Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning.
"Greetings everyone,
I wanted to let you all know that we have released the new WHID report for 2010 – http://projects.webappsec.org/Web-Hacking-Incident-Database-2010-Semi-Annual-Report
A few Report Summary Findings –
- A steep rise in attacks against the financial vertical market is occurring in 2010, and is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting small to medium businesses’ (SMBs) online banking accounts.
- Corresponding to cybercriminals targeting online bank accounts, the use of Banking Trojans (which results in stolen authentication credentials) made the largest jump for attack methods (Banking Trojans + Stolen Credentials).
- Application downtime, often due to denial of service attacks, is a rising outcome.
- Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the no. 1 “unknown” attack category.
We also have a new Top 10 Web Application Risks listing – which is an interesting contrast to the OWASP Top 10.
I would also like to point out that we have added the Real-Time Statistics feature on the WHID project site – http://projects.webappsec.org/Web-Hacking-Incident-Database#RealTimeStatistics
With this new capability, you can now get live stats based on either the Year and/or your Vertical Market of choice.
Cheers,
Ryan Barnett
WASC WHID Project Lead"