Web Application Vulnerability Statistics 2010-2011

Read the white paper

Over the past two years Context have been amassing statistics on a range of IT security activities, based on the output of real-world IT security consultancy engagements. One of the most common activities performed during this period has been web application penetration testing. This white paper provides a unique insight into the state of web application security, presenting penetration test analysis from a dataset containing nearly eight thousand confirmed vulnerabilities found in almost six hundred pre-release web applications between January 2010 and December 2011.

This dataset was generated from the output of manually guided penetration tests, not from fully automated vulnerability scanners. As every vulnerability was identified and confirmed by hand, the dataset is a credible, high-quality resource with which to review the current state of web application security.

This review represents the first analysis of the dataset and seeks to identify trends currently affecting the security of web applications. The analysis is intended to help the industry improve security by highlighting problem areas and identifying where specific classes of vulnerability are on the increase.

Conclusions
  • On average, the number of issues identified during each web application penetration test increased during the course of 2011
  • Government, Finance, Law and Insurance sectors have seen the largest increases in vulnerabilities identified within their web applications
  • Server misconfiguration and information-leakage vulnerabilities are the most prevalent category of issues identified
  • All categories of vulnerability are increasingly being identified within web applications, with the exception of input validation weaknesses
  • Cross-Site Scripting affected two thirds of applications in 2011
  • SQL Injection affected nearly one in five applications in 2011
  • In general, the relative proportions of the issues identified in 2010 and in 2011 remained consistent, indicating that developers continue to make the same mistakes.

© Copyright 2013 Context Information Security