Wednesday

Report: WhiteHat Website Security Statistics Report

The quarterly WhiteHat Website Security Statistics Report is released.

From Jeremiah Grossman:

This data is also very different from Symantec, Mitre (CVE), IBM (ISS) X-Force, and others who track publicly disclosed vulnerabilities in commercial and open source software products. WhiteHat’s report focuses solely on previously unknown vulnerabilities in custom web applications, code unique to that organization, on real-world websites. The full report is available, and here are some highlights if you want to skim:

Top Ten
1. Cross-Site Scripting (7 out of 10 websites)
2. Information Leakage (5 in 10 websites)
3. Content Spoofing (1 in 4 websites)
4. Predictable Resource Location (PRL) (1 in 4 websites)
5. SQL Injection (1 in 5 websites)
6. Insufficient Authentication (1 in 6 websites)
7. Insufficient Authorization (1 in 6 websites)
8. Abuse of Functionality (1 in 7 websites)
9. Directory Indexing (1 in 20 websites)
10. HTTP Response Splitting (1 in 25 websites)
