Positive Technologies
International Web Application Security Statistics 2008

The Web Application Security Consortium (WASC), an international group of web application security experts, has published the latest edition of its annual WASC Web Application Security Statistics Project, covering 2008.
The statistics are based on data collected during penetration tests, security audits and other assessments performed by the participating WASC members: Blueinfy, Cenzic, dns, encription limited, HP Application Security Center, Positive Technologies, Veracode, and WhiteHat Security. They were derived from the analysis of about 12,000 web applications with more than 97,000 detected vulnerabilities of various risk levels.
Over 13% of all reviewed sites could be compromised fully automatically, and 49% of web applications contained high-risk (Urgent and Critical) vulnerabilities detectable by automated scanning alone; detailed manual and automated assessment using a white-box approach raised the probability of detecting such high-risk vulnerabilities to 80-96%. PCI DSS (Payment Card Industry Data Security Standard) compliance testing showed that the probability of finding a vulnerability of higher than medium risk exceeded 86% with any of the methods, and detailed analysis showed that 99% of web applications were not compliant with the PCI DSS standard.
According to the statistics, the most widespread vulnerability classes are Cross-site Scripting, various forms of Information Leakage, SQL Injection, and HTTP Response Splitting. Compared to 2007, the share of sites affected by SQL Injection and Cross-site Scripting fell by 13% and 20%, respectively. However, the share of sites affected by some form of Information Leakage rose by 24%, and the probability of a host being compromised automatically rose from 7% to 13%.
A comparison of the WASC data with Positive Technologies' own 2008 statistics for Russian companies shows much the same picture: 83% of Russian sites contain critical vulnerabilities, and Cross-Site Scripting is among the most widespread vulnerability classes.
The WASC Web Application Security Statistics Project leader, Sergey Gordeychik (Head of the Consulting and Audit Department, Positive Technologies), commented on the situation: "This is the third year we have published the statistics, and every new issue shows a deterioration in the general state of web site security. The growth in the number of vulnerable systems has two causes: the improvement of automated security control systems and hacker programs, and the increase in the percentage of dynamic web applications, which usually contain more security weaknesses."
The full report can be found here.



The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open-source and widely agreed-upon best-practice security standards for the World Wide Web. The WASC Web Application Security Statistics Project 2008 is a collaborative, industry-wide effort to pool sanitized website vulnerability data and gain a better understanding of the web application vulnerability landscape. The project ascertains which classes of attacks are the most prevalent regardless of the methodology used to identify them. Its goals are to identify the prevalence and probability of different vulnerability classes, and to compare testing methodologies against the types of vulnerabilities they are likely to identify.
Copyright © 2002-2010 Positive Technologies