Contributors

Sergey Gordeychik*
Jeremiah Grossman
Mandeep Khera

*Project Leader



Purpose

The Web Application Security Consortium (WASC) is pleased to announce the launch of the WASC Web Application Security Statistics Project. This initiative is a collaborative, industry-wide effort to pool sanitized website vulnerability data and gain a better understanding of the web application vulnerability landscape. We are ascertaining which classes of attack are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by the MITRE CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project seeks to be the equivalent for custom web applications.

Goals

  1. Identify the prevalence and probability of different vulnerability classes (WASC TOP 10)
  2. Compare testing methodologies against what types of vulnerabilities they are likely to identify.

First Round

This initial round of statistics was compiled from data provided by four vendors: WhiteHat Security, SPI Dynamics, Positive Technologies and Cenzic. We would like to thank all of the initial contributors for their participation. Our goal is to have the project grow over time with data from an increasing number of sources, as this will improve the overall quality of the data. Statistical biases will be lessened as more entities contribute to the initiative, so we would encourage vendors engaged in web application scanning work to contact us if they are interested in participating in the project.

Methodology

Statistics have been compiled from past web application security engagements using automated scanning technologies. Various scanning tools have been used including WhiteHat Sentinel, SPI Dynamics WebInspect, Positive Technologies MaxPatrol and Cenzic Hailstorm. Identified vulnerabilities for all scanning technologies have been aggregated using the Web Security Threat Classification as a baseline.

The data includes a combination of raw scan results and results that have been manually validated to remove false positives. The statistics do not include the results of any purely manual security audits (aka human assessments). With reference to the 'Vulnerability Stack' shown below, the focus of the automated scanning engagements from which the data is derived is primarily to uncover vulnerabilities in the 'Custom Web Applications' layer. However, the scanning tools used for these engagements will also identify vulnerabilities at the 'Third-Party Web Applications' and 'Web Server' layers. Therefore, these statistics reflect vulnerabilities in the top three layers of the Vulnerability Stack.

Vulnerability Stack (figure not reproduced; the top three layers referred to above are Custom Web Applications, Third-Party Web Applications and Web Server)

2006 Statistics (January 1 - December 31)

Total Sites Tested - 31,373

Threat Classification              No. of Vulns   Vuln. %   No. of Sites   % of Sites
Brute Force                                  66     0.04%             66        0.21%
Content Spoofing                            663     0.45%            218        0.69%
Cross Site Scripting                    100,059    67.59%         26,531       84.57%
Directory Indexing                          292     0.20%            168        0.54%
HTTP Response Splitting                   4,487     3.03%          3,062        9.76%
Information Leakage                      20,518    13.86%          4,924       15.70%
Insufficient Authentication                  84     0.06%              1        0.00%
Insufficient Authorization                   23     0.02%              4        0.01%
Insufficient Session Expiration              46     0.03%              1        0.00%
OS Commanding                               143     0.10%             44        0.14%
Path Traversal                              426     0.29%            374        1.19%
Predictable Resource Location               651     0.44%            173        0.55%
SQL Injection                            19,607    13.25%          8,277       26.38%
SSI Injection                               950     0.64%            298        0.95%
XPath Injection                              14     0.01%              6        0.02%
Total                                   148,029   100.00%         44,147

"Vuln. %" is each class's share of the 148,029 vulnerabilities found. "% of Sites" is the share of the 31,373 sites tested on which at least one vulnerability of that class was found (for example, 26,531 / 31,373 = 84.57% for Cross Site Scripting). A site vulnerable to more than one class is counted in each applicable row, so the "No. of Sites" column sums to 44,147, which is more than the number of sites tested.
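The Methodology section describes mapping each contributor's findings onto Threat Classification classes and combining them; the table above is the output of that aggregation. The Python script below is an added example, not WASC's own tooling, showing one way to perform that aggregation from sanitized per-finding records and then recompute the two percentage columns of the published 2006 table from its counts as a consistency check. The record layout (vendor, opaque site identifier, class) and the sample findings are constructed assumptions; the page does not describe the actual submission format.

```python
"""Added example (not WASC's own tooling): aggregate sanitized scan findings
into the layout of the statistics table and sanity-check the published 2006
figures against their own totals.

Assumed input format for contributed data: one record per finding,
(vendor, opaque site identifier, WASC Threat Classification class). The page
does not state the real format; the sample records below are constructed.
"""
from collections import defaultdict

# Constructed sample. The same opaque site id reported by two vendors is
# treated as one site (assumption: ids are comparable across contributors).
SAMPLE_FINDINGS = [
    ("vendorA", "site-001", "Cross Site Scripting"),
    ("vendorA", "site-001", "Cross Site Scripting"),  # second XSS on the same site
    ("vendorA", "site-001", "SQL Injection"),
    ("vendorA", "site-002", "Information Leakage"),
    ("vendorB", "site-002", "Cross Site Scripting"),
    ("vendorB", "site-003", "SQL Injection"),
    ("vendorB", "site-004", "Cross Site Scripting"),
]
SAMPLE_SITES_TESTED = 5  # site-005 was scanned and had no findings


def aggregate(findings, sites_tested):
    """Build rows of (vulns, vuln %, sites, % of sites tested) per class.

    Vuln % is the class's share of all findings; site % is the share of all
    sites tested. Sites are deduplicated per class, so the site column is not
    additive across classes: a site with XSS and SQLi counts once in each row.
    Returns (rows, total findings, sum of the site column).
    """
    vulns = defaultdict(int)
    sites = defaultdict(set)
    for _vendor, site_id, wasc_class in findings:
        vulns[wasc_class] += 1
        sites[wasc_class].add(site_id)
    total_vulns = sum(vulns.values())
    rows = {}
    for cls in sorted(vulns):
        n_v, n_s = vulns[cls], len(sites[cls])
        rows[cls] = (n_v, round(100.0 * n_v / total_vulns, 2),
                     n_s, round(100.0 * n_s / sites_tested, 2))
    return rows, total_vulns, sum(len(s) for s in sites.values())


# Figures as published in the 2006 table: (vulns, vuln %, sites, % of sites).
PUBLISHED_2006 = {
    "Brute Force": (66, 0.04, 66, 0.21),
    "Content Spoofing": (663, 0.45, 218, 0.69),
    "Cross Site Scripting": (100059, 67.59, 26531, 84.57),
    "Directory Indexing": (292, 0.20, 168, 0.54),
    "HTTP Response Splitting": (4487, 3.03, 3062, 9.76),
    "Information Leakage": (20518, 13.86, 4924, 15.70),
    "Insufficient Authentication": (84, 0.06, 1, 0.00),
    "Insufficient Authorization": (23, 0.02, 4, 0.01),
    "Insufficient Session Expiration": (46, 0.03, 1, 0.00),
    "OS Commanding": (143, 0.10, 44, 0.14),
    "Path Traversal": (426, 0.29, 374, 1.19),
    "Predictable Resource Location": (651, 0.44, 173, 0.55),
    "SQL Injection": (19607, 13.25, 8277, 26.38),
    "SSI Injection": (950, 0.64, 298, 0.95),
    "XPath Injection": (14, 0.01, 6, 0.02),
}
SITES_TESTED_2006 = 31373


def check_published(table, sites_tested):
    """Recompute both percentage columns from the raw counts.

    Returns (total vulns, sum of the site column, list of rows whose
    published percentages differ from the recomputed ones).
    """
    total_vulns = sum(r[0] for r in table.values())
    total_site_rows = sum(r[2] for r in table.values())
    mismatches = []
    for cls, (n_v, v_pct, n_s, s_pct) in table.items():
        got = (round(100.0 * n_v / total_vulns, 2),
               round(100.0 * n_s / sites_tested, 2))
        if got != (v_pct, s_pct):
            mismatches.append((cls, got, (v_pct, s_pct)))
    return total_vulns, total_site_rows, mismatches


if __name__ == "__main__":
    rows, total, site_rows = aggregate(SAMPLE_FINDINGS, SAMPLE_SITES_TESTED)
    for cls, r in rows.items():
        print(f"{cls:32} {r[0]:>4} {r[1]:>6.2f}% {r[2]:>3} {r[3]:>6.2f}%")
    print(f"{'Total':32} {total:>4} {'':8} {site_rows:>3}  "
          f"(sites tested: {SAMPLE_SITES_TESTED})")
    print(check_published(PUBLISHED_2006, SITES_TESTED_2006))
```

Run stand-alone, the script prints the sample aggregation (7 findings, a site column that sums to 6 against 5 sites tested) and then (148029, 44147, []) for the published table: the counts add up to the stated totals, every percentage recomputes to the printed value, and the site column exceeds the 31,373 sites tested because a site vulnerable to several classes appears in several rows.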

Graphs (figures not reproduced)

  - Percentage of Websites Vulnerable by Class
  - Most Common Vulnerabilities by Class

Contributors

WASC would like to thank the following organizations for making this initiative possible. Each organization is responsible for contributing sanitized data from automated web application scanning which was then combined to produce aggregated statistics.

Participation

If you represent an organization that performs vulnerability assessments on websites, particularly on custom web applications, through a manual or automated process and would like to participate, please let us know. Once statistics are compiled, a report will be distributed, and all contributors will receive a logo on the project pages as well as on other deliverables in appreciation of their contribution. Please contact Sergey Gordeychik. Statistics will be collected twice annually, one week after June 30 and December 31.






© Copyright 2005, Web Application Security Consortium. All rights reserved.