Website security statistics of 2012


Transcript of Website security statistics of 2012

Page 1: Website security statistics of 2012


Web Application Vulnerability Statistics of 2012

Page 2: Website security statistics of 2012


Background

• iViZ – Cloud based Application Penetration Testing

• Zero False Positive Guarantee

• Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage

• Funded by IDG Ventures

• 30+ Zero Day Vulnerabilities discovered

• 10+ Recognitions from Analysts and Industry

• 300+ Customers

Page 3: Website security statistics of 2012


Research Methodology

• Application security data collection

• 300+ Customers

• 5,000 + Application Security Tests

• 25% of apps from Asia, 40% from the USA and 25% from Europe

Page 4: Website security statistics of 2012


Key Findings

• 99% of the apps tested had at least one vulnerability

• 82% of the web applications had at least one High/Critical vulnerability

• 90% of hacking incidents never become known to the public

• Very low correlation between security and compliance (correlation coefficient: 0.2)

• Average number of vulnerabilities per website: 35

• 30% of the hacked organizations knew beforehand about the vulnerability they were hacked through

• #1 vulnerability: Cross-site scripting (61%)

• #1 secure vertical: Banking

• #1 vulnerable vertical: Retail

Page 5: Website security statistics of 2012


Average number of Vulnerabilities

Page 6: Website security statistics of 2012


Top 5 Application Flaws

Percentage of websites containing the “Type of Vulnerability”

Page 7: Website security statistics of 2012


5 Common Business Logic Flaws

• Weak password recovery

• Abusing discount logic/coupons

• Denial of service using business logic

• Price manipulation during a transaction

• Insufficient server-side validation (one-time password (OTP) bypass)
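Three of the flaws in that list (price manipulation, coupon abuse and insufficient server-side validation) usually share one root cause: the server trusts values the client sent for something the server already knows. The following is an added example written for this transcript, not code from iViZ or from any tested application. It shows a checkout handler that trusts the client-supplied price and stacks coupons, beside a hardened version that prices from its own catalog, caps quantities and redeems each coupon once per account. The catalog, coupon table, account name and request payloads are all constructed for the example.

```python
"""Business-logic flaw demo: price manipulation and coupon abuse in a
checkout handler, with a hardened counterpart. Everything here (catalog,
coupons, accounts, requests) is constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {"sku-100": 49.99, "sku-200": 120.00}

# Constructed coupon table: code -> discount fraction.
COUPONS = {"SAVE10": 0.10, "HALF": 0.50}


class CheckoutError(ValueError):
    """Raised when a request fails server-side validation."""


def vulnerable_checkout(request: dict) -> float:
    """Flawed: uses the price field the client sent and re-applies every
    coupon code the client lists, so a tampered request sets its own total."""
    total = 0.0
    for item in request["items"]:
        total += item["price"] * item["qty"]      # price chosen by the client
    for code in request.get("coupons", []):
        total -= total * COUPONS.get(code, 0)     # same coupon can be stacked
    return round(total, 2)


@dataclass
class CouponLedger:
    """Records which coupon codes each account has already redeemed."""
    redeemed: Dict[str, Set[str]] = field(default_factory=dict)

    def redeem(self, account: str, code: str) -> None:
        used = self.redeemed.setdefault(account, set())
        if code in used:
            raise CheckoutError(f"coupon {code} already redeemed")
        used.add(code)


def hardened_checkout(request: dict, ledger: CouponLedger) -> float:
    """Hardened: ignores any client price, validates SKU and quantity against
    the catalog, allows one coupon per order and one redemption per account."""
    total = 0.0
    for item in request["items"]:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty < 1 or qty > 10:
            raise CheckoutError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty               # server-side price only
    coupons = request.get("coupons", [])
    if len(coupons) > 1:
        raise CheckoutError("only one coupon per order")
    if coupons:
        code = coupons[0]
        if code not in COUPONS:
            raise CheckoutError(f"unknown coupon {code}")
        ledger.redeem(request["account"], code)   # single use per account
        total -= total * COUPONS[code]
    if total <= 0:
        raise CheckoutError("order total must be positive")
    return round(total, 2)


def validation_error(request: dict, ledger: CouponLedger) -> str:
    """Returns the rejection reason for a request, or '' if it is accepted."""
    try:
        hardened_checkout(request, ledger)
        return ""
    except CheckoutError as exc:
        return str(exc)


# Constructed tampered request: client-set unit price of 1.00 for a 120.00
# item, and the same 50% coupon listed three times.
TAMPERED = {
    "account": "alice",
    "items": [{"sku": "sku-200", "qty": 2, "price": 1.00}],
    "coupons": ["HALF", "HALF", "HALF"],
}

# Constructed honest request for the same basket with one coupon.
HONEST = {
    "account": "alice",
    "items": [{"sku": "sku-200", "qty": 2}],
    "coupons": ["HALF"],
}

if __name__ == "__main__":
    print("vulnerable total for tampered request:", vulnerable_checkout(TAMPERED))
    ledger = CouponLedger()
    print("hardened total for honest request:", hardened_checkout(HONEST, ledger))
    print("hardened rejects tampered request:", validation_error(TAMPERED, ledger))
    print("hardened rejects coupon reuse:", validation_error(HONEST, ledger))
```

The tampered request charges 0.25 through the flawed handler and is rejected by the hardened one before any coupon is consumed; a second honest order from the same account is refused because the coupon was already redeemed. The quantity cap is the same pattern applied to the "denial of service using business logic" item: any client-controlled number that drives server work gets a server-side bound.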

Page 8: Website security statistics of 2012


Which are the most vulnerable Industry Verticals?

Average number of vulnerabilities per application

Page 9: Website security statistics of 2012


Application Security Posture by Geography

Average number of vulnerabilities per application

Page 10: Website security statistics of 2012


Thank You!!

For more Information please visit

www.ivizsecurity.com