White Box Better Than Black Box

The WASS Project, which Veracode contributed data to, shows some nice benefits of White box (static) over Black box (dynamic) analysis for many serious vulnerability categories. White box overall detects a higher prevalence in many categories, which we can extrapolate to lower false-negative (FN) rates. Since the sample sets of apps are not the same, this can only be read as a trend. Static is better than dynamic in 5 out of 7 categories: credential/session prediction, SQL Injection, Path Traversal, Insufficient Authorization, OS Commandeering. In one category, insufficient authorization, dynamic is better and in one …

From the 10 Years Ago Today Department

From the L0pht Archives:

Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC
9.30.1999
The lack of client side security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for “secure” web transactions to allow an attacker to authenticate as the hapless consumer.

Dateline explores this problem on Sunday October 3rd at 7pm EST. Watch Cult of the Dead Cow demonstrate the attack and Weld Pond from the L0pht talk about what is really going on.

It is shocking how …

Stealing PII is So 2007 — They Want Your Endpoint

Attackers are not going to be satisfied with a simple PII breach anymore. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online financial accounts. They are succeeding.

Controlling the endpoint within a business can net an attacker $100,000+. In “Real-Time Hackers Foil Two-Factor Security”, …
