Research Analysis

Industry research such as Larry Suto’s is often superficial and at times driven by external motivations. So where should we derive our research data from? While one answer may be to forgo with research data all together, another option that comes to mind is academic research. An academic paper comparing vulnerability discovery techniques that I encountered is a good test case for that...

Larry Suto, who brought scanners wars 1 and 2 has published a WAF effectiveness research. As usual, Larry’s work is fun to dissect. While Larry’s research is not worse than your average analyst’s work, he does try to base his conclusion on more concrete and pseudo-scientific research making it much more vulnerable to scrutiny.

While securing web applications is a well understood need, and while WAFs have clear advantages over code review and testing such as immediate mitigation and higher automation, the WAF market is still a small market. The attached presentation discusses and offers some explanations to this phenomenon. 

Larry Suto, an application security consultant, publish a sequel to his 2007 best seller research about web application scanners. In the first round Larry managed to ignite quite a controversy and drew a lot of criticism from the loosing vendors. The reason is simple: Larry found out that the scanners do not perform as well as advertised.

One of the issues haunting WHID since its inception two years ago is inclusion criteria: which incidents get in? WHID goal is not to provide an alternative to Zone-h defaced sites archive or ScanSafe's Threat Alert which tracks malware planted on web sites.

XSS has dominated the Web Hacking Incidents Database statistics page since its inception. The immediate conclusion it that XSS is the most dangerous of them all. Is that so? or is it just a common research error?