[Owasp-ireland] The Verizon 2012 Data Breach Investigations Report is out!

Eoin eoin.keary at owasp.org
Fri Mar 23 13:49:05 UTC 2012


Yes indeed. The browser is also getting pretty important in terms of protecting clients, with x-frame and CSP.


Eoin Keary
BCC Risk Advisory
Owasp Global Board
+353 87 977 2988
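The two client-side protections Eoin names above, X-Frame-Options and Content-Security-Policy, are only useful if they are actually present and not self-defeating. The following is an added example (not part of the original mailing-list post) that parses a response's headers and reports the gaps a reviewer would flag: no framing protection, no CSP at all, or a script source list that permits 'unsafe-inline', 'unsafe-eval' or a wildcard. The header values and response dictionaries in it are constructed for illustration.

```python
"""Audit HTTP response headers for the browser-enforced protections named in
the thread: X-Frame-Options (clickjacking) and Content-Security-Policy (XSS).

Added example; the sample header sets below are constructed, not taken from
any real site.
"""
from typing import Dict, List, Optional


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; each is a name followed by whitespace-separated
    sources. Directive names are case-insensitive, so they are lower-cased.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hardened_headers() -> Dict[str, str]:
    """A constructed baseline header set that passes the audit below."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; frame-ancestors 'none'"
        ),
    }


# Source expressions that largely cancel the XSS benefit of a script-src list.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no gaps were detected."""
    findings: List[str] = []
    # HTTP header names are case-insensitive; normalise before lookup.
    lower = {name.lower(): val for name, val in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    xfo = lower.get("x-frame-options", "").strip().upper()

    # Clickjacking: either XFO DENY/SAMEORIGIN or a CSP frame-ancestors directive
    # must be present; frame-ancestors is the modern, more expressive control.
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(
            "no framing protection: missing X-Frame-Options and CSP frame-ancestors"
        )
    if xfo.startswith("ALLOW-FROM"):
        findings.append(
            "X-Frame-Options ALLOW-FROM is ignored by current browsers; "
            "use CSP frame-ancestors instead"
        )

    # XSS mitigation: script sources fall back to default-src when script-src is absent.
    if not csp:
        findings.append("no Content-Security-Policy header")
        return findings
    script_src: Optional[List[str]] = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("CSP has neither script-src nor default-src; scripts are unrestricted")
    else:
        for weak in WEAK_SCRIPT_SOURCES:
            if weak in script_src:
                findings.append(f"script sources allow {weak}, which undermines XSS mitigation")
    # Plugins (object-src) also fall back to default-src; with neither set they are unrestricted.
    if "object-src" not in csp and "default-src" not in csp:
        findings.append("CSP sets neither object-src nor default-src; plugin content is unrestricted")
    return findings


if __name__ == "__main__":
    # Constructed weak header set for comparison with the hardened baseline.
    weak = {"Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'"}
    for label, hdrs in (("hardened", hardened_headers()), ("weak", weak), ("none", {})):
        print(label, audit_headers(hdrs) or "OK")
```

Run it against a captured response's headers (for example the dict returned by a requests `Response.headers`) rather than the constructed samples to audit a real deployment; the checks are deliberately conservative and report only the gaps that the two headers are meant to close.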


On 23 Mar 2012, at 13:41, David Rook <david.rook at realexpayments.com> wrote:

> Hit send too quickly!
> 
> Especially when you also consider a point Fabio included in his email from the IBM report:
> 
> "Fifty percent reduction in cross site scripting (XSS) vulnerabilities due to improvements in software quality"
> 
> On 23/03/2012 13:34, Eoin wrote:
>> 
>> Alexis, assuming this is the case, if, say, we need to re-contextualise the Top 10 as most common,
>> shall we propose this to the project leads?
>> 
>> 
>> Eoin Keary
>> BCC Risk Advisory
>> Owasp Global Board
>> +353 87 977 2988
>> 
>> 
>> On 23 Mar 2012, at 12:51, Alexis FitzGerald <alexis at rits.ie> wrote:
>> 
>>> According to:
>>> https://www.owasp.org/index.php/Top_10_2010:
>>> The OWASP Top 10 "presents a more concise risk focused list of the Top 10 Most Critical Web Application Security Risks."
>>> It's about risk - not just "discovered vulnerabilities"
>>> 
>>> A simple definition of risk is:
>>>     risk= likelihood * impact
>>> 
>>> If you accept the DBIR evidence, then the likelihood of XSS must be low (since it is not even mentioned), therefore the risk from XSS is correspondingly low (even though it is commonly found)
>>> 
>>> The question then arises: does the OWASP list of "Top 10 Most Critical Web Application Security Risks" rate XSS too high?
>>> 
>>> Alexis
>>> 
>>> On 23/03/2012 13:20, David Rook wrote:
>>>> 
>>>> Already submitted something Eoin!
>>>> 
>>>> On the developers point I was recently speaking with Lorna Alamri about app sec conferences in general and I suggested something similar. Specifically my one liner on that was:
>>>> 
>>>> "Get developers to come and speak, get them to tell the security people in the audience why they find it hard to write secure code"
>>>> 
>>>> Someone like Niall Jordan (I'm sure he is reading these emails!) would be ideal for that in my opinion with the background he has - both sides of the table in recent times. I can send a message to our developers here to see if anyone fancies doing something like that as well.
>>>> 
>>>> On 23/03/2012 12:14, Eoin wrote:
>>>>> 
>>>>> Correct,
>>>>> The latest WhiteHat report has XSS as second, Information leakage as #1
>>>>>  
>>>>> Hope you are going to submit (CFP) something for OWASP Ireland 2012 (September)?
>>>>> Other people on the list please get involved also......
>>>>>  
>>>>> I'd love for some developers to talk at the event discussing problems they have with security and how can it be easier to do!!??
>>>>>  
>>>>> We have Keynotes:
>>>>> Jeremiah Grossman, Michael Coates + 1 more
>>>>> And a good panel to be chaired by Bryce Bolland (UBS Security CTO)
>>>>> 
>>>>> On 23 March 2012 12:07, David Rook <david.rook at realexpayments.com> wrote:
>>>>> Hi Eoin,
>>>>> 
>>>>> I think your final point hits the nail on the head, after all it's not a report detailing the most commonly found vulns but the vectors used to steal data and whilst XSS could have been involved it wasn't the way the data was stolen if that makes sense.
>>>>> 
>>>>> I'm sure if you looked at the latest White Hat Security report for example it would show XSS as being a common vuln and I don't think any would argue against that :)
>>>>> 
>>>>> Dave
>>>>> 
>>>>> 
>>>>> On 23/03/2012 12:01, Eoin wrote:
>>>>>> 
>>>>>> Hi David,
>>>>>>  
>>>>>> I'll admit i did not read the report:)
>>>>>>  
>>>>>> So the Verizon report pretty much says XSS is not used very much to cause havoc!!
>>>>>> It would be good to read other reports to see if they say similar??
>>>>>>  
>>>>>> So are we as security peeps barking up the wrong tree.... I think the OWASP Top 10 is based on discovered issues as opposed to breaches if that makes sense - The most common vulns found.
>>>>>>  
>>>>>> -ek
>>>>>>  
>>>>>> 
>>>>>> 
>>>>>>  
>>>>>> On 23 March 2012 08:58, David Rook <david.rook at realexpayments.com> wrote:
>>>>>> Hi Eoin,
>>>>>> 
>>>>>> Yep, it can do, but how malware was installed was included in the report as well and XSS is going to account for very few of those infections I think. According to the report 95% of all malware used in those data breaches was installed after the attacker got access to the system; at best I think only around 3% of the malware used in data breaches came from web app vulns being exploited (2% "injected by attacker" and 1% "drive by web attacks").
>>>>>> 
>>>>>> It could be that the malware installed via an XSS exploit is part of the 95% but if it was a significant chunk of that I'd have expected it to be called out in the report.
>>>>>> 
>>>>>> I could be reading that part of the report wrong though :)
>>>>>> 
>>>>>> Dave
>>>>>> 
>>>>>> 
>>>>>> On 22/03/2012 17:13, Eoin wrote:
>>>>>>> 
>>>>>>> But xss leads to malware upload? It's a payload delivery system.
>>>>>>> Agree??
>>>>>>> 
>>>>>>> Eoin Keary
>>>>>>> BCC Risk Advisory
>>>>>>> Owasp Global Board
>>>>>>> +353 87 977 2988
>>>>>>> 
>>>>>>> 
>>>>>>> On 22 Mar 2012, at 16:48, David Rook <david.rook at realexpayments.com> wrote:
>>>>>>> 
>>>>>>>> Hi Alexis,
>>>>>>>> 
>>>>>>>> I'd say your final question is correct. I'm not doubting they are big issues (in that they can be exploited and are in many web apps) but they aren't in the same league as the vectors mentioned in the report. I can't remember a big CSRF news story for example, let alone one that led to a lot of data being stolen.
>>>>>>>> 
>>>>>>>> Dave
>>>>>>>> 
>>>>>>>> On 22/03/2012 16:40, Alexis FitzGerald wrote:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I could not find any mention of XSS (or CSRF). At least they were mentioned in last year's edition. Does this mean that the OWASP Top 10 puts too much of an emphasis on these issues? While they might be prevalent in online applications, they are not actually exploited much in actual data breaches?
>>>>>>>>> 
>>>>>>>>> Opinions welcome.
>>>>>>>>> 
>>>>>>>>> Alexis
>>>>>>>>> 
>>>>>>>>> On 22/03/2012 16:47, David Rook wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi Fabio,
>>>>>>>>>> 
>>>>>>>>>> What I found interesting is that of the vectors included in the hacking category 90% of the breaches were because of non app sec issues! I was a bit surprised by that and it is very different when the report focuses on "large" organisations (54%) but it does provide a strong argument for app sec v non app sec spend not being equal.
>>>>>>>>>> 
>>>>>>>>>> Sure app sec spend needs to increase but using the evidence presented in this report (and I acknowledge it's not the complete picture of course) it's a tough sell to convince people that app sec spend should be equal to or more than non app sec spend.
>>>>>>>>>> 
>>>>>>>>>> Veracode published a blog