Fwd: [Full-disclosure] WASC Announcement: 2007 Web Application Securit y Statistics Published

["Paul Ferguson" <fergdawg () netzero net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What really got me in this report reflects the fact that 7.21% of
websites can be SQL-injected automagically.

More funs stuff in the report.

FYI,

- - ferg


[forwarded message]


From: "Valery Marchuk" <tecklord () securitylab ru>
To: <full-disclosure () lists grok org uk>
Date: Mon, 8 Sep 2008 22:43:17 +0300



The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2007. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.


Goals
1. Identify the prevalence and probability of different vulnerability 
classes
2. Compare testing methodologies against what types of vulnerabilities they
   are likely to identify.


The statistics was compiled from web application security assessment 
projects
which were made by the following companies in 2007 (in alphabetic order):


- - Booz Allen Hamilton
- - BT
- - Cenzic with Hailstorm and ClickToSecure
- - dblogic.it
- - HP Application Security Center with WebInspect
- - Positive Technologies with MaxPatrol
- - Veracode with Veracode Security Review
- - WhiteHat Security with WhiteHat Sentinel


The overall statistics includes analysis results of 32,717 sites and
69,476 vulnerabilities of different degrees of severity. The detailed
information can be found here:


http://www.webappsec.org/projects/statistics/


If you represent an organization that performs vulnerability assessments
on websites, particular in those in custom web applications, through a
manual or automated process and would like to participate please let us
know. Please contact Sergey Gordeychik (statistics_at_webappsec.org).


Regards,
- - statistics_at_webappsec.org
http://www.webappsec.org/ The Web Application Security Consortium




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[end]

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIxYR+q1pz9mNUZTMRApx0AJ9CVzynfpmC3xVjtE6lCp3yhBltQACgqMHj
zvLVfuDbqTaJKkSRnUK39Vc=
=wSNX
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.