[Owasp-singapore] [Fwd: [Owasp-leaders] Stats Stats Stats]

Wong Onn Chee ocwong at usa.net
Fri Dec 12 02:54:44 EST 2008


FYI

-------- Original Message --------
Subject: 	[Owasp-leaders] Stats Stats Stats
Date: 	Thu, 11 Dec 2008 15:14:07 -0500
From: 	Tom Brennan - OWASP <tomb at owasp.org>
To: 	Owasp-Leaders at Lists.Owasp <owasp-leaders at lists.owasp.org>



If you're like me, you love to see measurable data that can point out obvious
trends and measurements/milestones of what is real and what is "FUD".

Glad to see this finally get released today and wanted to share a summary of
the stats information.

===snip===

Data Overview
- 877 total websites
- Vast majority of websites assessed for vulnerabilities weekly
- Vulnerabilities classified according to WASC Threat Classification
- Vulnerability severity naming convention aligns with PCI-DSS
- Obtained between January 1, 2006 and December 1, 2008

Key Findings
- Total identified vulnerabilities (open & closed): 14,718
- Current open vulnerabilities: 5,283 (64% resolved)
- Historically, 82% of assessed websites have had at least one issue of
HIGH, CRITICAL, or URGENT severity
- 63% of assessed websites currently have issues of HIGH, CRITICAL, or
URGENT severity
- Historically, websites average 17 vulnerabilities identified during the
lifetime of the assessment cycle
- Websites currently average 6 open vulnerabilities
- Cross-Site Request Forgery gained two spots in the Top Ten moving to #8
- Vulnerability time-to-fix metrics are not changing, typically requiring
weeks to months to achieve resolution
- Roughly 50% of the most prevalent Urgent severity issues have been
resolved 

===snip===

More info:
http://jeremiahgrossman.blogspot.com/2008/12/sixth-quarterly-website-security.html and full details about this...

If you have appsec research stats data please share - things you can do:
 
#1 - Join the OWASP Top 10 2009 Mailing list
https://lists.owasp.org/mailman/listinfo/owasp-topten

#2 - Review the OWASP Top 10 2009 Project and get involved
https://www.owasp.org/index.php/OWASP_Working_Session_Top_10_2009 on the
data collection.

-Brennan




_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
