Web application security statistics for 2008

The Web Application Security Consortium (WASC) announced the WASC Web Application Security Statistics Project 2008, a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape.

The statistics includes data about 12186 web applications with 97554 detected vulnerabilities of different risk levels, and the following conclusions can be drawn based on the analysis:

  • The most wide spread vulnerabilities are Cross-site Scripting, different types of Information Leakage, SQL Injection, HTTP Response Splitting

  • The probability to detect a urgent or critical error in dynamic web application is about 49% by automatic scanning and 96% by comprehensive expert analysis (white box method)
  • Administration issues are 20% more frequent cause of a vulnerability than system development errors
  • 99% of web application are not compliant with PCI DSS standard requirements, and 48% of web applications are not compliant with criteria of ASV scanning by PCI DSS
  • Detailed white box method analysis allows to detect up to 91 vulnerabilities per web application, while automatic scanning – only 3
  • Compared to 2007, the number of sites with wide spread SQL Injection and Cross-site Scripting vulnerabilities fell by 13% and 20%, respectively, however, the number of sites with different types of Information Leakage rose by 24%. On the other hand, the probability to compromise a host automatically rose from 7 to 13 %.

The statistics was compiled from web application security assessment projects which were made by the following companies in 2008: Blueinfy, Cenzic with Hailstorm, DNS with WebInspect, Encription Limited, HP Application Security Center with WebInspect, Positive Technologies with MaxPatrol, Veracode with Veracode Security Review and WhiteHat Security with WhiteHat Sentinel.

To see the results of the project in greater detail, go here.

Don't miss