A small (21 professionals) and informal survey by Jeremiah has some interesting results, including the fact that no one appears to be “utilizing” the OWASP Top Ten, while a majority say the PCI standards are going “in the right direction”:
6) What do you think about the updated PCI Data Security Standard v1.1?
a) Huh? (0%)
b) It’s stupid and means nothing to me (0%)
c) Step in the right direction (57%)
d) Great for the web application security industry! (0%)
e) Other (43%)
It would be nice to know how the following numbers break down. For example, does the lion’s share of a review’s time go to the size and complexity of the average commerce site (more than a week’s worth of hands-on testing), or to a lack of prior reviews or documentation that stretches out the front-end preparation and back-end reporting? Or are the people who answered simply not the types who do small-site reviews…
4) Average number of man-hours required to perform a thorough web application vulnerability assessment on the average commerce website?
a) None (0%)
b) 0 – 10 (5%)
c) 10 – 25 (10%)
d) 25 – 40 (0%)
e) 40+ (86%)
The BBC has a related article with some interesting insights:
The hackers lack the skills to do anything with the data they steal and the old-time criminals lack the technical skills to get the data. This is where they meet.
I came across Ess4 hawking login data for the web shops he has hacked, the credit card numbers he has plundered from those sites and a how-to-guide that shows others how to do it.
He said: “i got many shops + tons of daily orders. i hack a shop in 3-4 hours and sell it for 100-500$.”
He thanked “stupid admins” for making basic mistakes that let him break in.
Roze, one experienced hand and a spammer, said he exploited “human stupidity” rather than poor security.
[…]
And, he said, when he was not relying on stupidity, he had a cadre of smart hackers working for him to break into networks. Curiously, most of these people were from Romania – a country that comes up again and again on these channels.
He said: “romanian guys are very smart. All the time they come with something new ;) they are the best hackers on earth i think.”
[…]
The big problem that these criminals face is not the police but each other and they are in constant fear of being ripped off by their brethren. There is little honour among these thieves.
Davi, it’s interesting that “no one is using the OWASP Top 10” as it’s NOT a standard. In the 2007 redraft that is being made actually clear for the first time.
The PCI uses the Top 10. Download it and check – it’s actually the 2004 Top 10. They used it without seeking our assistance. Therefore, by default the Top 10 is being used… but wrongly.
Read my blog entry here on why I don’t do small code reviews:
http://www.greebo.net/?p=374
Andrew
Andrew, thanks for the clarification. I agree with your post and fear the set-and-forget approach. The only thing worse would be a set-and-use without understanding the cost to document and change application traffic.
I often characterize this risk as “unripe automation” — implementing technology before business processes are documented well enough, let alone repeatable (based on the CMM guidance), to manage the systems effectively. A good example of this was the initial attempts by GM to introduce robots into their production lines before they really understood what it takes to automate. Contrary to many hopes (and sci-fi stories), automation technology cannot grow an understanding of, and thus fix, business processes (like bad code pushed to production). Instead, it actually amplifies faults by making them appear faster (like breaking the app and taking the site down). In the end GM spent more money on their set-and-forget technology projects than it would have cost for them to just buy Toyota and have them take over production.