[Owasp-dallas] [Owasp-community] Announcing the OWASP Web Hacking Incidents Database (WHID) Project - Seeking Participants

Zac Fowler zac.fowler at owasp.org
Thu Apr 16 20:32:29 UTC 2015


Cool project Ryan! Thanks for sharing!

On Mon, Apr 13, 2015 at 1:53 PM, Pawel Krawczyk <pawel.krawczyk at hush.com>
wrote:

> Hi Matt,
>
> Your research topic seems very similar to what I was trying to achieve a
> few years ago while working at Aon, except I was using it for risk
> management on a portfolio of around 1000 web applications of all possible
> business origins, ages and programming environments. WHID was very useful
> for the first part (actually, it was one of the best sources I had), which
> resulted in the following article with some quantitative estimates - I was
> also using the raw database which I received from Zone-H in the analysis:
>
>
> https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
>
> The model I was trying to build was actually something like: given a web
> application exposed to the Internet, with N users (plus a number of other
> features) how likely is it that it will be compromised? While quite useless
> from an individual application owner’s point of view (because your risk
> tolerance in such case tends to be close to zero) such a model would be
> extremely useful from a CIO’s point of view, where you need to share
> resources (yes, including security resources unfortunately) between
> hundreds or thousands of websites.
>
> This particular model I have eventually never published even though I have
> been using it for actual risk assessment. It was mostly because I hoped to
> get something like an actuarial model based on hard data, and instead got
> something closer to CVSS, where the formula’s coefficients are based on
> quite subjective experts’ opinion. Nonetheless, the model was quite useful
> in real life, I just never had enough time and motivation to really write
> it down and publish.
>
> My observation (expressed before by many) is that quantitative research on
> application security is quite challenging because there’s very little good
> quality representative data published and each data set out there is
> significantly biased. My afterthought is that I might be a bit too
> ambitious though, as models like CVSS may be equally useful for purely
> practical purposes :)
>
> On 13 Apr 2015, at 18:13, Matthew Parsons <
> mparsons at parsonsisconsulting.com> wrote:
>
> Ryan,
> I was thinking about using this type of information to do a quantitative
> risk assessment to predict future software security vulnerabilities.  I
> work for Intel as an application security engineer doing web penetration
> testing and source code review.  I am also a second year doctoral student
> with an anticipated graduation date of March 2017.  My research topic is a
> qualitative review interviewing 20 software security professionals on
> secure design patterns.  Dr. Gary McGraw suggested this topic.  Has the
> quantitative research been done?  And if not do you think there would be an
> interest with working on this?
>
> All the best,
> Matt
>
>
> On Tue, Apr 7, 2015 at 10:40 AM, Ryan Barnett <ryan.barnett at owasp.org>
> wrote:
>
>> Greetings OWASP Community!  I wanted to let everyone know that we have
>> officially launched the project -
>> https://www.owasp.org/index.php/OWASP_WASC_Web_Hacking_Incidents_Database_Project
>> .
>>
>> Project Description:
>>
>> WHID's goal is to serve as a tool for raising awareness of the web
>> application security problem and provide information for statistical
>> analysis of web application security incidents. The database is unique in
>> tracking only media-reported security incidents that can be associated with
>> a web application security vulnerability. This data is in contrast to many
>> public statistics reports on vulnerability prevalence in that it shows what
>> types of vulnerabilities attackers are actively exploiting.
>>
>>
>> A useful way to use WHID is to help provide data for “Likelihood of
>> Attack” RISK ratings.  There is a lot of public “vulnerability” data
>> publicly available, but which ones are actively being used by attackers?
>> Here is a quick mapping of OWASP Top 10 items to WHID entries -
>> https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
>>
>> We are actively seeking participants who can help add entries for WHID -
>> https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AvaknFl7LiV2dHRLNEVoNks4YlJuZ1JIWHhyaG5OM2c&usp=drive_web#gid=1.
>> If you would like to participate, please sign up for the mailing list
>> here:
>> https://lists.owasp.org/mailman/listinfo/owasp_wasc_web_hacking_incidents_database_project
>> You can also follow the project on Twitter -
>> https://twitter.com/owaspwhid
>>
>> Cheers.
>>
>> --
>> Ryan Barnett
>> OWASP Web Hacking Incidents Database Project Leader
>>
>> _______________________________________________
>> Owasp-community mailing list
>> Owasp-community at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>
>>
>
>
> --
> Matt Parsons, CISSP, MSM
> mparsons at parsonsisconsulting.com
> http://www.parsonsisconsultingblog.com
> http://www.twitter.com/parsonsmatt
>
> --
> Pawel Krawczyk
> pawel.krawczyk at hush.com +44 7879 180015
> CISSP, OWASP
>