WASC has published its web application security statistics for 2008.
This is a very interesting project and discloses the most serious errors and issues found in 2008. If more companies supported this project, the figures would be even more accurate. Here at N-Stalker, based on our Scanner Service in SaaS mode ( http://www.redesegura.com.br ), we intend to release, by the end of this year, statistics covering failures found in current customers in the local market, as well as completed PoCs.
In summary, the following has been published:
12,186 applications were analyzed and 97,554 vulnerabilities were detected at different severity levels. What draws one's attention is that 13% of sites can be completely and automatically compromised**, which shows total carelessness towards system security. Almost half (49%) of the analyzed applications contain highly critical flaws detected during the automatic scanning routine.
** Web applications with Brute Force Attack, Buffer Overflow, OS Commanding, Path Traversal, Remote File Inclusion, SSI Injection, Session Fixation, SQL Injection, Insufficient Authentication or Insufficient Authorization vulnerabilities detected by automatic scanning.
- The most common flaws found are: Cross-site Scripting (XSS), different forms of information leakage, SQL Injection and HTTP Response Splitting.
- 99% of applications are not fully compliant with PCI DSS standards.
- In comparison with 2007, SQL Injection and Cross-Site Scripting vulnerabilities have diminished. On the other hand, information leakage has grown significantly (24%) and the percentage of targets that can be automatically compromised has increased from 7% to 13%.
Below are some charts of reported flaws:
Complete statistics at: http://projects.webappsec.org/Web-Application-Security-Statistics
Keep your eyes on the national web statistics to be released soon.
N-Stalker Team