I'm reading through the WhiteHat Website Security Statistics Report released yesterday, and there are plenty of interesting data points. Here are some nuggets.

First, a word on how this was put together: The company sifted through data from more than 650 organizations and tens of thousands of real-world websites continually monitored by WhiteHat Sentinel Services. Among the high points (or low points, depending on one's perspective):

86 percent of all websites had at least one serious* vulnerability.

The average number of serious* vulnerabilities identified per website was 56, continuing the downward trend from 79 in 2011 and 230 in 2010.

Serious* vulnerabilities were resolved in an average of 193 days from first notification.

61 percent of all serious* vulnerabilities were resolved, slightly less than the 63 percent in 2011, but still up from 53 percent in 2010 and far better than 2007, when it was just 35 percent.

*Serious vulnerabilities are defined as those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news. In short, serious vulnerabilities are those that should really be fixed.

As far as the Top Ten most prevalent vulnerability classes in 2012, the list is relatively close to last year's, though Information Leakage surpassed Cross-Site Scripting yet again:

1.) Information Leakage – 55 percent of websites
2.) Cross-Site Scripting – 53 percent of websites
3.) Content Spoofing – 33 percent of websites
4.) Cross-Site Request Forgery – 26 percent of websites
5.) Brute Force – 26 percent of websites
6.) Fingerprinting – 23 percent of websites
7.) Insufficient Transport Layer Protection – 22 percent of websites
8.) Session Fixation – 14 percent of websites
9.) URL Redirector Abuse – 13 percent of websites
10.) Insufficient Authorization – 11 percent of websites

Meanwhile:

--57 percent of organizations surveyed provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40 percent fewer vulnerabilities and resolved them 59 percent faster, but exhibited a 12 percent lower remediation rate.

--39 percent of organizations said they perform some amount of Static Code Analysis on their website(s)' underlying applications. These organizations experienced 15 percent more vulnerabilities, resolved them 26 percent slower, and had a 4 percent lower remediation rate.

--55 percent of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11 percent more vulnerabilities, resolved them 8 percent slower, and had a 7 percent lower remediation rate.

Download the full report here.