[ Thanks to WASC for this link.
]
“As a result, we now have 4 data sets:
“Overall statistics by all kinds of activities;
Automatic scanning statistics;
Black box method security assessment statistics;
White box method security assessment statistics.“Automatic scanning data is collected in fully automated
scanning process without any preliminary settings (with standard
profile) of hosting provider sites. Remember that not all the sites
include interactive elements, and additional settings made by an
expert considering certain Web application, allows to greatly
improve the efficiency of vulnerability detection.“Black box method security assessment statistics includes the
results of manual and automated Web application analysis without
any preliminary known data about the application. As a rule, this
includes scanning with standard settings and manual search of
vulnerabilities unavailable for automatic scanners.“White box method security assessment statistics includes the
results of the deep Web application analysis which contains
application analysis done as an authorized user. It also includes
static source code and binary analysis. Detected vulnerabilities
are classified according to Web Application Security Consortium Web
Security Threat Classification (WASC WSTCv2) early draft.
Vulnerability risk level is determined by contributors or assessed
according to CVSSv2 (Common Vulnerability Scoring System version
2). Then the level was brought to PCI DSS (Payment Card Industry
Data Security Standard) risk levels as described in the methodology
(see appendix 1).”