[Owasp-ireland] "More Than 500K Websites Hit By New Form Of SQL Injection In '08"
Conor Mc Goveran
conor.mcgoveran at onformonics.com
Thu Feb 26 18:18:42 EST 2009
I suppose, not to do things in the singular, I will make my second post to the list within an hour or so of my first. Here again as a community (and here I am talking about the global OWASP community) we have an opportunity to be volunteers and use our energies in a positive way. This report is a report on a report from a commercial vendor (Breach) who collates incident information from 'publicly reported' breaches. So we are talking here about 80% of the 1% of reported breaches that Breach classify as based on some form of SQL Injection, XSS or hybrid attack, maybe, perhaps, kind of ....... This is lazy journalism at best.

To better inform our training, education, techniques and methods of design we need REAL information based on REAL attacks and REAL incidents. How can we begin to collate this information? I remember that both SANS and Security Focus (in conjunction with DShield) made brave efforts to collate global IDS and firewall logs. Not a great strategy. We received information on patterns and trends which was useful for tuning IDS patterns to drop false positives, but not a lot beyond that.

What is the solution? I have some ideas, but as a community we need to decide together. So I am throwing this bone out there. What is the right way to capture, identify and report on statistical levels of attacks and breaches so that we, a community of web developers, can produce secure web applications now and in the future? Who should collect this information? Should we lobby our TDs for California-style disclosure laws? Should we collate the information privately as a community? Now that OWASP is asking us, the community, for subscriptions, should we demand quality and timely information?
2009/2/26 Eoin <eoin.keary at owasp.org>
> Document can be found here:
> 2009/2/26 davidrook <david.rook at realexpayments.com>
>> David Rook
>> Security Analyst
>> Realex Payments
>> Owasp-ireland mailing list
>> Owasp-ireland at lists.owasp.org
> Eoin Keary CISSP CISA
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
> Quis custodiet ipsos custodes
Conor Mc Goveran,
Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
Company Reg: 45503