[Owasp-singapore] [Fwd: [Owasp-leaders] Stats Stats Stats]

Wong Onn Chee ocwong at usa.net
Fri Dec 12 02:54:44 EST 2008


-------- Original Message --------
Subject: 	[Owasp-leaders] Stats Stats Stats
Date: 	Thu, 11 Dec 2008 15:14:07 -0500
From: 	Tom Brennan - OWASP <tomb at owasp.org>
To: 	Owasp-Leaders at Lists.Owasp <owasp-leaders at lists.owasp.org>

If you're like me, you love to see measurable data that can point out obvious
trends and measurements/milestones of what is real and what is "FUD".

Glad to see this finally get released today and wanted to share a summary of
the stats information.


Data Overview
- 877 total websites
- Vast majority of websites assessed for vulnerabilities weekly
- Vulnerabilities classified according to WASC Threat Classification
- Vulnerability severity naming convention aligns with PCI-DSS
- Obtained between January 1, 2006 and December 1, 2008

Key Findings
- Total identified vulnerabilities (open & closed): 14,718
- Current open vulnerabilities: 5,283 (64% resolved)
- Historically, 82% of assessed websites have had at least one issue of
- 63% of assessed websites currently have issues of HIGH, CRITICAL, or
URGENT severity
- Historically, websites average 17 vulnerabilities identified during the
lifetime of the assessment cycle
- Websites currently average 6 open vulnerabilities
- Cross-Site Request Forgery gained two spots in the Top Ten moving to #8
- Vulnerability time-to-fix metrics are not changing, typically requiring
weeks to months to achieve resolution
- Roughly 50% of the most prevalent Urgent severity issues have been


More info:
y.html and full details about this...

If you have appsec research stats data please share - things you can do:
#1 - Join the OWASP Top 10 2009 Mailing list

#2 - Review the OWASP Top 10 2009 Project and get involved
https://www.owasp.org/index.php/OWASP_Working_Session_Top_10_2009 on the
data collection.


OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
