The document summarizes the findings of an iViZ study that ran over 5,000 security tests on web applications. It found that 99% of the applications had at least one vulnerability, and 82% had at least one high or critical vulnerability. The most common vulnerability was cross-site scripting (found in 61% of applications). The banking vertical had the fewest vulnerabilities per application and retail the most. On average, each application contained 35 vulnerabilities.
Background
• iViZ: cloud-based application penetration testing
• Zero false positive guarantee
• Business logic testing with 100% coverage of WASC (Web Application Security Consortium) threat classes
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers
Research Methodology
• Application security data collection
• 300+ customers
• 5,000+ application security tests
• 25% of apps from Asia, 40% from the USA and 25% from Europe
Key Findings
• 99% of the Apps tested had at least 1 vulnerability
• 82% of the web applications had at least 1 High/Critical vulnerability
• 90% of hacking incidents never become known to the public
• Very low correlation between security and compliance (correlation coefficient: 0.2)
• Average number of vulnerabilities per website: 35
• 30% of the hacked organizations knew about the vulnerability they were hacked through beforehand
• #1 vulnerability: cross-site scripting (61% of apps)
• Most secure vertical: Banking
• Most vulnerable vertical: Retail
Top 5 Application Flaws
[Chart: percentage of websites containing each type of vulnerability]
5 Common Business Logic Flaws
• Weak password recovery
• Abusing discount logic/coupons
• Denial of service using business logic
• Price manipulation during transaction
• Insufficient server-side validation (One Time Password (OTP) bypass)
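Every flaw in that list comes from the server trusting a value the client controls: a price, a coupon count, a quantity, or a flag saying "the OTP was checked". The following Python is an added example, not code from the iViZ report, showing a toy checkout in a deliberately vulnerable form beside a hardened one. The catalogue, coupon table, Session object, quantity bound and 6-digit OTP scheme are all constructed for illustration.

```python
"""Toy checkout showing the business-logic flaws listed above.

Added example, not code from the iViZ report. The catalogue, coupon table,
Session object and 6-digit OTP scheme are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side data: the only source of truth for prices and coupons.
CATALOG = {"sku-100": 4999, "sku-200": 1500}          # prices in cents
COUPONS = {"SAVE10": {"percent": 10, "single_use": True}}
MAX_OTP_ATTEMPTS = 3
MAX_QTY = 100                                          # bounds cart size (business-logic DoS)


@dataclass
class Session:
    user: str
    otp: Optional[str] = None          # OTP issued by the server for this session
    otp_attempts: int = 0
    coupons_used: set = field(default_factory=set)


def issue_otp(session: Session) -> str:
    """Generate a fresh OTP and reset the attempt counter. A real system sends this
    out of band (SMS, authenticator app); it is returned here only so the demo runs."""
    session.otp = f"{secrets.randbelow(10**6):06d}"
    session.otp_attempts = 0
    return session.otp


def verify_otp(session: Session, submitted: str) -> bool:
    """Server-side OTP check: rate limited, constant-time compare, single use."""
    if session.otp is None or session.otp_attempts >= MAX_OTP_ATTEMPTS:
        return False
    session.otp_attempts += 1
    ok = hmac.compare_digest(session.otp, str(submitted))
    if ok:
        session.otp = None             # burn the code so it cannot be replayed
    return ok


def vulnerable_checkout(session: Session, order: dict) -> int:
    """Trusts the order exactly as the browser sent it. Every field is attacker-controlled:
    'price' (price manipulation), repeated coupons (discount abuse) and the
    'otp_verified' flag (OTP bypass: the client asserts that the check passed)."""
    total = sum(item["price"] * item["qty"] for item in order["items"])
    for code in order.get("coupons", []):
        total -= total * COUPONS.get(code, {"percent": 0})["percent"] // 100
    if not order.get("otp_verified"):
        raise PermissionError("otp required")
    return max(total, 0)


def hardened_checkout(session: Session, order: dict, submitted_otp: str) -> int:
    """Re-derives everything from server state; client-supplied prices and flags are ignored."""
    total = 0
    for item in order["items"]:
        qty = int(item["qty"])
        if item["sku"] not in CATALOG or not 1 <= qty <= MAX_QTY:   # no negative or absurd quantities
            raise ValueError("invalid line item")
        total += CATALOG[item["sku"]] * qty                         # price from the catalogue only
    codes = order.get("coupons", [])
    if len(codes) > 1:                                              # no coupon stacking
        raise ValueError("only one coupon per order")
    for code in codes:
        rule = COUPONS.get(code)
        if rule is None or (rule["single_use"] and code in session.coupons_used):
            raise ValueError("coupon invalid or already used")
        total -= total * rule["percent"] // 100
    if not verify_otp(session, submitted_otp):                      # the server decides, not the client
        raise PermissionError("otp check failed")
    session.coupons_used.update(codes)                              # mark single-use coupons only after success
    return total


if __name__ == "__main__":
    # Constructed attacker request: catalogue price is 49.99, client claims 1.00,
    # stacks the same coupon twice and asserts the OTP step already passed.
    evil = {"items": [{"sku": "sku-100", "qty": 2, "price": 100}],
            "coupons": ["SAVE10", "SAVE10"], "otp_verified": True}
    print("vulnerable charges (cents):", vulnerable_checkout(Session("mallory"), evil))
    s = Session("mallory")
    otp = issue_otp(s)
    honest = {"items": [{"sku": "sku-100", "qty": 2, "price": 100}], "coupons": ["SAVE10"]}
    print("hardened charges (cents):", hardened_checkout(s, honest, otp))
```

The vulnerable handler charges 162 cents for two items that cost 9,998 cents; the hardened one charges 8,999 cents, refuses the second use of the coupon, rejects negative quantities, and locks the OTP after three wrong guesses so a six-digit code cannot be brute-forced.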
Which are the most vulnerable Industry Verticals?
[Chart: average number of vulnerabilities per application, by industry vertical]