Web Application Vulnerability Statistics 2013
Jan Tudor whitepapers@contextis.co.uk June 2013
Context Information Security
Research. Response. Assurance
www.contextis.com
1 / 37
White paper/ Web Application Vulnerability Statistics 2013
Contents
Abstract  3
Findings Summary  4
Sector Analysis  6
  Overview by Year  6
  Average Vulnerabilities Analysis  8
  Advertising & Media  8
  Financial Services (Europe)  9
  Healthcare  10
  Insurance & Law  11
  Technology & Telecommunications  12
  UK Government  14
  Other Sectors  15
Vulnerability Category Analysis  16
  Authentication  16
  Authorisation  17
  Encryption  17
  Information Leakage  18
  Input Validation  19
    Cross-site Scripting (XSS)  20
    Other input  22
  Server Configuration  22
  Session Management  23
  OWASP Top10  24
Conclusion  25
Dataset Restrictions  27
About Context Assurance  28
About Context  28
Works Cited  29
Glossary of Terms  30
Abstract
Over the past three years Context has gathered statistics from a range of IT security activities and consultancy engagements. One of the most common activities performed during this period has been web application penetration testing. This whitepaper will provide a unique insight into the state of web application security, presenting penetration test analysis drawn from a dataset containing nearly 12,000 confirmed vulnerabilities, found in almost 900 prerelease and production web applications during the period between January 2010 and December 2012. This dataset has been generated using the output from manually-guided penetration tests, not automated vulnerability scanners. The fact that all vulnerabilities have been identified and confirmed manually means the dataset provides a credible and high-quality resource that can be used to review the current state of web application security. In this whitepaper we present analysis