Wednesday, Jun 24, 2009

Assessing Risk

The Web poses unique security challenges. When legitimate websites are compromised, anyone can - theoretically - be exposed. For their work to be meaningful, security researchers dealing with Web threats have to develop a solid risk assessment plan that includes the ability to distinguish actual risk from theoretical possibility.

ScanSafe has an advantage in this area because we deal in actual traffic and thus can take 'probable' out of the equation. We don't have to guess whether something will or won't be a problem for Web surfers because we have the actual numbers. Still, we always back up our own findings with traffic analysis and exposure numbers from verifiable sources.

We also consider the quality/popularity of the compromised sites that are acting as conduits for the malware. If the majority of compromised sites have non-existent or extremely low popularity rankings, common sense and a basic knowledge of SEO tell us that the attacks will never take off.

If we didn't incorporate risk assessment, we'd be issuing non-stop alerts. Website compromises are real, pervasive, and an ongoing threat. On average, ScanSafe analyzes over a thousand unique attacks against Web properties each month, many of which impact tens of thousands of highly trafficked websites. Mixed in with those are plenty of others that very few users will ever encounter.

Because we see so much, we take some things for granted. For example, we expect to see heavy obfuscation of embedded scripts, multiple embedded scripts on a compromised page, and multiple redirects.

While these techniques aren't new to us, we can appreciate that some researchers may be seeing them for the first time. And it's understandable that someone seeing them for the first time would be eager to blog about them.

But enthusiasm aside, as an industry we need to ensure we've done the proper risk assessment and that we report events in their proper context. At ScanSafe, we take this part of our job very seriously and work diligently to separate the theoretical from the real. Because if we didn't do that, we would mislead the many folks who are relying on us.
