55% of Application Security Vulnerabilities are Missed By Tools

Jeff Williams took over running OWASP from me way back when. Not only is he a nice bloke, nearly 7 feet tall and has done a superb job with OWASP, but he’s super smart as well. I was sent some slides he was using to promote OWASP.

https://www.owasp.org/images/a/ad/OWASP_Overview_Spring_2007.ppt

Slide 4 is shown below and caught my eye.

The data being referenced here is from some other super sharp folks, Steve Christey and Robert Martin. Their slides are here: Mitre CWE BeingExplicit Slides.ppt

What Steve and Robert have done is to analyze various taxonomies being used in the wild, process them into a schema for common weaknesses and then overlay the coverage claims made by tool vendors.

The result: 55% of the weaknesses reported are not covered by application security tools, and if I am reading slide 30 of 42 correctly (I wasn’t there and there are no notes) they are saying that all-bar-one tool vendor can’t find 84% of the common weaknesses reported in real world software applications.

So why does all this matter? I think the future of security solutions is in whole products. This has been preached by the Chasm Group. Too many security products only solve part of the problem and don’t solve a customer’s problem; just part of it. Where are the whole assessment products that tie together what a tool can automate and what a human needs to do?

http://www.slideshare.net/mcurphey/product-definition/
