The security industry, like most of the IT world at large, is awash in statistics. Some reports are straightforward and easy to interpret, while others leave a lot to the imagination. The Web Application Security Consortium Security Statistics report falls into the latter category. On the face of it, the report seems simple enough: a tally of the results of scans run by a number of Web application security scanners against various applications. But, as Chris Eng of Veracode points out in his post on the WASC's report, things get a bit muddy once you look a little deeper.
As might be expected, cross-site scripting flaws account for nearly 70% of all of the vulnerabilities found in the scans. Fair enough; XSS is ubiquitous. But then we see that insufficient authorization problems showed up in just four sites, a total of 23 times. This problem is also quite common in Web applications, and one would expect it to be more prevalent in the scan results. So why the apparent disparity? Eng contends that it results from the limitations and inherent "biases" of Web app scanners (automated tools readily detect injection flaws such as XSS but have no reliable way to judge whether a given user should have been allowed to reach a given resource), so the results are not necessarily indicative of the overall health of Web applications.
Another point to consider is that many attackers looking for ways into Web apps use simplified versions of these same scanners to find common flaws. So while the WASC numbers may not be representative of the state of Web application security, they are likely a good indicator of the classes of vulnerabilities that attackers are targeting.