[Owasp-ireland] "More Than 500K Websites Hit By New Form Of SQL Injection In '08"

Conor Mc Goveran conor.mcgoveran at onformonics.com
Sat Feb 28 04:37:20 EST 2009


Actually it wasn't the report itself I was commenting on, rather the article
on darkreading which was referencing the report. So apologies if it seemed I
was diminishing the report itself. The fact that the article didn't qualify
the source and scope of the data leads you to believe that these are
statistics which are compiled from a large data pool.
The choice on which areas to concentrate current attention within web
application security is a valuable one. The OWASP top ten list for example
is a good effort in this direction. What would make this approach all the
more valuable would be good quality statistics on a wide data pool that
would help us all understand the nature of the threat environment and
therefore help us to defend our applications.
I thought that perhaps OWASP as an organisation could consider becoming an
advocate/lobby group to governments and the EU for mandatory reporting to
national data commissioners. These data commissioners could anonymously
compile the statistics and publish them at national or EU level. If this
data was available on this scale I think it would greatly help improve the
overall level of threat knowledge. Just my two bits though (1,0).
Regards,
 Conor.

2009/2/27 Eoin <eoin.keary at owasp.org>

> hi,
>
> Point taken, one thing to remember is that Offer (CTO at breach) also
> organises the WSAC incident database.
> http://www.webappsec.org/projects/whid/
>
> I believe much of the data in the breach report is from the WSAC (Web
> application security consortium) database and not procured by breach
> themselves.
> Many of the incidents are submitted by individuals.
> Breach have also been big supporters of OWASP but as you say such a report
> does have some commercial aspect.
>
> ek
>
>
>
> 2009/2/26 Conor Mc Goveran <conor.mcgoveran at onformonics.com>
>
>> I suppose not to do things in the singular I will make my second post to
>> the list within an hour or so of my first. Here again as a community (and
>> here I am talking about the global OWASP community) we have an opportunity
>> to be volunteers and use our energies in a positive way. This report is a
>> report on a report from a commercial vendor (Breach) who collates incident
>> information from 'publicly reported' breaches. So we are talking here
>> about 80% of the 1% of reported breaches that Breach classify as based on
>> some form of SQL Injection, XSS or hybrid attack, maybe, perhaps, kind of
>> ....... This is lazy journalism at best.
>>
>> To better inform our training, education, techniques and methods of design
>> we need REAL information based on REAL attacks and REAL incidents. How can
>> we begin to collate this information? I remember that both SANS and Security
>> Focus (in conjunction with DShield) made brave efforts to collate global IDS
>> and firewall logs. Not a great strategy. We received information on patterns
>> and trends which was useful for tuning IDS patterns to drop false positives
>> but not a lot beyond that.
>>
>> What is the solution? I have some ideas, but as a community we need to
>> decide together. So I am throwing this bone out there. What is the right way
>> to capture, identify and report on statistical levels of attacks and
>> breaches so that we, a community of web developers, can produce secure web
>> applications now and in the future? Who should collect this information?
>> Should we lobby our TDs for California-style disclosure laws? Should we
>> collate the information privately as a community? Now that OWASP is
>> asking us, the community, for subscriptions, should we demand quality and
>> timely information ...
>>
>> Conor.
>>
>>
>> 2009/2/26 Eoin <eoin.keary at owasp.org>
>>
>>> Document can be found here:
>>>
>>>
>>> http://www.breach.com/resources/whitepapers/downloads/WP_WebHackingIncidents_2008.pdf
>>>
>>> 2009/2/26 davidrook <david.rook at realexpayments.com>
>>>
>>>
>>>> http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=O050UZ0A2SBO0QSNDLOSKH0CJUNN2JVN?articleID=214600046
>>>>
>>>> --
>>>> David Rook
>>>> Security Analyst
>>>> Realex Payments
>>>> Enabling thousands of businesses to sell online.
>>>>
>>>> Realex Payments Dublin:
>>>> Castlecourt, Monkstown Farm, Monkstown, Co Dublin. Ireland
>>>> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | www.realexpayments.com
>>>>
>>>> Realex Payments London:
>>>> 1 Lyric Square, Hammersmith, London W6 0NB, United Kingdom.
>>>> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  |
>>>> www.realexpayments.co.uk
>>>>
>>>> Realex Payments Paris:
>>>> 27 avenue de l'Opéra, 75001 Paris. France.
>>>> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51
>>>>
>>>> Visit our other Realex Payments websites:
>>>> www.airlinepayments.com
>>>> www.sepa.ie
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-ireland mailing list
>>>> Owasp-ireland at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>>>
>>>
>>>
>>>
>>> --
>>> Eoin Keary CISSP CISA
>>> https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>>>
>>> OWASP Code Review Guide Lead Author
>>> OWASP Ireland Chapter Lead
>>> OWASP Global Committee Member (Industry)
>>>
>>> Quis custodiet ipsos custodes
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>



-- 
Conor Mc Goveran,
Managing Director,
Onformonics Ltd.

Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
Company Reg: 45503
VAT: 9682767B

Ph:        +353-14407576
Mobile:  +353-872038598