Based on http://lists.owasp.org/pipermail/owasp-topten/2013-May/001041.html
I am unaware if either HP or Trustwave produced statistics relevant to
A9 or other "supply chain" issues since I have not reviewed their
samples (as I had to register).  I would welcome both of them to
provide the relevant extract for consideration?

Neither http://blog.mindedsecurity.com/2013/02/real-life-vulnerabilities-statistics.html
nor https://www.softtek.com/webdocs/special_pdfs/WP-State-of-the-art-2013.pdf
makes any reference to "supply chain" issues. Again, I would welcome
both parties to correct this if my analysis is incorrect?

Therefore (provided the above assumptions are correct), the only
source of statistics related to the "supply chain" is Veracode's "State
of Software Security - Volume 4".  Please note the intent of these
statistics is not strictly scientific, rather Veracode's target
audience and associated marketing are those seeking "Independent
security verification of third-party software ..." (as quoted on p7).

The relevant extracts which do not support A9 are:

p9 - "As the reliance on third-party software and components has
grown, so has the awareness that security weaknesses embedded in those
applications become a liability for the enterprise that is accepting
that software. This recognition transcends the security community as
you see calls for this level of due diligence from leaders in the
sourcing and vendor management area as well. In this report we
examined which industry segments are heeding this call to action and
engaging in this process with their third-party software suppliers. We
found enterprises representing at least eight different industry
segments—Software, Finance, Aerospace & Defense, Government,
Entertainment, Telecommunications, Insurance, and Oil & Gas. While
Software and Finance account for the majority of the dataset,
companies across the spectrum are starting to hold their software
suppliers accountable."

p23 - "Requestor Type by Industry" Pie Chart i.e. Software/IT
Services (54%) and then Finance (39%), the remaining seven percent is
spread across Aerospace & Defense, Government, Entertainment,
Telecommunications, Insurance, Oil & Gas and other

It is also worth noting that the "State of Software Security -
Volume 4" was published in December 2011, therefore the same target
audience of the OWASP Top Ten has known about A9 already for over a
year and a half.  Furthermore, if A9 was an emerging risk then it should
have been incorporated in the April 2010 Release of the OWASP Top Ten
three years ago then (i.e. 1.5 years before the publication of
Veracode "State of Software Security - Volume 4").

Christian Heinrich


