March 04, 2004

Interesting research on application security metrics

Chris sent a good post to SC-L yesterday about some research @stake did on application security metrics. Although the findings are mostly focused on web application security, it's still quite interesting, especially since this work was completed before OWASP really took off. I thought I would post it here because I know I am going to reference its findings in the future.


@stake published its first application security metrics report in April 2002.
It is an analysis of 45 "e-business" applications that @stake assessed for its
clients. Most are web applications.

The Security of Applications: Not All Are Created Equal
http://www.atstake.com/research/reports/acrobat/atstake_app_unequal.pdf

@stake found that 70% of the defects analyzed were design flaws that could
have been found using threat modelling and secure design reviews before the
implementation stage of development.

62% of the apps allowed access controls to be bypassed, 27% had no
prevention of brute force attacks against passwords, and 71% had poor input
validation.

@stake lists the top 10 categories of application defects found. The list
predates the OWASP Top 10 by eleven months and is largely the same.
The data gives the percentage of applications affected and is ranked, so it is not
anecdotal.

There is a follow-up to the first application defect study, done 15 months later in
July 2003. This was done to see if application security is improving.

The Security of Applications, Reloaded
http://www.atstake.com/research/reports/acrobat/atstake_app_reloaded.pdf

The results found that security is improving overall but that there is a widening
gap between the security quality of the top quartile of applications and the
bottom quartile.

There is another article that 3 @stake authors wrote for IEEE Security and
Privacy Magazine which contains elements from both reports.

Information Security: Why the Future Belongs to the Quants
http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf

Cheers,
Chris

Thanks Chris! Good information here.

Posted by SilverStr at March 4, 2004 12:26 PM