Blog Elements

Half Sized Blog Element (Single Author Style)

Half Sized Blog Element (Multi Author Style)

Don’t Take Vulnerability Counts At Face Value

2013-06-13/0 Comments/in Vulnerability/by fdesir

A posting from Dark Reading in there Vulnerability Management Section: In 2012, there were 5,291 vulnerabilities documented by security researchers and software firms. Wait, no, make that 8,137. No, 9,184. Well, it could even be 8,168 or 5,281. In reality, the exact number of vulnerabilities reported in different databases each year varies widely–by as much […]

New OWASP Top 10 Reflects Unchanged State Of Web Security

2013-06-13/0 Comments/in Web Security/by fdesir

A posting from Dark in there Application Security section: The oft-cited and oft-debated OWASP Top 10 list of the most critical vulnerabilities in Web applications got an update this week with the most prevalent flaw—injection–remaining at the number one slot. Injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, […]

Don’t Take Vulnerability Counts At Face Value

2013-06-13/0 Comments/in Vulnerability/by fdesir

New OWASP Top 10 Reflects Unchanged State Of Web Security

2013-06-13/0 Comments/in Web Security/by fdesir

Full Sized Blog Element (Big Preview Pic)

Don’t Take Vulnerability Counts At Face Value

2013-06-13/0 Comments/in Vulnerability/by fdesir

In reality, the exact number of vulnerabilities reported in different databases each year varies widely–by as much as 75 percent in 2012. The fundamental problems in counting vulnerabilities, along with the issues assigning a meaningful severity to each vulnerability, means that analyses based on the data should be treated with skepticism, argue two security professionals that plan to outline problems with vulnerability data at Black Hat in Las Vegas later this summer.

Researchers Brian Martin, content manager of the Open Source Vulnerability Database (OSVDB), and Steve Christey, principal information security engineer in the security and information operations division at The MITRE Corporation, say that the goal of their talk is to not only point out unreliable data but also to help people pinpoint what reports are based on such shaky foundations.

To read more click here:

New OWASP Top 10 Reflects Unchanged State Of Web Security

2013-06-13/0 Comments/in Web Security/by fdesir

A posting from Dark in there Application Security section:

The oft-cited and oft-debated OWASP Top 10 list of the most critical vulnerabilities in Web applications got an update this week with the most prevalent flaw—injection–remaining at the number one slot.

Injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function-level access control, cross-site request forgery (CSRF), using known vulnerable components, and unvalidated redirects and forwards round out the Top 10 list, respectively. XSS actually dropped down a slot from the number two position in 2012, and broken authentication/session management moved up.

According OWASP, the jump in broken authentication and session management is most likely due to these bugs being scrutinized more closely. “We believe this is probably because this area is being looked at harder, not because these issues are actually more prevalent,” OWASP wrote in its report on the new list of Web app flaws.

CSRF dropped from number five to eight, mainly due to developers doing a better job in eliminating those flaws, according to OWASP.

To read more click here: