Webappsec Stats
I know this isn’t new, but believe it or not I am finally catching up on some of my really old mail. I ran across the webappsec stats page today, and I thought I’d throw in my two cents, for what it’s worth. Honestly, these numbers, while extremely interesting, are only based on what we already know, not on what we don’t know. Seems like a dumb thing to say, but with every new vulnerability we discover, we increase the number of potential issues in websites.
Secondly, and more interestingly, I noticed that XSS has actually increased in the numbers reported. Previously the scanning companies were saying 70%; now they are at 85% (which is actually higher than what I’ve found, but I believe it, since I hardly check every link and every parameter when I do manual assessments). But I think it’s safe to say it is well above 70% and probably closer to 80-90%, as that jibes with what I’ve seen (again, I can only comment on what I’ve found, and not on what I didn’t find).
The other thing that was interesting is that nowhere was there a point in the stats that covered how many sites were vulnerable. Clearly at least 85% are vulnerable, but it doesn’t say how many total are vulnerable to any type of vulnerability listed. I would love to get that number as an aggregate score to know the health of the types of people who are proactive enough to ask companies to help them with their security. It’s a sad statement either way, but it’s an important point to make about where we are with the current security landscape.
April 15th, 2007 at 10:32 pm
While they don’t say how many of the sites are vulnerable, they do tell you “Total Sites Tested - 31,373”, so in the case of XSS, where 85% of the sites are vulnerable, that would be around 26,667 of them.
–thrill
April 15th, 2007 at 11:40 pm
More interesting to me though is what the stats *don’t* show. Look at Authorization, Authentication, Session Expiration, and Predictable Resource Location - all of them less than 0.5%. Rather than these vulnerabilities not being discovered in webapps, it shows that the scanners just simply can’t find these types of vulns. In my experience, these appear much more frequently than the stats show.
Therefore, I would have to believe that XSS and SQL injection are heavily favored in the stats and “in the real world” it’s probably not quite right - I wouldn’t say orders of magnitude off, but certainly you can’t just look at these stats and say “that’s the current lie of the land”.
April 15th, 2007 at 11:50 pm
The project group is also seeking consultants to provide data to these statistics (contact the project lead if you are qualified/interested). This is the first round of stats based on 4 companies and they want to grow it and have it become a living document.
April 16th, 2007 at 12:21 pm
Zeno - Thanks for pointing out that we are indeed looking to grow this project to build stats that are increasingly valuable over time. Companies involved in web application vulnerability scanning should contact statistics@webappsec.org if they’re interested in participating. Scanners will never be perfect and statistics will never tell the whole story but we do need metrics to better understand the type and volume of vulnerabilities that we’re seeing, especially in custom web applications.
Michael Sutton
Project Lead
WASC Web Application Security Statistics Project