Without meaning to open another can of worms: Web application ~= code repository.

Obviously not a decidable problem for computer programs working with deployment artifacts, but many consulting engagements do start out with reliable(-enough) mappings.

I'm not so much wading into the specific statistic. Michal makes a good point --- any automated survey hoping to provide an SQLI metric does contend with either a meaningless definition of "application" or an undecidable problem. My only point is: even if you had a reliable classification of a huge number of applications across many diverse customers (for instance, Veracode might), any automated survey is bound to be biased in other ways.

I think Michal and I agree that SQLI is much more prevalent than the conventional wisdom dictates.

On Thu, Mar 8, 2012 at 1:17 PM, Michal Zalewski <[email protected]> wrote:
>> There are many SQLI patterns that are hard for automated tools to
>> find. This is an obvious point, so I'm sorry to be pedantic, but I think
>> a survey based on automated scanning is a misleading starting point
>> for the discussion.
>
> Well, the definition of a web application is a surprisingly
> challenging problem, too. This is particularly true for any surveys
> that randomly sample Internet destinations.
>
> Should all the default "it works!" webpages produced by webservers be
> counted as "web applications"? In naive counts, they are, but
> analyzing them for web app vulnerabilities is meaningless. In
> general, at what level of complexity does a "web application" begin,
> and how do you measure that when doing an automated scan?
>
> Further, if there are 100 IPs that serve the same www.youtube.com
> front-end to different regions, are they separate web applications? In
> many studies, they are. On the flip side, is a single physical server
> with 10,000 parked domains a single web application? Some studies see
> it as 10,000 apps.
>
> Heck, is www.google.com a web application, or a collection of several
> hundred web apps? In my view, it's the latter, but how do you tell
> with a script?
>
> Would it be considered a single application were it running on a
> single physical machine? The intuitive answer is "no", but then, from
> the perspective of SQLi or an RCE bug, there is a difference of sorts.
>
> There's more... are foo.blogspot.com and bar.blogspot.com separate
> "web applications"? If not, then what about *.appspot.com? How does an
> automated tool determine the difference between these environments?
>
> The list goes on... In such cases, manually constructed and carefully
> vetted data is actually quite likely to be more meaningful than any
> automated studies.
>
> /mz

-- 
--- Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

_______________________________________________
Dailydave mailing list
[email protected]
http://lists.immunityinc.com/mailman/listinfo/dailydave
