[Owasp-leaders] [Owasp-community] Announcing the OWASP Web Hacking Incidents Database (WHID) Project - Seeking Participants

Pawel Krawczyk pawel.krawczyk at hush.com
Mon Apr 13 18:53:26 UTC 2015


Hi Matt,

Your research topic seems very similar to what I was trying to achieve a few years ago while working at Aon, except I was using it for risk management on a portfolio of around 1000 web applications of all possible business origins, ages and programming environments. WHID was very useful for the first part (actually, it was one of the best sources I had), which resulted in the following article with some quantitative estimates - I was also using the raw database which I received from Zone-H in the analysis:

https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html

The model I was trying to build was actually something like: given a web application exposed to the Internet, with N users (plus a number of other features), how likely is it that it will be compromised? While quite useless from an individual application owner’s point of view (because your risk tolerance in such a case tends to be close to zero), such a model would be extremely useful from a CIO’s point of view, where you need to share resources (yes, including security resources, unfortunately) between hundreds or thousands of websites.

I eventually never published this particular model, even though I have been using it for actual risk assessment. It was mostly because I hoped to get something like an actuarial model based on hard data, and instead got something closer to CVSS, where the formula’s coefficients are based on quite subjective experts’ opinion. Nonetheless, the model was quite useful in real life; I just never had enough time and motivation to really write it down and publish.

My observation (expressed before by many) is that quantitative research on application security is quite challenging because there’s very little good quality representative data published, and each data set out there is significantly biased. My afterthought is that I might be a bit too ambitious, though, as models like CVSS may be equally useful for purely practical purposes :)

> On 13 Apr 2015, at 18:13, Matthew Parsons <mparsons at parsonsisconsulting.com> wrote:
> 
> Ryan,
> I was thinking about using this type of information to do a quantitative risk assessment to predict future software security vulnerabilities. I work for Intel as an application security engineer doing web penetration testing and source code review. I am also a second year doctoral student with an anticipated graduation date of March 2017. My research topic is a qualitative review interviewing 20 software security professionals on secure design patterns. Dr. Gary McGraw suggested this topic. Has the quantitative research been done? And if not, do you think there would be interest in working on this?
> 
> All the best,
> Matt
> 
> 
> On Tue, Apr 7, 2015 at 10:40 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> Greetings OWASP Community! I wanted to let everyone know that we have officially launched the project - https://www.owasp.org/index.php/OWASP_WASC_Web_Hacking_Incidents_Database_Project
> 
> Project Description:
> WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. This data is in contrast to many public statistics reports on vulnerability prevalence in that it shows what types of vulnerabilities attackers are actively exploiting.
> 
> A useful way to use WHID is to help provide data for “Likelihood of Attack” RISK ratings. There is a lot of public “vulnerability” data publicly available, but which ones are actively being used by attackers? Here is a quick mapping of OWASP Top 10 items to WHID entries - https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
> 
> We are actively seeking participants who can help add entries for WHID - https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0AvaknFl7LiV2dHRLNEVoNks4YlJuZ1JIWHhyaG5OM2c&usp=drive_web#gid=1. If you would like to participate, please sign up for the mail-list here: https://lists.owasp.org/mailman/listinfo/owasp_wasc_web_hacking_incidents_database_project <https://lists.owasp.org/mailman/listinfo/owasp_wasc_distributed_web_honeypots_project>. You can also follow the project on Twitter - https://twitter.com/owaspwhid
> 
> Cheers.
> 
> --
> Ryan Barnett
> OWASP Web Hacking Incidents Database Project Leader
> 
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
> 
> 
> 
> 
> -- 
> Matt Parsons, CISSP, MSM
> mparsons at parsonsisconsulting.com
> http://www.parsonsisconsultingblog.com
> http://www.twitter.com/parsonsmatt
> 
> 
> 


-- 
Pawel Krawczyk
pawel.krawczyk at hush.com +44 7879 180015
CISSP, OWASP


