Comments on Jeremiah Grossman: The future of web application vulnerability assessment is about scale
(Blogger comment feed, 8 comments, feed last updated 2024-02-08)

---

Will Stranathan (https://www.blogger.com/profile/07533170385996088112), 2006-12-27 03:45

And to top it all off, the most serious of the vulnerabilities are impossible for any automated tool to find.

Source code scanning earlier in the development process and more reliable VA scanners will help, but the lion's share of my VA time is spent working on logic flaws that neither a source code scan nor an automated application scan can find - horizontal and vertical privilege escalation (some will tell you their tools can, but they're not that great), XSRF, and privacy issues.

What will help to a degree is for coders to be more focused on coding correctly (no, we don't have to train them to use MITM proxies against their sites in order to do this) and for engineers to understand that security needs to be baked in from the beginning.

We're probably in a losing proposition, though. The bad guys always have an unlimited supply of able workers and the reward scale is such that money isn't necessary (initially) to motivate them.

---

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2006-12-27 07:56

> And to top it all off, the most serious of the vulnerabilities are impossible for any automated tool to find.

A lot of 'em, that's for sure. I wonder how many people are getting this part of web app sec yet.

> What will help to a degree is for coders to be more focused on coding correctly

While improvement will inevitably make websites more secure, it doesn't reduce the workload for web app VA. We have to check for the same things anyway, by scanner and human.

> (no, we don't have to train them to use MITM proxies against their sites in order to do this) and for engineers to understand that security needs to be baked in from the beginning.

Well said.

> We're probably in a losing proposition, though. The bad guys always have an unlimited supply of able workers and the reward scale is such that money isn't necessary (initially) to motivate them.

Taking the Web as a whole, you're probably right. Far too many websites to protect, far too many vulns at the moment. It's a cakewalk to break into just about anything you want.

Where we need to get to is being able to offer those that REALLY want to be secure the means and solutions to do so. The rest who don't care, well, not much can be done.

---

Anonymous, 2006-12-27 09:11

I don't understand your math. You approximately halved the retail cost of an assessment, but the price went down an order of magnitude. I think the $2,000/assessment retail is incorrect, given that worker productivity went up over 50-fold. Did you mean to type in $200?

From nits to useful comments, I think that a lot of the reason that network assessments are cheap now has to do with the very things that make people say that web assessments are hard. Networks tend to be standardized, and net admins are educated about security. The parallels to this in the web app world are frameworks and education. Un/fortunately, I don't see either of these being at the maturity level of networks anytime soon. Network architecture has essentially stagnated. Nobody's deploying any radical new network architectures. Wireless would be the exception, and we can see how secure that is. I don't think web assessments will be as straightforward as net assessments until web development stagnates and frameworks emerge that are as widespread and secure as TCP or SSL implementations are today. With all the churn and parallel implementation that exists in web development today, I don't see that happening anytime soon.

(P.S. I get like a 50% success rate tops on your captcha. Does that mean I'm a replicant?)

---

Jeremiah Grossman, 2006-12-27 10:09

> I don't understand your math. You approximately halved the retail cost of an assessment, but the price went down an order of magnitude. I think the $2,000/assessment retail is incorrect, given that worker productivity went up over 50-fold. Did you mean to type in $200?

In my model worker productivity increased 5-fold (from 40 assessments to 200), which could have meant a retail price decrease from $5,000 to $1,000. However, I don't think the two metrics are necessarily directly related. $1,000 was too cheap. I just picked some numbers that felt right based upon the trajectory I see at WH.

> Networks tend to be standardized, and net admins are educated about security. The parallels to this in the web app world are frameworks and education. Un/fortunately, I don't see either of these being at the maturity level of networks anytime soon.

That's a very compelling observation. That could very well be exactly what's going on. And frankly, a topic worthy of an article if expounded upon. I'll have to think about this more.

> (P.S. I get like a 50% success rate tops on your captcha. Does that mean I'm a replicant?)

HEHEH, I've had the same problem and wonder the same thing often about myself.

---

Anonymous, 2006-12-27 11:11

Oh, wait, I see the math problem. You swapped the assessor cost and the retail assessment cost in the "brave new world" scenario. It still costs billions of dollars to do the tests, but at least you can do it with only 5,000 people.

---

Jeremiah Grossman, 2006-12-27 12:32

Yah, just trying to put things into perspective, even though numbers will be somewhat inaccurate.

---

Anonymous, 2012-03-07 07:38

Hi Jeremiah, I'm a security professional for a major and am digging around the web for basic metrics around patch management and the cost associated.

I've seen some complex math formulas that don't benefit what I need.

I was looking at the cost of IT operations for testing, deploying a patch on 100,000 endpoints with 20% dev/test machines. Heterogeneous environment, mostly Windows, with 10% *Nix, 10% network devices.

Based on the premise that an enterprise deployment tool is in place for Windows and that the testing would involve manual patching for the 20% of the dev machines.

---

Jeremiah Grossman, 2012-03-07 07:43

@Anonymous: That's a really good question with important data. Unfortunately, I don't have a good reference to the data that you need, but suspect that someone out there does.

Are you on twitter? If so, that would be a better place to ask. I'll RT if you point it out to me.