
It is known that security vulnerabilities are common on the web: many web sites are vulnerable. Is there any data on what fraction of web sites are vulnerable, and what fraction are secure?

AviD
D.W.
  • By vulnerable you mean vulnerable to a known issue? Else you get close to 100%. – CodesInChaos Mar 14 '12 at 14:19
  • @CodeInChaos, hmm, I think both versions of the question are interesting. I was thinking "vulnerable in any way whatsoever", so if you have statistics or data to show that this is close to 100%, and how close, I'd definitely be interested. But if you have stats on "vulnerable to known issues", that'd be interesting, too. – D.W. Mar 14 '12 at 18:43

3 Answers


The most recent study I've seen was back in 2008 by the Web Application Security Consortium [webappsec.org]. The study was compiled from the results of eight separate security assessment projects and had a total sample size of 12186 web applications made up from various industries. The study makes for a very interesting read, but I'll summarize a few of the key points for you here:

  • There were 97554 detected vulnerabilities of different risk levels.
  • More than 13% of all reviewed sites can be compromised completely automatically.
  • About 49% of web applications contain vulnerabilities of high risk level (Urgent and Critical) detected during automatic scanning.
  • At least 88% of web sites have a serious vulnerability (ranked Urgent, Critical, or High by the PCI-DSS standard).
  • 99% of web applications are not compliant with PCI DSS standard.

Keep in mind these figures are about four years old, and four in internet years is a lifetime (in other words: take them with a grain of salt). That being said, I very much doubt any significant change was made to the percentage of vulnerable sites.

On a slightly related note, if you are interested in other security related statistics, there are two good sites that release reports on a slightly more frequent basis.

D.W.
Moses

WhiteHat Security's 2011 annual report has some detailed statistics on the web sites they monitor, and what fraction of them are vulnerable.

Here are some highlights:

  • 84% of web sites were vulnerable for at least 30 days out of 2010. (In other words, count the number of days in 2010 when the web site had at least one serious vulnerability. For 84% of web sites, this number was 30 days or more.) 44% were vulnerable for every day in 2010.

  • About half of banking sites were vulnerable for at least 30 days of 2010. 16% were vulnerable for every day in 2010.

  • Most other sectors were comparable to the overall rate for all websites. In other words, banking sites are the exception; everyone else is pretty similar.

  • The average website had a total of 230 serious vulnerabilities at one point or another in 2010. The average banking web site had a total of 30 serious vulnerabilities in 2010.

  • Of the vulnerabilities that have been fixed, the median time to fix them is about 116 days (taken over all websites). (The corresponding number for banking sites is 13 days.) However, many of the vulnerabilities have not been fixed, so these numbers probably underestimate the true time-to-fix.

The report defines a serious vulnerability as one that would be classified as High, Critical, or Urgent severity by the PCI-DSS standard.

So it sounds like something in the ballpark of 80% of web sites are vulnerable to various attacks.

D.W.

Veracode released some data on the web applications they've analyzed. Here are some highlights.

On compliance with OWASP standards, which say that your application should not have any vulnerability in the OWASP top 10 (see Figure 24):

  • 16% of government web applications have no detected vulnerability in the OWASP top 10
  • 24% of finance industry web applications have no detected vulnerability in the OWASP top 10
  • 28% of commercial web applications have no detected vulnerability in the OWASP top 10

(Footnote: This is for the first submission of the application to their service.)

On compliance with SANS standards, which require that you don't have any vulnerability on the SANS top 25 list (see Figure 25):

  • 18% of government web applications have no detected vulnerability in the SANS top 25
  • 28% of finance industry web applications have no detected vulnerability in the SANS top 25
  • 34% of commercial web applications have no detected vulnerability in the SANS top 25

The methodology is not clear from the web site. It is not clear how many of the non-compliant web applications are vulnerable (or, for that matter, how many of the compliant web apps are vulnerable).

They also report statistics on the prevalence of various vulnerabilities, in the web applications they have analyzed (see Table 7):

  • 75% of government web applications were vulnerable to XSS
  • 67% of finance industry web applications were vulnerable to XSS
  • 55% of commercial web applications were vulnerable to XSS

and

  • 40% of government web applications were vulnerable to SQL injection
  • 29% of finance industry web applications were vulnerable to SQL injection
  • 30% of commercial web applications were vulnerable to SQL injection

In short, it appears that something like at least 80% of web applications are vulnerable, according to their stats.

D.W.