Systems were able to access nearly 100 so-called "dropzone" machines, and say...
WASC Announcement: 2007 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are...
Malware honeypots wait for '08
"An innovative malware honeypot project backed by a leading consortium of IT security experts is preparing to re-launch its global sensor network after Jan. 1 in an effort to dupe more cyber-criminals into handing over information about their latest attack methods. Project link: The Web Application Security Consortium's Distributed Open Proxy Honeypot...
Average zero-day bug has 348-day lifespan, exec says
"The average zero-day (0day) bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer, according to security vendor Immunity Inc.'s chief executive officer. Zero-day bugs are vulnerabilities that have not been patched or made public. When discovered and not disclosed, these...
MPack Reveals Stingy Web Hosts
"According to reports, thousands of Web sites, predominantly in Italy, were recently compromised using the MPack malware kit, which contained iframe tags that pointed surfers towards hacker-controlled Web sites. A security researcher at the SANS Institute's Internet Storm Centre says that only one of the Web sites hosted on the machine had...
Nearly 30,000 Malicious Web Sites Appear Each Day
"The number of malicious Web sites has skyrocketed over the past few months, going from 5,000 new ones a day in April to nearly 30,000 a day now. "This certainly is a huge increase," said Carole Theriault, a senior security consultant with Sophos, Inc., in an e-mail to InformationWeek. "In June, we...
Stats on Month of X bugs published
Kevin Beets from avertlabs has published some interesting stats on month of bugs projects including the amount of vulns published verses fixed. For more information visit the article link below. Article Link: http://www.avertlabs.com/research/blog/?p=286
One in 10 web pages laced with malware - Google
"At least one in 10 web pages are booby-trapped with malware, according to Google. A five-strong Google research team found that 450,000 pages, out of a sample of 4.5 million pages, contained scripts to install malicious code, such as Trojans and spyware on vulnerable PCs, the BBC reports. This is a conservative...
WASC Announcement: Distributed Open Proxy Honeypot Project Data Released
The Web Application Security Consortium (WASC) is pleased to announce the inital release of data collected by the Distributed Open Proxy Honeypot Project. This first release of information is for data gathered from January - April, 2007. During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their data...
Web based vulns top newly discovered issues
"The takeaway is that researchers are paying a lot more attention to web vulnerabilities, and if companies don't want to get caught up in that, then they need to pay attention to those flaws," said Steven Christey, the security researcher that authored the draft report and the CVE Editor for The MITRE...
Security flaws on the rise, questions remain
"We are seeing people discover vulnerabilities in software with tiny distribution and low installed base--free guestbooks that are written left and right, available by the thousands. And we are seeing that it takes no skill to find vulnerabilities in these applications. " - Securityfocus http://www.securityfocus.com/news/11367