SecurityFeed.info » Jeremiah Grossman

Feeds

23887 items (23887 unread) in 97 feeds

• Aviv Raff On .NET (18 unread)
• Bugtraq (bugtraq) Mailing List (605 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (74 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (125 unread)
• Jeremiah Grossman (74 unread)
• Heorot.net (11 unread)
• milw0rm.com (440 unread)
• Nmap Hackers (nmap-hackers) Mailing List (7 unread)
• Packet Storm Security Advisories (373 unread)
• Packet Storm Security Exploits (461 unread)
• Packet Storm Security Headlines (376 unread)
• Packet Storm Security Last 100 (1841 unread)
• Packet Storm Security Last 20 (833 unread)
• Packet Storm Security Last 50 (1441 unread)
• Packet Storm Security Last Files (544 unread)
• Packet Storm Security Miscellaneous Files (109 unread)
• Packet Storm Security Tools (113 unread)
• Rootsecure.net (694 unread)
• SecuriTeam.com (184 unread)
• Security Vulnerability Research & Defense (36 unread)
• SecurityFocus News (139 unread)
• SecurityFocus Vulnerabilities (806 unread)
• Securityvulns news channel (336 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (34 unread)
• The Register - Security (389 unread)
• The Register - Software (457 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (88 unread)
• IceСμbeς (15 unread)
• Linmagazine (186 unread)
• ‫netcraft Bytes :) (38 unread)
• Digg (4061 unread)
• Blonde 2.0 (51 unread)
• The Microsoft Security Response Center (MSRC) (40 unread)
• (IN)SECURE Magazine Notifications RSS (17 unread)
• 0x000000 Security (79 unread)
• ----- Anti-Malware ----- Analysis and Defense (15 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (203 unread)
• C.I.S.R.T. (10 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (47 unread)
• eEye Digital Security - Research Blog (10 unread)
• Ryan Naraine's Security Watch (96 unread)
• Security - RSS Feeds (179 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (75 unread)
• Full Disclosure (290 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (65 unread)
• ha.ckers.org web application security lab (35 unread)
• heise security (342 unread)
• invisiblethings' blog (35 unread)
• Jeff Jones's blog (12 unread)
• JScript Blog (16 unread)
• Matasano Chargen (38 unread)
• McAfee Avert Labs (66 unread)
• Michael Howard's Web Log (26 unread)
• PandaLabs (35 unread)
• Zero Day (273 unread)
• SANS Internet Storm Center, InfoCON: green (232 unread)
• Latest Secunia Security Watchdog Blog Entries (24 unread)
• SecuriTeam Blogs (65 unread)
• Security Fix (115 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (217 unread)
• Sunnet Beskerming Security Advisories (29 unread)
• Technobabylon
• The Recurity Lablog (31 unread)
• Wired: Threat Level (454 unread)
• TrendLabs | Malware Blog - by Trend Micro (159 unread)
• Uninformed Journal (44 unread)
• WabiSabiLabi's blog (22 unread)
• WatchGuard Wire (48 unread)
• Latest Blog Entires From WebSense Security Labs (42 unread)
• Hackszine.com (151 unread)
• DVLabs: Blogs (63 unread)
• Errata Security (81 unread)
• Robert Hensing's Blog (71 unread)
• PaulDotCom Community Blog (10 unread)
• David LeBlanc's Web Log (20 unread)
• Billy (BK) Rios (19 unread)
• David Litchfield's blog (21 unread)
• Farfromr00tin (23 unread)
• aut disce, aut discede (17 unread)
• pwn* (16 unread)
• hackademix.net (42 unread)
• SecurityDot Vulnerabilities (422 unread)
• Vulnerabilities & Exploits (29 unread)
• Malicious Code (26 unread)
• Security Risks (21 unread)
• Digg / Security / upcoming (4195 unread)

Jeremiah Grossman (10 unread)

• August 27, 2008
• 19:33

  Download the 5th Website Security Statistics Report

   » ‎ Jeremiah Grossman
  Whew, what a mountain of work! I’m ecstatic the complete 5th installment of our Website Security Statistics Report report (all 13-pages) is finally published and available for everyone to see – and comment. I’m also extremely proud that we’re able to capture a measurable improvement in overall website security. Good news from inside InfoSec!? I know, weird huh!? We still have a long way to go, but these statistics show we’re on the right path and doing the right things:

  • Find and prioritize all websites
  • Find and fix website vulnerabilities
  • Implement a secure software development process
  • Utilize a defense-in-depth website security strategy
    

  Today’s webinar went extremely well, slides are available for those interested. And some quick numbers:
  

  Total Websites: 687
  Identified vulnerabilities: 11,234
  Unresolved vulnerabilities: 3,541 (66% resolved)
  Websites HAVING HAD at least one serious issue: 82%
  Websites CURRENTLY WITH at least one serious issue: 61%
  Average vulnerabilities per website: 5

  The shiny new WhiteHat Top Ten

  Yes! CSRF finally make the list!

  Also covered is:
  - Collection methodology
  - Time-to-fix and remediation metrics
  - Industry vertical comparisons
  - Best practices & lessons learned
  

  Feedback on what other numbers people would like us to report on in the future is very welcome.
  
  
  

  
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• August 25, 2008
• 17:09

  5th Website Security Statistics Report

   » ‎ Jeremiah Grossman

  For the last month I’ve been compiling our third quarter 2008 Website Security Statistics Report, which contains a comprehensive vulnerability analysis of over 600 real live websites. We’re talking 11,000 verified vulnerabilities collected from typically weekly assessments. This type of data is not available from reports by Symantec, Mitre (CVE), IBM X-Force, SANS, or anywhere else and we're excited to be able to share it.

  We put a ton of work into this report and there is a massive amount of data. Highlights include a revised Top Ten list of vulnerabilities, updated Time-to-Fix metrics, vulnerability remediation percentages showing progress, vertical market comparison, and so on. The information is really valuable because it provides visibility into the future trends, trouble spots, and what action items should be considered.

  On Wednesday, August 27th, 11:00 AM PDT I’ll be hosting an hour-long webinar to go over the results. Attendees will be given the opportunity to be the first to see the results and ask questions. Registration is free, but space is limited. If you are interested in attending, now is the time to register.
  

  
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• 16:44

  Back at my Desk

   » ‎ Jeremiah Grossman

  I’m finally home from a 3-city in 3 days tour covering Atlanta, New York, and Chicago. Beyond the excellent turn out for the WH/F5 lunch and learn presentations, I’m always fond of the extracurricular activity. Since I’m still injured, visiting new BJJ academies was out of the question, so instead I substituted the time with food. Fortunately I was able to do so with meals that fit within my high protein low-carb diet (208 lbs is the goal). 30lbs to go!

  In Atlanta there was Fogo de Chão, a stellar upscale all-you-can-eat Brazilian BBQ restaurant, that served 15 types of fire-roasted meats brought to your table sizzling on skewers. Now that’s hard to beat. In New York we stopped by my all-time favorite steak place, Smith & Wollensky, for a Colorado bone-in ribeye. The waiter said it was the most flavorful meat in the world, I’m thinking he was right.

  Chicago, I left the venue selection to the OWASP Chicago Chapter locals. But before that Cory Scott and Jason Witty invited me deliver an encore performance of “Get Rich or Die Trying” at the recommendation of Ed Bellis (Thank you). The cool thing about that particular talk is afterwards people always clue me into other business logic flaws they’ve encountered. It’s really good content to add, especially if it involves money. For me I was excited to see the presentations by Mike Zussman and Nate McFeters since I didn’t get to see either talk at Black Hat. 
  

  Afterwards we went out for drinks with several people including Nate McFeters, Thomas Ptacek, Shrikant Raman, and a dozen others. The appetizers were decent, but I think the chose the place more for the beer than anything else. Chicago probably has one of the more friendly and vibrant chapters around. Anyway, it’s good to be back home. I got to do some modest BJJ training over the weekend, play in the GGAFL finals (we got spanked badly), and hit some rides with the kids at Great America. Now off to do the expense reports. Yay! ;)
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• August 21, 2008
• 1:06

  Can you identify the white ninja?

   » ‎ Jeremiah Grossman
  During BlackHat USA, there were sightings of a mysterious white ninja. Witness reports claim he spoke with an english accent at 300 words per minute, raved on about sandboxing code, and plotted to take over the Web with a worm to wake people up (but just for a day). Anyone know who this phantom figure is?
  

  Bonus points for posting the best photo caption. I’m thinking “practice safe output encoding”.
  

  
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• August 12, 2008
• 21:43

  Application Security Vendors Counting their Millions

   » ‎ Jeremiah Grossman
  Software security sage Gary McGraw (CTO, Cigital) published his market research on what he believes are the 2007 revenue numbers for application security vendors. Speaking for myself, I can neither confirm nor deny the accuracy of this data, certainly when it comes to WhiteHat.
  
  Fortify: $29.2 million
  Coverity: $27.2 million
  Klockwork: $26 million
  Watchfire (IBM): $24.1 million
  SPI Dynamics (HP): $22.3 million
  Cenzic + Codenomicon + WhiteHat: $12.5 million
  Ounce Labs: $9.5 million
  
  $150.8 million total for the tools / SaaS market
  
  “The source code analysis space is now larger than the black box testing tools space….”
  
  Sort of, but more on that in a moment.
  
  “Tools don't run themselves”
  
  Ain’t that the truth.
  
  “The hard-to-track software security services space checks in around $100-140 million in 2007, with growth just shy of 20% over 2006. Services can be divided into three tracks: training (around $7 million), risk assessment ($45-60 million) and penetration testing ($50-75 million).”
  
  I’m not sure about the risk assessment number, but I’m thinking the estimates for training and penetration testing is probably orders of magnitude lower than they should be. The rates for larger players including IBM Global Services, Verizon, Symantec, Ernst & Young, PwC, and KPMG aren’t cheap. And to some extent neither are the smaller players such as Matasano, SecTheory, iSec, Leviathan, Denim Group, Foundstone, Gotham, NGSS, FishNet, Aspect, SANS, IOActive, Immunity, NTO, NGS, BlueInfy, Net-Square and dozens of other regional players. No wonder the overall market totals are tough to track, but each takes their piece of the pie.
  
  I believe when it comes to the black-box testing of web applications, services are likely 5x larger than the tools industry – especially if you consider that few organizations these days haven’t had a professional vulnerability assessment (and its tough to capture international sales as well). The opposite is true for white-box testing where tool purchases a way more common due to the costs of a line-by-line source code review by a consultant. Then we have WAF sales driven by VA sales, which makes sense because an organization typically must identify a need before they can justify the fix. The same was true of network firewalls, patch management, and A/V markets.
  
  All in the all trajectory for the entire web application security segment is going up, and fast. PCI-DSS 6.6 is certainly one stimulant, but so is all the web hacking going on these days. Great numbers Gary, thanks for sharing!
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• August 11, 2008
• 13:24

  BlackHat encore - Chicago OWASP next week

   » ‎ Jeremiah Grossman
  Chapter leaders Cory Scott or Jason Witty were gracious enough to invite me to present at this months OWASP Chicago meeting. It's always fun to visit a new chapter. I've been to about a dozen so far, and meeting like minded webappsec people from various parts of the country/world. This is also a good opportunity for those who missed Black Hat to see one of the presentations live rather than relying solely on the information in the slides.
  
  August 21 - OWASP Chicago Chapter (6:00pm – 8:30pm)
  6:00 Refreshments and Networking
  6:15 Bad Cocktail: Spear Phishing + Application Hacks - Rohyt Belani, Managing Partner, Intrepidus Group
  7:15 Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Jeremiah Grossman, Founder & CTO of Whitehat Security
  
  Bank of America Plaza
  540 W. Madison, Downtown Chicago, 23rd floor.
  
  *Please RSVP to jason{AT}wittys.com by 8/19/2008 if you plan to attend. Your name will need to be entered into the building's security system in order to gain access to the meeting.*
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• 13:06

  Road Show - 3 Cities in 3 Days

   » ‎ Jeremiah Grossman
  For those interested in learning more about the WhiteHat Sentinel / F5 ASM integration we have a road show scheduled (If not, go ahead and stop reading now). We’re visiting Atlanta, New York, and Chicago next week. In each city presenting will be our CEO Stephanie Fohn sharing insights on the latest website vulnerability statistics, a guest customer from a financial institution sharing their experiences on “The Challenge of Managing Application Security in Today's Environment”, and myself paired with an F5 engineer performing live VA+WAF demos. A really nice lunch will be served on us and registration is free, space is limited though. Hope to see many of you there!
  
  August 19 (Atlanta @ 11:30am – 1:30pm)
  The Four Seasons Hotel
  75 Fourteenth Street Atlanta, GA 30309
  Guest Speaker: Allen Stone, Senior Security Specialist, E*TRADE Financial
  
  
  August 20 (New York @ 11:30am – 1:30pm)
  The Tribeca Grand Hotel
  2 Avenue of the Americas
  New York, NY 10013
  Guest Speaker: Jim Routh, Chief Information Security Officer, DTCC
  
  
  August 21 (Chicago @ 11:30am – 1:30pm)
  The Peninsula Chicago Hotel
  108 East Superior Street
  Chicago, IL 60611
  (312) 337-2888
  Guest Speaker: Anna Sherony, Privacy and Information Protection Officer, Sammons Financial
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• 12:04

  Get Rich or Die Trying (BlackHat USA 2008)

   » ‎ Jeremiah Grossman
  Update 08.11.2008: Added a video interview of Trey and myself to the bottom of the post.
  
  Our speaking slot was informally dubbed the “power hour” due to the number of stellar presentations all booked at the same time - many of which I would have loved to attend personally. Nate McFeters & Co. unveiled the details on their GIFAR research, Microsoft announced they’ll be revealing vulnerability details to certain vendors prior to public disclosure, Joanna Rutkowska on Xen Hypervisor, etc. And making matters just a little bit more interesting, we were generously given a larger ballroom. This was scary because with a speaking time near the end of the last day combined with top-notch competition, a sparsely attended room would have been entirely likely. So when the room filled to capacity, I’m guessing of around 1,000 people (standing room only) Trey Ford and I were extremely ecstatic! Which reminds me, Trey Ford (Director of Solutions Architecture) pinched hit for Arian Evans (Director of Operations) so he could focus more time on his presentation, “Encoded, Layered and Transcoded Syntax Attacks.”
  
  The premise for the “Get Rich or Die Trying” presentation was looking forward at the next 3-5 years considering that we’re probably going to see less fertile ground for XSS/SQLi/CSRF to be taken advantage of – that is if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend, and more importantly issues potentially generating 4, 5, 6 or even figures a month in illicit revenue. In many ways though this is sort of like predicting the present since just about every example we gave was grounded with a real-world public reference and backed by statistics. We also wanted this presentation was very different than what most are used to at BlackHat that tend to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.
  
  We designed a presentation meant to be a lot of fun, that taught things anyone could do, and perhaps by the end might have people questioning their ethics. Judging from much of the feedback I think we might have succeeded on the last point. :) RSnake was also a good sport when we ribbed him a little bit. For those interested in the slides, I quickly uploaded them to slideshare. The quality is decent (hard to see the references) and you can download the PDF. I’m working on slenderizing it now, so when I have it I’ll upload that as well, including the video when we get it.
  
  Get Rich or Die Trying - Black Hat 08072008View SlideShare presentation (tags: flaws logic business form)
  
  
  Lastly thank you very much to everyone who came and supported us, it meant a lot.
  
  
  
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• July 31, 2008
• 13:55

  My Picks for BlackHat USA 2008

   » ‎ Jeremiah Grossman
  Loads of awesome looking presentations this year! So hard to choose from. I really hope I’ll have time to see most of them and not stuck 24x7 in little rooms answering questions with people holding microphones. :) I hear the conference attendance is PACKED and suggest if you want to get in to see a popular speaker/talk, get there early. Oh, the same goes for the OWASP/WASC Party, get the Breach booth early.
  
  
  Day 1: 10:00 to 11:00
  
  Bad Sushi: Beating Phishers at Their Own Game
  Nitesh Dhanjani, Senior Manager
  Billy Rios, Microsoft
  
  I saw this talk at Blue Hat is Seattle a couple months back. Not only is the data they present extremely compelling, but their humor and speaking style really put it over the top. With so many dry talks in our industry, when speakers are actively engaging it really makes a difference.
  
  
  Day 1: 11:15 to 12:30
  
  DNS Goodness
  Dan Kaminsky
  
  The vulnerability itself and disclosure drama aside, I have it on good authority that Dan will provide some important lessons learned as a result of the fiasco with regards to software serviceability. I’m really interested in hearing what he has to say about how we can improve our situation so we can adapt better to a similar scenario down the road.
  
  
  Day 1: 13:45 to 15:00
  
  Iron Chef: Fuzzing Challenge
  
  This event was a lot of fun last year when I participated as a “celebrity judge”. Just don’t be under the impression that this is a scientific experiment or any kind. Instead simple enjoy the “show” where you can participate if you'd like. You get some code, find vulnerabilities however you want, and share your results. Simple! We should give them RSnake’s blog software. :)
  
  
  Day 1: 15:15 to 16:30
  
  Xploiting Google Gadgets: Gmalware and Beyond
  Tom Stracener
  Robert Hansen
  
  My man RSnake accompanied by Tom Stracener delivering Google zero-days and JavaScript malware PoC abound. Who could miss that! Keep your eyes peeled for Googlers in the front row feverishly taking notes and radioing live information back to the Googleplex. This talk might also renew our sense of paranoia about browser security, if there is such a thing.
  
  
  Day 1: 16:45 to 18:00
  
  FLEX, AMF 3 and BlazeDS: An Assessment
  Jacob Carlson
  Kevin Stadmeyer
  
  Don’t know much about the speakers or the talk itself, but the subject matter looks compelling and particularly timely. I’ve been doing a lot of my own research in Flash/Flex are well and there is a lot of unexplored territory within. XSS and CSRF malware payloads can and will get a lot worse with this stuff.
  
  
  Day 2: 10:00 to 11:00
  
  Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security
  Arian Evans
  
  Going only because I have to speak alongside Arian. :) This presentation is the result of a large amount of experimentation on live websites using seriously obfuscated attack techniques. Some of the methods we’re still not exactly sure why they work, only that they do in extreme edge cases. What we’re also learning is that there is A LOT of web application vulnerability edge cases out there.
  
  
  Day 2: 11:15 to 12:30
  
  No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling
  Ivan Ristic
  Ofar Shezaf
  
  A serious toss up between this one and Threats to the 2008 Presidential Election, which I’m sure is also going to be a stellar. For me, I need to stay as up-to-date as I can in WAF technology evolution and Ivan is THE MAN in the open source space.
  
  
  Day 2: 13:45 to 15:00
  
  REST for the Wicked
  Bryan Sullivan
  
  Love the talk title and really interested in learning about any new attack techniques on SOAP and surrounding technologies. This area also continues to be a struggle for automated testing.
  
  
  Day 2: 15:15 to 16:30
  
  Get Rich or Die Trying – Making Money on the Web, the Black Hat Way
  Jeremiah Grossman
  Arian Evans
  
  Again, only because I HAVE to be there. :) I’ve been wanting to do a presentation like this for quite some time and have finally been able to pull together enough data and public examples to make it possible. The idea is to demonstrate how to make serious money illicitly using the most simplistic of web attack techniques, all of which have already been used in the real world, and then speculate a little on other possibilities. All story driven, not meant to be grown breaking attack wise, just really thought provoking and fun.
  
  
  Day 2: 16:45 to 18:00
  
  Pushing the Camel Through the Eye of a Needle
  SensePost
  
  Only because the Sensepost guys are super l33t, always have exceptional material, and I’ve never been to a bad presentation yet. Didn’t even bother to read the description, I know it’ll be worthwhile. Hopefully I can make it over there after my presentation.
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.
  
• July 25, 2008
• 13:27

  Results: Web Application Security Professionals Survey (July 2008)

   » ‎ Jeremiah Grossman
  The survey concluded this morning with a simply amazing turn out! A total of 340 respondents -- well over double the previous. Thank you to everyone who helped get the word and of course to those taking the time to fill out the form. This information is invaluable. Since there were so many responses, and hence comments, I’m only able to post the report graphs below. The full report containing all the comments, probably the best part, is available for download (xls). The upside of so much data is I was also able to run reports on people classifying themselves as “Security vendor / consultant”, “Enterprise security professional”, and “Developers” individually to see how they differed, if at all. If you want to the entire package of reports, here ya go. Big hat tip to Robert “RSnake” Hansen for the bandwidth.
  
  And now for my interpretation of the results…
  
  Question #1 – 3
  Shows that we have a nicely diverse set of individuals with varying backgrounds and years of experience. It looks like I should have had more granular answer options for Q2 though, note for next time.
  
  
  
  
  
  
  
  
  Question #4
  In the matter of browser security I figured just about everyone is using something above and beyond a default install, which is just plain crazy now days and the results confirmed. What astonished me though is the percentage of people across the range using virtualization, roughly 25%! Think about this. 1 in 4 web security people assume their browser and/or OS has a high likelihood of getting owned. Military intelligence, congressional ethics, browser security.
  
  
  
  
  Question #5
  In retrospect I should have asked a better PCI-DSS related question, the answers were unsurprising. People in the certain business sectors were influenced by PCI-DSS when it applied to them and they weren’t when it didn’t. What I really want to know is what ARE the driving factors behind why organizations are investing in web application security. I’ll try to figure out a better way to get to that answer set.
  
  
  
  
  Question #6
  These answers I found to be really interesting because they were split roughly down the middle and the comments were all over the map. Clearly there is no widely accepted view of what security means in the Web 2.0 software development era. We’re still trying to figure things out and convince ourselves that we have the right answer. Or that someone does. I think there is a lot still to be learned in this particular area and I plan to ask more questions on the topic going forward. This also might be an area where we should bring individual experts and practitioners to together to discuss the various issues.
  
  
  
  
  Question #7
  I purposely kept the term “vulnerability scanner” vague to see how they performed as an entire category. It doesn’t appear that vulnerability scanners have improved much or at least peoples impressions of them since the last survey. They performed dismally in Web 2.0 technologies including Ajax, Flash, and Web services. What surprised me is how well the scanners performed in the persistent XSS category, on par with the non-persistent. I can’t say I agree, but it is what it is. Could be an artifact that people don’t understand the difference and figure if the tool didn’t find it that its not there. The other interesting thing is that developers have a better opinion of scanners than security vendors and enterprise professionals.
  
  I plan on digging into this area even more in the future and separate out scanner types, asking for product names, and overall impressions.
  
  
  
  
  Question #8
  I was fairly impressed with these results. 1/3 of the respondents said they’d either recommend a WAF, already have a WAF, or had a WAF on the road map. Then half of everyone said they were “Skeptical, but open minded” as compared to a sparse 15% expressing a level of negativity. This should be a huge market indicator for WAF vendors, industry analysts, VARs, and systems integrators. That 50% category represents a huge opportunity to demonstrate a WAFs value and long-term viability. In the next year we’ll know which way the trend is heading.
  
  
  
  
  Question #9
  Cmon, I had to poke a little fun at RSnake. I mean you gotta know web security is becoming mainstream when you can’t automatically win an online Chihuahua beauty contest poll in Austin without getting out haxored at the last second. ;)
  
  
  
  
  Question #10
  OK, that settles it. Web security people have little to no respect for McAfee’s HackerSafe brand and even that’s putting it mildly if you read the comments. I was confused on what the large “other” responses wanted for an option though. There is also a quite unnerving statistic with developers as their answers were split in thirds. Could it be that 1/3 of developers believe HackerSafe means security?
  
  
  
  
  Question #11
  And there we have it, web security people don’t trust Google, roughly 75% of them anyway. The kicker is most still use them in some way or form anyway. Maybe in many ways we are just like the average user. We’ll tend to sacrifice security for convenience just like they do.
  
  
  
  
  Question #12
  Some like the idea, some hate it, and others have a love-hate relationship. Either way it appears there’s enough people interested in a certification that its time for someone to do it and do it well. Sooner or later there will be 1 or perhaps 2 industry acceptable certifications. Who will it be!? Probably the first one to do it right will.
  
  
  
  
  Question #13
  The answers were all over the map and I don’t think I asked this question in the best way. Still the majority of C-level executives are at least giving the web security problem a good look. What I’d really like to know, similar to question #5, is what exactly is causing people to care and dedicate more resources. Maybe it’s an incident, industry regulation, keeping up with the jones, who knows! I aim to find out.
  
  
  
  
  Question #14
  80% of us figured the industry noise was tolerable or we’ve become number to it. The rest, well, they are not long for the industry anyway. You must get used to it or you’ll go crazy, maybe some of us already have.
  
  
  
  
  Question #15
  Who’s winning? Few think it’s the good guys. What more can we say here but that this is really sad and we have our work cut out for us.
  
  
  
  
  Question #16
  The forced ranked list. Some were close in the center, but this is what we got. Awareness is still a HUGE issue and I tend to agree.
  
  1) General awareness and education
  2) Implementation of an security inside the SDLC
  3) Source code analysis
  4) Black-box vulnerability assessment / pen-testing
  5) Web application firewalls
  6) Enforcing industry regulation
  
  
  
  
  Question #17
  Read the comments, it’s worth it. :)
  
  WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the company’s flagship service, provides continuous web applications vulnerability assessment and management.