« Apple website hit with SQL Injection | Main | CGISecurity.com Turns 10!: A short appsec history of the last decade »

WASC Web Hacking Incident Database Semi-Annual Report for 2010

Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning.


"Greetings everyone,
I wanted to let you all know that we have released the new WHID report for 2010 -

A few Report Summary Findings -

  • A steep rise in attacks against the financial vertical market is occurring in 2010, and is currently the no. 3 targeted vertical at 12 percent. This is mainly a result of cybercriminals targeting small to medium businesses’ (SMBs) online banking accounts.
  • Corresponding to cybercriminals targeting online bank accounts, the use of Banking Trojans (which results in stolen authentication credentials) made the largest jump for attack methods (Banking Trojans + Stolen Credentials).
  • Application downtime, often due to denial of service attacks, is a rising outcome.
  • Organizations have not implemented proper Web application logging mechanisms and thus are unable to conduct proper incident response to identify and correct vulnerabilities. This resulted in the no. 1 “unknown” attack category.

We also have a new Top 10 Web Application Risks listing – which is an interesting contrast to the OWASP Top 10.

I would also like to point out that we have added the Real-Time Statistics feature on the WHID project site - http://projects.webappsec.org/Web-Hacking-Incident-Database#RealTimeStatistics
With this new capability, you can now get live stats based on either the Year and/or your Vertical Market of choice.

Ryan Barnett
WASC WHID Project Lead"


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!