Monday, September 8, 2008

Web Application Security Consortium

The Web Application Security Consortium has announced its WASC Web Application Security Statistics Project 2007.

The goal of the project was to pool data around web application vulnerabilities to get a better idea of the threat landscape.
Their results seem to differ from the trends I've been seeing around the breadth and depth of website compromises, particularly around SQL injection attacks.

The project statistics claim that only 7% of the analyzed sites can be compromised automatically. That seems a bit low, given how these attacks are now part of automated attack frameworks like Metasploit.
The project does state that a detailed manual and automated analysis using white- and black-box methods finds high-severity vulnerabilities in 96.85% of sites.

That shouldn't provide much comfort, though. All it means is that almost all web apps are easily compromised, which could lead to your box or network being compromised as well.
