Web Application Security Statistics for 2007.

Data analysis

Data analysis shows that more than 7% of the analyzed sites can be compromised automatically: about 7.72% of applications had a high severity vulnerability detected during automated scanning (P. 1). Detailed manual and automated assessment using white box and black box methods shows that the probability of detecting a high severity vulnerability reaches 96.85%.

Thus the automated scanning figures represent an average Internet site, while the black box and white box results refer to interactive corporate web applications.

[Figure] P. 1 Probability to detect vulnerabilities of different risk degree

The most prevalent vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection and Predictable Resource Location (P. 2, P. 3). As a rule, Cross-Site Scripting and SQL Injection vulnerabilities appear due to system design errors, while Information Leakage and Predictable Resource Location are often connected with improper system administration (for example, weak access control).

[Figure] P. 2 The most prevalent vulnerabilities

[Figure] P. 3 Vulnerability frequency by types

In detailed system analysis with BlackBox and WhiteBox methods, an appreciable percentage of sites are vulnerable to Content Spoofing, Insufficient Authorization and Insufficient Authentication (P. 4, P. 5). With this approach to security assessment, the probability of detecting SQL Injection reaches 25%.

[Figure] P. 4 The most prevalent vulnerabilities (BlackBox & WhiteBox)

[Figure] P. 5 Vulnerability frequency by types (BlackBox & WhiteBox)

In terms of Web Application Security Consortium Threat Classification version 1 classes (T. 1 and P. 6), the most prevalent classes of vulnerabilities are Client-side Attacks, Information Disclosure and Command Execution. The detailed analysis shows the prevalence of the Authentication and Authorization classes (P. 7).

T. 1 The probability distribution of vulnerabilities detection according to WASC TCv1 classes

Class                    % ALL     % Scans   % Black & WhiteBox
Authentication           1.17%     0.02%     20.82%
Authorization            1.28%     0.07%     19.01%
Client-side Attacks      33.13%    31.17%    69.37%
Command Execution        8.15%     7.32%     27.85%
Information Disclosure   31.78%    30.42%    56.54%
Logical Attacks          0.90%     0.20%     13.92%

[Figure] P. 6 The probability distribution of vulnerabilities detection according to WASC TCv1 classes

[Figure] P. 7 The probability distribution of vulnerabilities detection according to WASC TCv1 classes (BlackBox & WhiteBox)

Comparison of security assessment methods

When automated scanning is compared with detailed Blackbox and Whitebox analysis, it is clear that detailed analysis is much more effective at detecting Authorization and Authentication class vulnerabilities and logic flaws (T. 2, P. 8).

T. 2 Automated scanning vs Blackbox and Whitebox analysis (% Sites)

Threat Classification           Scans vs Black & WhiteBox
Content Spoofing                18.30%
Insufficient Authorization      14.15%
Insufficient Authentication     12.95%
SQL Injection                   8.68%

[Figure] P. 8 The difference in probability of vulnerabilities detection using different methods

As mentioned above (P. 1), the probability of detecting a high risk vulnerability using detailed analysis is 12.5 times higher than using automated scanning. In terms of the number of vulnerabilities detected per site (T. 3 and P. 9), detailed analysis finds on average 9 high risk vulnerabilities per site, while automated scanning finds only 2.3 vulnerabilities of this rank.

T. 3 Number of vulnerabilities per site

Risk    All     Scans   Black&WhiteBox
Low     3.15    2.96    1.11
Med     2.35    2.04    2.65
High    4.22    2.33    8.91
All     2.12    1.61    13.11

[Figure] P. 9 Number of vulnerabilities per site

Source: webappsec.org
