Every semester, WhiteHat Security publishes its website security statistics report. It provides good insight into the evolution of the landscape. It makes interesting reading, although the data must be treated carefully rather than as ground truth. To be fair, the author clearly highlights this point.


Some of the points that interested me:

  • The number of serious vulnerabilities is decreasing each year. Unfortunately, the deviation is large: some sites present hundreds of serious vulnerabilities, whereas banking sites present only a few (hopefully). Here also, this is a best-case scenario.
  • Number one type of vulnerability: XSS, followed by information leakage. The famous SQL injection appears only in 8th position, but we know how devastating SQL injection can be.
  • In the ranking by type of company, as already said, the banking industry is the best student in the class with only 17 serious vulnerabilities. Interestingly, social networks are not doing a bad job, being at 3rd rank with 31 vulnerabilities.
  • An interesting, and worrying, data point: the vulnerability reopen rate. 20% of the vulnerabilities have been reopened at least once! The more serious the vulnerability, the higher the likelihood of reopening.


If you’re interested in following this type of trend, then read this white paper.

