The Web Application Security Consortium (WASC)
The statistics was compiled from web application security assessment
projects which were made by the following companies in 2008 (in
alphabetic order):* Blueinfy
* Cenzic with Hailstorm
* DNS with WebInspect
* Encription Limited
* HP Application Security Center with WebInspect
* Positive Technologies with MaxPatrol
* Veracode with Veracode Security Review
* WhiteHat Security with WhiteHat SentinelThe statistics includes data about 12186 sites with 97554 detected
vulnerabilities.
http://projects.webappsec.org/Web-Application-Security-Statistics