Thursday, December 11, 2008

Sixth Quarterly Website Security Statistics Report

Since completing my 2008 speaking tour, I had more time to focus on projects back at the office, which is why posts have been a little slow. One particular project, WhiteHat Security’s Sixth Quarterly Website Security Statistics Report (reg required), is now available for download. There is a mountain of data within the pages providing a real-world perspective on Web application security from the hundreds of vulnerability assessments we perform weekly. This report we added more emphasis on separating historical trends from the current state of things. For instance, historically about 8 out of 10 websites have had at least one serious vulnerability, while today 6 out of 10 still do. Time-to-fix metrics are shortening. So progress is being definitely made, but we still have a long way to go. Enjoy!

As always, would love to hear comments about additional metrics we could add.

Data Overview
– 877 total websites
– Vast majority of websites assessed for vulnerabilities weekly
– Vulnerabilities classified according to WASC Threat Classification
– Vulnerability severity naming convention aligns with PCI-DSS
– Obtained between January 1, 2006 and December 1, 2008

Key Findings
– Total identified vulnerabilities (open & closed): 14,718
– Current open vulnerabilities: 5,283 (64% resolved)
– Historically, 82% of assessed websites have had at least one issue of HIGH, CRITICAL, or URGENT severity
– 63% of assessed websites currently have issues of HIGH, CRITICAL, or URGENT severity
– Historically, websites average 17 vulnerabilities identified during the lifetime of the assessment cycle
– Websites currently average 6 open vulnerabilities
– Cross-Site Request Forgery gained two spots in the Top Ten moving to #8
– Vulnerability time-to-fix metrics are not changing, typically requiring weeks to months to achieve resolution
– Roughly 50% of the most prevalent Urgent severity issues have been resolved


Anonymous said...

WOW! not just clickjacking ;)

Jeremiah Grossman said...

Cute. :)