Website security statistics of 2012
Transcript of Website security statistics of 2012
Web Application Vulnerability Statistics of 2012
Background
• iViZ – Cloud based Application Penetration Testing
• Zero False Positive Guarantee
• Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers
Research Methodology
• Application security data collection
• 300+ Customers
• 5,000+ Application Security Tests
• 25% of apps from Asia, 40% from the USA and 25% from Europe
Key Findings
• 99% of the apps tested had at least 1 vulnerability
• 82% of the web applications had at least 1 High/Critical vulnerability
• 90% of hacking incidents never become known to the public
• Very low correlation between security and compliance (correlation coefficient: 0.2)
• Average number of vulnerabilities per website: 35
• 30% of the hacked organizations knew about the vulnerability (through which they were hacked) beforehand
• #1 Vulnerability: Cross-site scripting (61%)
• #1 Secure vertical: Banking
• #1 Vulnerable vertical: Retail
Average number of Vulnerabilities
Top 5 Application Flaws
Percentage of websites containing the “Type of Vulnerability”
5 Common Business Logic Flaws
• Weak Password recovery
• Abusing Discount Logic/Coupons
• Denial of Service using Business Logic
• Price Manipulation during Transaction
• Insufficient server-side validation (e.g. One Time Password (OTP) bypass)
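Two of the flaws in the list above (price manipulation/coupon abuse, and an OTP check that relies on the client) as the client-trusting handler beside its server-side-validated form. This is an added illustration for this page, not code from the iViZ deck; the catalog, coupon table, OTP store and request dicts are constructed for a hypothetical shop, and a real application would read that state from its database and session store.

```python
"""Business logic flaws: trusting client-supplied values versus
recomputing and validating them on the server.

Added illustration, not code from the iViZ deck. CATALOG, COUPONS and
OTP_STORE are constructed server-side state for a hypothetical shop."""
import hmac
from dataclasses import dataclass, field

CATALOG = {"sku-1001": 4999, "sku-2002": 1500}          # price in cents
COUPONS = {"SAVE10": 10}                                 # percent off, once per order
OTP_STORE = {"alice": {"otp": "482913", "attempts": 0}}  # constructed session state
MAX_OTP_ATTEMPTS = 5


@dataclass
class Order:
    total_cents: int
    coupons_used: list = field(default_factory=list)


def checkout_vulnerable(request: dict) -> Order:
    """Price manipulation / coupon abuse: price and coupon list are taken
    straight from the POST body, so an intercepting proxy can set the price
    to 1 cent or repeat a single-use coupon."""
    total = 0
    for item in request["items"]:
        total += item["price"] * item["qty"]          # client-supplied price
    for code in request.get("coupons", []):
        total -= total * COUPONS.get(code, 0) // 100  # no once-per-order check
    return Order(max(total, 0), list(request.get("coupons", [])))


def checkout_hardened(request: dict) -> Order:
    """Only SKU, quantity and coupon code are accepted from the client; every
    amount is recomputed from server-side state and coupons are deduplicated.
    Any client-supplied 'price' field is simply ignored."""
    total = 0
    for item in request["items"]:
        sku, qty = item["sku"], int(item["qty"])
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if not 1 <= qty <= 100:
            raise ValueError("quantity out of range")
        total += CATALOG[sku] * qty
    applied = []
    for code in request.get("coupons", []):
        if code not in COUPONS:
            raise ValueError(f"invalid coupon {code!r}")
        if code in applied:
            raise ValueError(f"coupon {code!r} already applied")
        applied.append(code)
        total -= total * COUPONS[code] // 100
    return Order(total, applied)


def otp_check_vulnerable(user: str, request: dict) -> bool:
    """Insufficient server-side validation: the server trusts a flag that
    client-side JavaScript set after doing the OTP comparison itself."""
    return request.get("otp_verified") == "true"


def otp_check_hardened(user: str, request: dict) -> bool:
    """The server compares the submitted code against the one it issued,
    in constant time, counts failures, and consumes the code on success so
    it cannot be replayed."""
    state = OTP_STORE.get(user)
    if state is None or state["attempts"] >= MAX_OTP_ATTEMPTS:
        return False
    submitted = str(request.get("otp", ""))
    if hmac.compare_digest(submitted, state["otp"]):
        del OTP_STORE[user]          # one-time code: gone once used
        return True
    state["attempts"] += 1
    return False


if __name__ == "__main__":
    tampered = {"items": [{"sku": "sku-1001", "qty": 1, "price": 1}],
                "coupons": ["SAVE10", "SAVE10"]}
    print("vulnerable total:", checkout_vulnerable(tampered).total_cents)
    try:
        checkout_hardened(tampered)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("flag only:", otp_check_vulnerable("alice", {"otp_verified": "true"}),
          otp_check_hardened("alice", {"otp_verified": "true"}))
```

The pattern in both hardened handlers is the same: the client may name things (a SKU, a coupon code, the digits it typed) but never supply a result (a price, a discount, a "verified" flag); every result is derived on the server from state the client cannot edit.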
Which are the most vulnerable Industry Verticals?
Average number of Vulnerabilities per Application
Application Security Posture by Geography
Average number of Vulnerabilities per Application