[Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

Alexis FitzGerald alexis at rits.ie
Thu Mar 22 16:40:09 UTC 2012


I could not find any mention of XSS (or CSRF). At least they were
mentioned in last year's edition. Does this mean that the OWASP Top 10
puts too much of an emphasis on these issues? While they might be
prevalent in online applications, they are not actually exploited much
in actual data breaches?

Opinions welcome.

Alexis

On 22/03/2012 16:47, David Rook wrote:
> Hi Fabio,
>
> What I found interesting is that of the vectors included in the
> hacking category 90% of the breaches were because of non app sec
> issues! I was a bit surprised by that and it is very different when
> the report focuses on "large" organisations (54%) but it does provide
> a strong argument for app sec v non app sec spend *not *being equal.
>
> Sure app sec spend needs to increase but using the evidence presented
> in this report (and I acknowledge it's not the complete picture of
> course) it's a tough sell to convince people that app sec spend should
> be equal to or more than non app sec spend.
>
> Veracode published a blog which pulled out the app sec "highlights":
>
> http://www.veracode.com/blog/2012/03/verizon-data-breach-investigative-report-2012-application-security-specific-highlights/
>
> Dave
>
> On 22/03/2012 15:02, Fabio Cerullo wrote:
>> Hi there,
>>
>> Interesting read... not surprisingly SQL injection is on top of the
>> list along with credentials misuse and malware.
>>
>> http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
>>
>> Fabio
>> _______________________________________________
>> Owasp-ireland mailing list
>> Owasp-ireland at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>>
>
> -- 
> David Rook
> Application Security Lead
> Product Management
> Realex Payments
> Enabling thousands of businesses to sell online. 
>
> Connect with us:
> http://www.twitter.com/securityninja
> http://www.twitter.com/realexpayments
> http://www.facebook.com/realexpayments
> http://www.linkedin.com/company/realex-payments
> http://www.youtube.com/realexpayments
>
> Realex Payments Dublin: 
> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | http://www.realexpayments.com
>
> Realex Payments London: 
> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  | http://www.realexpayments.co.uk
>
> Realex Payments Paris: 
> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51 | http://www.realexpayments.fr
>
> Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number 324929.
> This mail and any documents attached are classified as confidential and are intended for use by the addressee(s) only unless otherwise indicated. If you are not an intended recipient of this email, you must not use, disclose, copy, distribute or retain this message or any part of it. If you have received this email in error, please notify us immediately and delete all copies of this email from your computer system(s). 
>
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-ireland/attachments/20120322/2398e498/attachment.html>


More information about the Owasp-ireland mailing list