ISSA-LA InfoSec Summit XI

There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. On the surface you can see it within the pages of any Application Security vulnerability statistics report, where they state that the vast majority of websites contain serious issues — averaging dozens (SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, etc).  Their data also shows only half of those reported vulnerabilities ever get fixed and takes months. The data itself is not in dispute, these are legitimate vulnerabilities, but underneath there’s a secret: Vendors are incentivized to report everything they possible can, which they use to impress and win deals, even issues those vulnerabilities rarely matter. As a proof point, the vast majority of those ‘serious’ website vulnerabilities are simply NOT being exploited. Why is that?

Conversely, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what everyone is currently experiencing. If attackers really aren’t finding, exploiting, or even caring about these vulnerabilities as we can infer from the supplied data — the value in discovering them in the first place becomes questionable.