From time to time, it is useful for a consulting company like ours to stop, look back and think about what has been done in the last few years. This is important because:
- the company can identify the categories where internal skills need to be improved;
- the company is able to know in advance which areas are more flawed for specific customers.
For this reason, we collected all our reports from 2010 until 2012 and performed a statistical analysis that, in conjunction with other contributors' results, will help the new OWASP Top Ten to better fit these times and to keep track of differences from previous versions.
We started the analysis by splitting vulnerabilities in two main categories:
- Web Application Penetration Test (WAPT)
- Secure Code Review (SCR).
[Figure: SCR vulnerabilities percentage]
[Figure: WAPT vulnerabilities percentage]
We think this can help to understand how the results presented in the OWASP Top Ten 2013 were obtained. It is also an overview of what we find during our consulting assessments.
Finally, to make these data more expressive, here they are grouped by testing category (as described in the OWASP Testing Guide), so that the areas that are more frequently vulnerable can be identified:
[Figure: SCR areas of analysis percentage]
[Figure: WAPT areas of analysis percentage]