Web Hacking Statistics

Page history last edited by shezaf 14 years, 5 months ago

WHID is unique, but far from being the only tool that tries to generate metrics for web application security. This page lists additional resources that you may want to review.


Pen testing Based Vulnerability Statistics

Many resources report statistics on vulnerabilities found during penetration testing or code review. One of the larger-scale studies of this type is the Web Application Security Consortium (WASC) Statistics Project, which aggregates the findings of 8 different companies performing penetration testing and code review. Corsaire, from the UK, issues a similar annual report. While based on a smaller sample, the 2008 report covers 6 years of application security analysis and seems to be based on more detailed security analysis, highlighting issues that do not appear in the WASC project.


Annual reports


IBM X-Force 2008 summary

This report is mostly based on vulnerability disclosure reports.

  • The most prevalent type of vulnerability affecting servers today is unquestionably vulnerabilities related to Web applications. (Page 31)
  • In 2008, vulnerabilities affecting Web server applications accounted for 54 percent of all vulnerability disclosures. (Page 31)
  • The predominant types of vulnerabilities affecting Web applications are cross-site scripting (XSS), SQL injection, and file include vulnerabilities. In 2008, SQL injection replaced cross-site scripting as the predominant Web application vulnerability. (Page 32)
  • Out of all the disclosures in 2008, 74% had no patch by the end of 2008. (Page 37)
