Last Thurdsay I attended a  Webminar on Web Application Security presented by WhiteHat Security Founder and CTO , Jeremiah Grossman.

The presentation showed statistical data gathered by Whitehat’s specialized vulnerability assessment system during Jan.1 2006 and March 31 2007. Hundreds of websites have been scanned during this time and the "targets" vary from static brochureware websites to complex financial and e-commerce applications.

What I really appreciate about the way this data has been gathered is that scanners actually went inside the core of the applciations unveiling vulnerabilities which are mostly accesible to human users only.

According to Jeremiah’s report the Top 5 Vulnerability Classes which were encountered are :

• Cross Site Scritipting : 65%
• Content Spoofing : 11%
• SQL Injection : 6%
• Predictable Resource Location : 6%
• Information Leakage : 4%

Using the Payment Card Industry Data Security Standardi v (PCI-DSS) severity system (urgent, critical, high, medium,
low) as a baseline, WhiteHat Security ranks vulnerability severity by the potential business impact if the issue were to be exploited.

Likelihood of websites having vulnerabilities by severity rating :

• Urgent : 29%
  • SQL Injection, Insuficient Authorization, Directory Traversal 
• Critical : 74%
  • Cross Site Scripting, Insuficient Authentication, Abuse of Functionality
• High : 62%
  • Information Leakage, Content Spoofing, Predictable Resource Location
• Medium : 5%
• Low : 3%

More of this report (free registration)  : WhiteHat Security Web Application Security Risk Report

Share This

If you enjoyed this post, make sure you subscribe to my RSS feed!