[Owasp-leaders] Stats Stats Stats

Tom Brennan - OWASP tomb at owasp.org
Thu Dec 11 15:14:07 EST 2008

If you're like me, you love to see measurable data that can point out obvious
trends and measurements/milestones of what is real and what is "FUD".

Glad to see this finally get released today and wanted to share a summary of
the stats information.


Data Overview
- 877 total websites
- Vast majority of websites assessed for vulnerabilities weekly
- Vulnerabilities classified according to WASC Threat Classification
- Vulnerability severity naming convention aligns with PCI-DSS
- Obtained between January 1, 2006 and December 1, 2008

Key Findings
- Total identified vulnerabilities (open & closed): 14,718
- Current open vulnerabilities: 5,283 (64% resolved)
- Historically, 82% of assessed websites have had at least one issue of
- 63% of assessed websites currently have issues of HIGH, CRITICAL, or
URGENT severity
- Historically, websites average 17 vulnerabilities identified during the
lifetime of the assessment cycle
- Websites currently average 6 open vulnerabilities
- Cross-Site Request Forgery gained two spots in the Top Ten moving to #8
- Vulnerability time-to-fix metrics are not changing, typically requiring
weeks to months to achieve resolution
- Roughly 50% of the most prevalent Urgent severity issues have been


More info:
y.html and full details about this...

If you have appsec research stats data please share - things you can do:
#1 - Join the OWASP Top 10 2009 Mailing list

#2 - Review the OWASP Top 10 2009 Project and get involved
https://www.owasp.org/index.php/OWASP_Working_Session_Top_10_2009 on the
data collection.

