One of the most difficult parts of producing a secure application is simply understanding how difficult such a task is. The magnitude of the problem is so great that all too often even well-educated and experienced engineers produce code with significant vulnerabilities. At the end of August 2008, Government Computer News published an article containing statistics from two reputable security companies. This is a summary of the statistics in the article:
| Description of Statistic | Percentage |
|---|---|
| Unsafe communication practices | 70% |
| Cross-Site Scripting (XSS) vulnerabilities | 60% |
| SQL Injection vulnerabilities | 20% |
| Cross-Site Request Forgery (CSRF) vulnerabilities | 75% |
| One or more security issues | 82% |
| One or more high, critical or urgent security issues according to the PCI DSS | 61% |
| Running unpatched applications that can lead to malicious code injection | >50% ("overwhelming majority") |
| Reported vulnerabilities that have been remediated | 66% |
In summary, while there seems to be a quick response to reported vulnerabilities (66% of all reported vulnerabilities have been corrected), 82% of all sites are known to have security issues, and in 61% of all sites at least one security issue is considered serious. These statistics are likely underestimates, since they are based only on reported or discovered vulnerabilities, and there are certainly unreported and undiscovered vulnerabilities as well.