This is a really awesome time to be involved with web application security, and software security in general! Real metrics are finally being published in our industry. This will help us move away from the Anecdotal Evidence powering competing Security Risk Religions that folks have been selecting between by coin-toss, when choosing application security initiatives. Facts rule.
Cool reports so far this year:

+ Verizon DBIR (tells us who is hacking what)
+ Veracode's stats reports
+ WhiteHat's stats reports

BSIMM has some promise here, too.

WhiteHat Security just published their 10th stats report - remediation-timeline stats from 2,000 websites. This should be interesting to SC-L given the degree of SDL zealotry here.

Quote from WASC list:

> Many in the industry are eager to receive new and timely webappsec statistics. Yesterday we released "WhiteHat Website Security Statistic Report - Industry Benchmarks." Now over 2,000 websites worth of vulnerability data collected over the last several years. This report is meant to help answer the question, "How are we doing?" I uploaded all the data to my slideshare account for easy viewing. Enjoy!
>
> Slides
> http://www.slideshare.net/jeremiahgrossman/website-security-statistics-report-2010-industry-bechmarks
>
> Full Report
> http://www.slideshare.net/jeremiahgrossman/w-pstats-fall1010th

/Quote

---

Veracode also published a stats report around the same time that looks interesting, though I haven't managed to chew all the way through it yet: it appears Veracode observes different remediation times. Why? (I ask here since the Veracoders haunt this list.)

---

Arian Evans
Software Security Scanning Sophisticate

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________