Top 10 web application vulnerabilities in 2021–2023


To help companies navigate the world of web application vulnerabilities and secure their own web applications, the Open Web Application Security Project (OWASP) online community created the OWASP Top Ten. As we followed their rankings, we noticed that the way we ranked major vulnerabilities was different. Being curious, we decided to find out just how big the difference was. That’s why we set up our own rankings, reflecting our take on the most widespread and critical web application vulnerabilities as viewed through the prism of eight years’ experience.


Profile of participants and applications


We collected the data from a sample of the application security assessment projects our team completed in 2021–2023. Most of the web applications were owned by companies based in Russia, China and the Middle East.


Almost half of the applications (44%) were written in Java, followed by NodeJS (17%) and PHP (12%). More than a third (39%) used the microservice architecture.



Figure: Distribution of programming languages used in writing web applications, 2021–2023


We analyzed data obtained through web application assessments that followed the black, gray and white box approaches. Almost every application assessed with the gray box method was analyzed with the black box method too, so we combined these two approaches in our statistics. As a result, the vast majority (83%) of the web application projects used the black and gray box methods.


Discrepancies caused by the differing approaches to analysis


Since the black, gray and white box methods imply different levels of access to the applications, the types of vulnerabilities most likely to be found differed as well. We ..
