WhiteHat Security Statistics Report 2012

WhiteHat’s 12th Website Security Statistics Report represents far and away the largest amount of data we’ve ever analyzed — hundreds of terabytes worth. In terms of the total number of websites alone, it covers more than twice as many as our last report. It is easily the most complete and longest-running study focused on the state of website security.

Within this report we are very excited to introduce two new industries, Energy and Non-Profit. Historically, WhiteHat has reported vulnerability metrics generalized across industries. This increased website diversity improves our ability to share lessons learned.


1. The average number of serious* vulnerabilities found per website per year was 79, a significant reduction from 230 in 2010 and down from 1,111 in 2007.

2. Cross-Site Scripting reclaimed its title as the most prevalent website vulnerability, identified in 55% of websites.

3. Web Application Firewalls could have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified.

4. There was notable improvement across all verticals, but Banking websites had the fewest security issues of any industry, with an average of 17 serious* vulnerabilities identified per website.

5. Serious* vulnerabilities were fixed in an average of 38 days or faster, a vast improvement over the 116 days it took during 2010.

6. The overall percentage of serious* vulnerabilities that were fixed was 63%, up from 53% in 2010, and a marked improvement from 2007 when it was just 35%. That is roughly a 7% average improvement per year over each of the last four years.

7. The higher the severity of a vulnerability, the more likely it is to reopen: Urgent: 23%, Critical: 22%, High: 15%.

8. The average number of days a website was exposed to at least one serious* vulnerability improved slightly to 231 days in 2011, from 233 days in 2010.

Find the full report here.
