Charles Henderson
Director of Application Security Services - Trustwave, SpiderLabs
Recent Activity
Obviously we have been busy up until this point simply getting the GSR out the door in an accurate, timely manner. Keeping in mind that SpiderLabs' testing arm is quite a bit larger than seven people, to answer your question regarding length of engagement: in the 2009 GSR we documented a little over 1800 tests averaging 80 hours in total testing length, and I would expect the numbers to be fairly similar for 2010 with regard to testing length. Over the course of the next year we plan to release a number of additional SpiderLabs documents. Some of these will certainly be more application specific and should provide much more application testing data that we hope you will find interesting.
Andre, the short answer is that in the comprehensive document we made a decision to only include ten items on the application list. While we certainly see the vulnerabilities you listed as well, we see the listed vulnerabilities more often. Certainly there would be many more vulnerabilities listed on a comprehensive list of all application vulnerabilities we saw in 2010. To take things a step further, consider for a moment the percentage of applications that even allow file upload. The volume of other vulnerabilities may be limited by similar factors. With this in mind, it is not totally unsurprising that some dangerous vulnerabilities may not appear in our list. That is not to say that these vulnerabilities are not serious and would not result in a critical weakness which might lead to an application's compromise. There are many application vulnerability lists, and it is our feeling that each one has its place. This list is certainly not meant to replace other lists. We certainly appreciate the feedback!
Nov 18, 2010