Web application vulnerability statistics of 2012

•

1 like•997 views

With years of experience and valuable insights of our cloud based application security testing, the prevailing website vulnerability trends are discovered. The study is based on our original research on more than 5000 tests covering 300+ customers distributed globally.

Technology

Web Application Vulnerability
Statistics of 2012

1

Background

• iViZ – Cloud based Application Penetration
Testing
• Zero False Positive Guarantee
• Business Logic Testing with 100% WASC (Web Application
Security Consortium) class coverage
• Funded by IDG Ventures
• 30+ Zero Day Vulnerabilities discovered
• 10+ Recognitions from Analysts and Industry
• 300+ Customers

2

Research Methodology

• Application security Data Collection
• 300+ Customers
• 5,000 + Application Security Tests

• 25% Apps from Asia, 40% Apps from USA
and 25% from Europe

3

Key Findings

• 99% of the Apps tested had at least 1 vulnerability
• 82% of the web application had at least 1 High/Critical
Vulnerability
• 90% of hacking incidents never gets known to public
• Very low correlation between Security and Compliance
(Correlation Coefficient: 0.2)
• Average number of vulnerability per website: 35
• 30% of the hacked organizations knew the vulnerability (for
which they got hacked) beforehand
• #1 Vulnerability: Cross site scripting (61%)
• #1 Secure vertical: Banking
• #1 Vulnerable Vertical: Retail

4

Top 5 Application Flaws

Percentage of websites containing the “Type of Vulnerability”

6

5 Common Business Logic Flaws

• Weak Password recovery
• Abusing Discount Logic/Coupons
• Denial of Service using Business Logic
• Price Manipulation during Transaction
• Insufficient Server Side Validation (One Time
Password (OTP) bypass)

7

Which are the most vulnerable Industry Verticals?

Average number of Vulnerabilities per Application

8

Application Security Posture by Geography

Average number of Vulnerability per Application

9

Thank You!!
For more Information please visit
www.ivizsecurity.com
www.ivizsecurity.com/blog/

10

More from DaveEdwards12

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

DaveEdwards12

A Journey to Protect Points of Sale (POS)

DaveEdwards12

Man in the Browser attacks on online banking transactions

DaveEdwards12

New realities in aviation security remotely gaining control of aircraft systems

DaveEdwards12

New realities in aviation security remotely gaining control of aircraft systems

DaveEdwards12

Insecurity in security products 2013

DaveEdwards12

Why current security solutions fail

DaveEdwards12

Anatomy of business logic vulnerabilities

DaveEdwards12

Using 80 20 rule in application security management

DaveEdwards12

Learn about the major risks to Cloud and Web-based Applications. What are their weaknesses? How can you deploy them in a more confident fashion and avoid the risks? What can you do to protect these applications without creating a major burden on your end-users and customers. Application Security has become one of the top most priorities of CIOs, CSOs and IT Staff in 2012. Cloud has created a paradigm shift in how we leverage technology. Learn about the power of the Cloud to Secure your applications.

Top Application Security Trends of 2012

DaveEdwards12

Know the vulnerabilities in security products and the risks it exposes to us to and how to encounter it in the most effective manner. Know the secrets which are not revealed : • How secure are security products? • What are the vulnerabilities that security products bring into your environment? • Which are the most vulnerable security products? • Who are the security vendors with most published vulnerabilities? • How to manage the risks?

Vulnerability in Security Products

DaveEdwards12

Insecurity in security products v1.5

DaveEdwards12

More from DaveEdwards12 (12)

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

A Journey to Protect Points of Sale (POS)

Man in the Browser attacks on online banking transactions

New realities in aviation security remotely gaining control of aircraft systems

Insecurity in security products 2013

Why current security solutions fail

Anatomy of business logic vulnerabilities

Using 80 20 rule in application security management

Top Application Security Trends of 2012

Vulnerability in Security Products

Insecurity in security products v1.5

Recently uploaded

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Architecting Cloud Native Applications

WSO2

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

DBX First Quarter 2024 Investor Presentation

Dropbox

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

ICT role in 21st century education and its challenges

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

presentation ICT roal in 21st century education

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

How to Troubleshoot Apps for the Modern Connected Worker

FWD Group - Insurer Innovation Award 2024

Architecting Cloud Native Applications

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Ransomware_Q4_2023. The report. [EN].pdf

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

AWS Community Day CPH - Three problems of Terraform

DBX First Quarter 2024 Investor Presentation

Why Teams call analytics are critical to your entire business

Axa Assurance Maroc - Insurer Innovation Award 2024

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Web application vulnerability statistics of 2012

1. Web Application Vulnerability Statistics of 2012 1

2. Background • iViZ – Cloud based Application Penetration Testing • Zero False Positive Guarantee • Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage • Funded by IDG Ventures • 30+ Zero Day Vulnerabilities discovered • 10+ Recognitions from Analysts and Industry • 300+ Customers 2

3. Research Methodology • Application security Data Collection • 300+ Customers • 5,000 + Application Security Tests • 25% Apps from Asia, 40% Apps from USA and 25% from Europe 3

4. Key Findings • 99% of the Apps tested had at least 1 vulnerability • 82% of the web application had at least 1 High/Critical Vulnerability • 90% of hacking incidents never gets known to public • Very low correlation between Security and Compliance (Correlation Coefficient: 0.2) • Average number of vulnerability per website: 35 • 30% of the hacked organizations knew the vulnerability (for which they got hacked) beforehand • #1 Vulnerability: Cross site scripting (61%) • #1 Secure vertical: Banking • #1 Vulnerable Vertical: Retail 4

5. Average number of Vulnerabilities 5

6. Top 5 Application Flaws Percentage of websites containing the “Type of Vulnerability” 6

7. 5 Common Business Logic Flaws • Weak Password recovery • Abusing Discount Logic/Coupons • Denial of Service using Business Logic • Price Manipulation during Transaction • Insufficient Server Side Validation (One Time Password (OTP) bypass) 7

8. Which are the most vulnerable Industry Verticals? Average number of Vulnerabilities per Application 8

9. Application Security Posture by Geography Average number of Vulnerability per Application 9

10. Thank You!! For more Information please visit www.ivizsecurity.com www.ivizsecurity.com/blog/ 10

Web application vulnerability statistics of 2012

Recommended

Recommended

More Related Content

More from DaveEdwards12

More from DaveEdwards12 (12)

Recently uploaded

Recently uploaded (20)

Web application vulnerability statistics of 2012