The always insightful WASC security statistics report for all of 2008 has just been released.
The data collected represents combined results of webapp vulnerability assessments from such market leaders as Whitehat, Cenzic, HP and Veracode. In total, 12186 individual sites were sampled.
One thing to consider: the results are gathered from organizations that have already purchased services from these companies. Those services aren’t cheap, and are out of range for most small-to-medium businesses (roughly $7k per assessment from Cenzic). In general, I think it’s safe to infer that the results represent organizations with budget, expertise and formalized SDLCs that require some level of security assessment.
Your average CMS/forum/ecommerce site likely isn’t represented, but in my own experience those sites are all seeing the same kinds of vulnerabilities: XSS, SQL injection, RFI, etc.
Some FUD-reinforcing statistics:
- > 13% of webapps can be completely compromised by automated means alone
- ~ 49% of webapps contain high-risk vulnerabilities that can be detected automatically during scans
- ~ 80-96% of webapps contain high-risk vulnerabilities when inspected manually
- 99% of webapps are not compliant with the PCI DSS standard
- Top 3 vulns: XSS (39%), information leakage (32%), SQL injection (7%)
If the big guys, with (presumably) more experience, money and formal programs to reduce these risks in their webapps, are still struggling to get it right, how do you think everyone else is doing?
Attention to the webapp security problem is growing, and reports like this really help. Keep up the good work, guys.