undefined | Better HN

0 pointsdmix10y ago0 comments

Indeed, I'd love to see an expanded chart (as well as a more recent one). This one is focused on two categories, memory vs web vulns.

0 comments

tptacek10y ago

I'm not in love with White Hat as a company, but they do collect stats across their customer base, and their annual stats have shown sharp declines in SQL injection.

DOM corruption is a somewhat complex class of vulnerabilities (see lcamtuf's "Notes From A Post-XSS World" for an example of why), and it's not surprising to see we're making less progress.

sebcat10y ago

> I'm not in love with White Hat as a company, but they do collect stats across their customer base, and their annual stats have shown sharp declines in SQL injection

White Hat has a set of tests they run against their customers over time. They tell their customers what problems they find. Their customers (mostly) fix the problems.

I'm not sure that translates correctly to the outside world. The fact that their stats show a decline in the presence of SQL injection vulnerabilities could only be showing us that they have more old customers that have gone through a couple of reports and patch cycles than they have new customers who might not yet have fixed what they're told to fix.

tptacek10y ago

I don't know: their observations square with my anecdotal observations over 10 years of appsec consulting. On my first ever web pentest, I got a 'OR''=' SQLI in the username of a login form. In 2014, when I left Matasano, that would have been absolutely shocking. SQLI has become far less common:

* Developers are taught to use parameterized queries

* Fewer big applications are built in PHP

* More projects use ORMs now than don't

* Random testers hoping for bug bounties hammer every application with SQLI scanners

2 more replies

j / k navigate · click thread line to collapse

0 comments

tptacek10y ago

I'm not in love with White Hat as a company, but they do collect stats across their customer base, and their annual stats have shown sharp declines in SQL injection.

DOM corruption is a somewhat complex class of vulnerabilities (see lcamtuf's "Notes From A Post-XSS World" for an example of why), and it's not surprising to see we're making less progress.

sebcat10y ago

> I'm not in love with White Hat as a company, but they do collect stats across their customer base, and their annual stats have shown sharp declines in SQL injection

White Hat has a set of tests they run against their customers over time. They tell their customers what problems they find. Their customers (mostly) fix the problems.

tptacek10y ago

* Developers are taught to use parameterized queries

* Fewer big applications are built in PHP

* More projects use ORMs now than don't

* Random testers hoping for bug bounties hammer every application with SQLI scanners

2 more replies

j / k navigate · click thread line to collapse