Web Application Vulnerability Statistics 2010-2011


Over the past two years Context have been amassing statistics on a range of IT security activities, based on the output of real-world IT security consultation engagements. One of the most common activities performed during this period has been web application penetration testing. This whitepaper provides a unique insight into the state of web application security, presenting penetration test analysis from a dataset containing nearly eight thousand confirmed vulnerabilities found in almost six hundred pre-release web applications between January 2010 and December 2011.


This dataset has been generated using the output from manually guided penetration tests and not through the use of fully automated vulnerability scanners. As all vulnerabilities have been identified and confirmed manually, the dataset provides a credible and high-quality resource with which to review the current state of web application security.

This review represents the first analysis of the dataset and seeks to identify trends currently affecting the security of web applications. The analysis is intended to help the industry improve security by highlighting problem areas and identifying where specific classes of vulnerability are on the increase.


Conclusions

  • On average, the number of issues identified during each web application penetration test increased during the course of 2011

  • Government, Finance, Law and Insurance sectors have seen the largest increases in vulnerabilities identified within their web applications

  • Server misconfiguration and information-leakage vulnerabilities are the most prevalent category of issues identified

  • All categories of vulnerability are increasingly being identified within web applications, with the exception of input validation weaknesses

  • Cross-Site Scripting affected two thirds of applications in 2011

  • SQL Injection affected nearly one in five applications in 2011

  • In general, the proportion of issues identified during 2010 and 2011 remains consistent, indicating that developers continue to make the same mistakes.
