

What we discovered by scanning 235 OSS apps for security issues - fmavituna
http://www.mavitunasecurity.com/blog/analysis-web-application-vulnerabilities/

======
jimktrains2
That was terribly devoid of data and the only link in the article links back
to their paid app. The choice in colors of the pie chart was just terrible.

Also, what do databases have to do with anything? Obviously MySQL would be
heavily used since it's commonly used with PHP and other web frameworks.

Also, how is their scanner false positive free?

~~~
fmavituna
Here is the raw data:

[https://docs.google.com/a/mavitunasecurity.com/spreadsheet/c...](https://docs.google.com/a/mavitunasecurity.com/spreadsheet/ccc?key=0Ai3Dfx3aMZQ9dEJiemw0UE9TS0tUemdldVNTWG5MR2c)

We'll update the blog with a link to this as well.

> Also, how is their scanner false positive free?

Because it exploits the identified vulnerabilities and if a vulnerability is
exploited it can't be a false positive. That's how a human confirms a
vulnerability as well. If you like, there is more information on the website:

[http://www.mavitunasecurity.com/blog/false-positives-the-dir...](http://www.mavitunasecurity.com/blog/false-positives-the-dirty-secret-of-the-web-security-scanning-industry/)

[http://www.mavitunasecurity.com/blog/false-positive-free-sca...](http://www.mavitunasecurity.com/blog/false-positive-free-scanning/)

P.S. In case it's not obvious, I'm the founder and OP.

------
city41
I don't understand how SQL injection still exists as a problem. Isn't it
pretty much completely solved by using an ORM or prepared statements? Is it
just laziness that allows it to fester on, or is there something I'm missing?

~~~
wglb
Prepared statements won't handle variable table names. Thus if your
application builds a table name from user-influenced input, you need to do an
extra step of sanitization that prepared statements won't do.
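
An added illustration of the point above (example code, not from the thread or from Netsparker): the driver refuses a bind parameter in identifier position, so the table name must be checked against a fixed allow-list before it is spliced into the SQL string, while the value still goes through a bind parameter. The `users`/`orders` tables and their rows are constructed for this demo.

```python
import sqlite3

# Constructed for the demo: the only identifiers the application may ever query.
ALLOWED_TABLES = frozenset({"users", "orders"})


def build_db():
    """Constructed in-memory database with two small tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(10, "widget")])
    return conn


def identifier_as_parameter_fails(conn):
    """Shows why the allow-list is needed: '?' is not accepted where a table name goes."""
    try:
        conn.execute("SELECT id FROM ? WHERE name = ?", ("users", "alice"))
    except sqlite3.OperationalError:
        return True
    return False


def quote_ident(name):
    """SQLite identifier quoting; only reached after the allow-list check passes."""
    return '"' + name.replace('"', '""') + '"'


def fetch_ids_by_name(conn, table, name):
    # Step 1: the identifier cannot be bound, so reject anything not on the allow-list
    # before it is ever concatenated into SQL.
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    # Step 2: the value CAN be bound; let the prepared statement handle it.
    sql = f"SELECT id FROM {quote_ident(table)} WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def safe_lookup(conn, table, name):
    """Application-facing wrapper: None means the table name was rejected."""
    try:
        return fetch_ids_by_name(conn, table, name)
    except ValueError:
        return None
```

The allow-list is the "extra step of sanitization": it is a membership check against known names, not an attempt to escape whatever the user supplied.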

------
fmavituna
Sorry for not disclosing the raw data; here is the document the infographic was
produced from:

[https://docs.google.com/a/mavitunasecurity.com/spreadsheet/c...](https://docs.google.com/a/mavitunasecurity.com/spreadsheet/ccc?key=0Ai3Dfx3aMZQ9dEJiemw0UE9TS0tUemdldVNTWG5MR2c)

You can see the list of all scanned applications with versions and brief
information about the results, including the advisory link (if published).

From the advisory you can see technical details of the vulnerabilities, i.e.
[http://www.mavitunasecurity.com/xss-and-blind-sql-injection-...](http://www.mavitunasecurity.com/xss-and-blind-sql-injection-vulnerabilities-in-exponentcms/)

List of all advisories from us (all found by Netsparker):

<http://www.mavitunasecurity.com/netsparker-advisories/>

------
ambiate
Your tinfoil hat should start buzzing when you see the word 'infographic.'
Instead of data to backup the analysis, you should expect back links to a
product or website (possibly far from the topic).

It is a well-known art that infographics are highly popular on voting sites
and a cheap way to build quality back links.

~~~
fmavituna
Sorry about the lack of data, here it is:

[https://docs.google.com/a/mavitunasecurity.com/spreadsheet/c...](https://docs.google.com/a/mavitunasecurity.com/spreadsheet/ccc?key=0Ai3Dfx3aMZQ9dEJiemw0UE9TS0tUemdldVNTWG5MR2c)

Sure, we added the infographic to get more traffic and for marketing purposes,
not because it's fun to create infographics.

FYI, it's not really easy to install and scan 235 OSS applications and then get
in touch with vendors to report those issues in detail, so it's not really just
a cheap marketing trick. AFAIK no one has produced this kind of big statistical
report on the security of OSS applications before; there are reports from
Whitehat (<https://www.whitehatsec.com/resource/stats.html>) but mostly on
commercial applications.

~~~
ambiate
Now you've transitioned me from skeptic to potential client.

Yet, my reasons are for evil purposes. Could I not feed countless lists of
websites to the Professional version? I believe I see support for proxy(ies).
In turn, could I not sell these lists of vulnerable sites to some market?

Understand, my position comes as a product of prior environments. This is
basically a script kiddie's paradise. Could I use Google tricks to find lists
of sites that use all of the software mentioned in your spreadsheet, set out
a list of 500 proxies to do my bidding, and reap the black-hat rewards?

I could be a good guy, find the vulnerable sites, and use the list to WHOIS
every domain and email the owners with Perl/Python.

If you give me a product that can brute force my bitcoin wallet password, but
for an extra $1000, I can brute force unlimited bitcoin wallets, you attract a
certain breed.

~~~
mentat
There are people who can write this stuff from scratch. Some of those people
have "evil purposes". Do you propose making all the information secret? It
still won't change things. Check out Metasploit, that improves the overall
state of security because the good guys can do more in less time. This may be
a similar tool.

------
skytalon
Not really on topic, but in that article, why are the paragraph "title"
texts made up of images (that appear to be in-page data)?

------
jdbevan
Shame this isn't an unbiased/independent report.

