[Owasp-ireland] "More Than 500K Websites Hit By New Form Of SQL Injection In '08"

Eoin eoin.keary at owasp.org
Fri Feb 27 06:23:05 EST 2009


Hi,

Point taken. One thing to remember is that Ofer (CTO at Breach) also
organises the WASC incident database.
http://www.webappsec.org/projects/whid/

I believe much of the data in the Breach report is from the WASC (Web
Application Security Consortium) database and not procured by Breach
themselves.
Many of the incidents are submitted by individuals.
Breach have also been big supporters of OWASP, but as you say such a report
does have some commercial aspect.

ek



2009/2/26 Conor Mc Goveran <conor.mcgoveran at onformonics.com>

> I suppose, not to do things in the singular, I will make my second post to
> the list within an hour or so of my first. Here again as a community (and
> here I am talking about the global OWASP community) we have an opportunity
> to be volunteers and use our energies in a positive way. This report is a
> report on a report from a commercial vendor (Breach) who collates incident
> information from 'publicly reported' breaches. So we are talking here
> about 80% of the 1% of reported breaches that Breach classify as based on
> some form of SQL Injection, XSS or hybrid attack, maybe, perhaps, kind of
> ....... This is lazy journalism at best.
>
> To better inform our training, education, techniques and methods of design
> we need REAL information based on REAL attacks and REAL incidents. How can
> we begin to collate this information? I remember that both SANS and Security
> Focus (in conjunction with DShield) made brave efforts to collate global IDS
> and firewall logs. Not a great strategy. We received information on patterns
> and trends which was useful for tuning IDS patterns to drop false positives
> but not a lot beyond that.
>
> What is the solution? I have some ideas, but as a community we need to decide
> together. So I am throwing this bone out there. What is the right way to
> capture, identify and report on statistical levels of attacks and breaches
> so that we, a community of web developers, can produce secure web applications
> now and in the future? Who should collect this information? Should we lobby
> our TDs for California-style disclosure laws? Should we collate the
> information privately as a community? Now that OWASP is asking us, the
> community, for subscriptions, should we demand quality and timely information
> ...
>
> Conor.
>
>
> 2009/2/26 Eoin <eoin.keary at owasp.org>
>
>> Document can be found here:
>>
>>
>> http://www.breach.com/resources/whitepapers/downloads/WP_WebHackingIncidents_2008.pdf
>>
>> 2009/2/26 davidrook <david.rook at realexpayments.com>
>>
>>
>>> http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=O050UZ0A2SBO0QSNDLOSKH0CJUNN2JVN?articleID=214600046
>>>
>>> --
>>> David Rook
>>> Security Analyst
>>> Realex Payments
>>> Enabling thousands of businesses to sell online.
>>>
>>> Realex Payments Dublin:
>>> Castlecourt, Monkstown Farm, Monkstown, Co Dublin. Ireland
>>> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | www.realexpayments.com
>>>
>>> Realex Payments London:
>>> 1 Lyric Square, Hammersmith, London W6 0NB, United Kingdom.
>>> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  |
>>> www.realexpayments.co.uk
>>>
>>> Realex Payments Paris:
>>> 27 avenue de l'Opéra, 75001 Paris. France.
>>> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51
>>>
>>> Visit our other Realex Payments websites:
>>> www.airlinepayments.com
>>> www.sepa.ie
>>>
>>> Pay and Shop Limited, trading as Realex Payments has its registered
>>> office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is
>>> registered in Ireland, company number 324929.
>>>
>>>
>>> _______________________________________________
>>> Owasp-ireland mailing list
>>> Owasp-ireland at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>>
>>
>>
>>
>> --
>> Eoin Keary CISSP CISA
>> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>
>> OWASP Code Review Guide Lead Author
>> OWASP Ireland Chapter Lead
>> OWASP Global Committee Member (Industry)
>>
>> Quis custodiet ipsos custodes
>>
>>
>>
>
>
> --
> Conor Mc Goveran,
> Managing Director,
> Onformonics Ltd.
>
> Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
> Company Reg: 45503
> VAT: 9682767B
>
> Ph:        +353-14407576
> Mobile:  +353-872038598
>
>
>


-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes