Web Application Security Statistics for 2008

Keep on Guard!


Purpose

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by Mitre CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications, this project tries to be the equivalent for custom web applications

Goals

  1. Identify the prevalence and probability of different vulnerability classes
  2. Compare testing methodologies against what types of vulnerabilities they are likely to identify.

Methodology

The statistics was compiled from web application security assessment projects which were made by the following companies in 2007 (in alphabetic order):

Booz Allen Hamilton
BT
Cenzic with Hailstorm and ClickToSecure
dblogic.it
HP Application Security Center with WebInspect
Positive Technologies with MaxPatrol
Veracode with Veracode Security Review
WhiteHat Security with WhiteHat Sentinel

There’s some pretty interestesting statistics there.

Read the full report here:

http://www.webappsec.org/projects/statistics/

Posted in: Web Hacking

, ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


2 Responses to Web Application Security Statistics for 2008

  1. Nico September 18, 2008 at 7:02 pm #

    I find that some vulnerabilities are under represented in these stats.

    For example, WSDL exposure is becoming more and more common in site that I had to test.

    Nico

  2. SpikyHead September 21, 2008 at 6:22 am #

    Why can’t OWASP and WASc join hands to produce such reports especially when both are getting help from CVE MITRE to produce their reports.