Is Your Web App Secure? Really?

The Web Application Security Consortium (WASC) today announced the findings of its WASC Web Application Security Statistics Project 2008. Their objective was to pool data from a number of sources to assess the vulnerability of web applications across the Internet.

WASC's analysis of over 12,000 web applications is disturbing. Some of their findings are [WASC's emphasis]:

• About 49% of web applications contain vulnerabilities of high risk level (Urgent and Critical) detected during automatic scanning
• Detailed manual and automated assessment by white box method allows to detect these high risk level vulnerabilities with probability up to 80-96%
• The probability to detect vulnerabilities with risk level more than medium (PCI DSS compliance level) is more than 86% by any method
• At the same time, detailed analysis shows that 99% of web applications are not compliant with PCI DSS standard.
  

So...let's see here... About half of all web apps have high risk vulnerabilities, it's pretty straightforward to detect the vulnerabilities with automated scanning, yet 99% of web apps are not PCI DSS compliant.

Concerned yet?

Now, these data are from 2008 so they may be a bit old, and I don't know that all the web apps examined were payment apps (!), so maybe the 99% figure is high. Nevertheless, I have to believe the PCI Council will have a comment on this report and its findings.