WASC Web Application Security Statistics
The Web Application Security Consortium (WASC) has published its Web Application Security Statistics Project 2008.
The data has been gathered from anonymous submissions by eight organisations about their web application security assessment projects in 2008. The large number of projects gives a good spread of data, though of course it excludes web sites and web applications that have never been tested.
The statistics include data about 12,186 sites with 97,554 detected vulnerabilities.
The owners of web sites and web applications that are not included here will include those validated/tested by others, tested internally and not tested at all. The latter may include simpler, less functional web sites or those where the potential damage is considered to be less than the cost of application security validation/testing. Nevertheless, the data are important for web developers, testers and auditors for many reasons:
- The most common vulnerabilities are listed: they are nothing new, and they demonstrate where greater effort is often required to standardise code and stamp these out.
- The risk assessment methodology is explained and can be used as a guide for internal assessments.
- High risk vulnerabilities are common (more than 80% have urgent and critical vulnerabilities), even in applications that are likely to be considered more important, and therefore are being tested by independent third parties.
- Organisations that are required to be PCI DSS compliant may be failing to ensure their web sites meet the requirements.
- Manual white box (full knowledge) testing is needed as well as automated scanning to detect many vulnerabilities.
All the contributors to this project should be thanked for sharing their insights with us.
Posted on: 20 October 2009 at 14:56 hrs