Acunetix, Acunetix web vulnerability scanner, 2012.

O. H. Alhazmi, Y. K. Malaiya, and I. Ray, Security Vulnerabilities in Software Systems: A Quantitative Perspective, in S. Jajodia and D. Wijesekera (eds.), DBSec, pp.281-294, 2005.
DOI : 10.1109/MSECP.2003.1193213

M. Almgren, H. Debar, and M. Dacier, A Lightweight Tool for Detecting Web Server Attacks, pp.157-170, 2000.

Anantasec, Ananta security blog, 2009.

W. A. Arbaugh, W. L. Fithen, and J. McHugh, Windows of vulnerability: A case study analysis, Computer, vol.33, pp.52-59, 2000.

A. Arora, R. Krishnan, R. Telang, and Y. Yang, Impact of vulnerability disclosure and patch availability: an empirical analysis, Third Workshop on the Economics of Information Security, 2004.

M. Balduzzi, C. T. Gimenez, D. Balzarotti, and E. Kirda, Automated discovery of parameter pollution vulnerabilities in web applications, NDSS'11, 8th Annual Network and Distributed System Security Symposium, pp.6-9, 2011.

D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda et al., Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications, 2008 IEEE Symposium on Security and Privacy (sp 2008), 2008.
DOI : 10.1109/SP.2008.22

D. Bates, A. Barth, and C. Jackson, Regular expressions considered harmful in client-side XSS filters, Proceedings of the 19th international conference on World wide web, WWW '10, pp.91-100, 2010.
DOI : 10.1145/1772690.1772701

J. Bau, E. Bursztein, D. Gupta, and J. C. Mitchell, State of the Art: Automated Black-Box Web Application Vulnerability Testing, 2010 IEEE Symposium on Security and Privacy, pp.332-345, 2010.
DOI : 10.1109/SP.2010.27

J. Billig, Y. Danilchenko, and C. E. Frank, Evaluation of Google hacking, Proceedings of the 5th annual conference on Information security curriculum development, InfoSecCD '08, pp.27-32, 2008.
DOI : 10.1145/1456625.1456634

N. Bilton, How credit card data is stolen and sold, http://bits.blogs.nytimes.com, 2011.

S. W. Boyd and A. D. Keromytis, SQLrand: Preventing SQL injection attacks, Applied Cryptography and Network Security, Second International Conference, ACNS 2004 Proceedings, pp.292-302, 2004.

J. Burket, P. Mutchler, M. Weaver, M. Zaveri, and D. Evans, GuardRails: a data-centric web application security framework, Proceedings of the 2nd USENIX conference on Web application development, 2011.

C. Cadar, D. Dunbar, and D. Engler, KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs, Proceedings of the 8th USENIX conference on Operating systems design and implementation, OSDI'08, pp.209-224, 2008.

P. Allor, R. Neray, R. Iffert, R. Stone, S. McNulty et al., IBM X-Force 2011 mid-year trend and risk report, 2011.

H. Cavusoglu, H. Cavusoglu, and S. Raghunathan, Emerging issues in responsible vulnerability disclosure, Proceedings of WITS 2004, 2004.

US-CERT, Cyber security bulletins, 2012.

S. M. Christey and R. A. Martin, Vulnerability type distributions in CVE, 2007.

S. Clark, S. Frei, M. Blaze, and J. Smith, Familiarity breeds contempt, Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, 2010.
DOI : 10.1145/1920261.1920299

M. Dausin, A. Hils, D. Holden, P. Jagdale, J. Jones et al., The 2011 mid-year top cyber security risks report, 2011.

R. Dhamankar, M. Dausin, M. Eisenbarth, and J. King, The top cyber security risks, 2009.

A. Doupé, M. Cova, and G. Vigna, Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners, Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), 2010.
DOI : 10.1007/978-3-642-14215-4_7

M. Doyle and J. Walden, An Empirical Study of the Evolution of PHP Web Application Security, 2011 Third International Workshop on Security Measurements and Metrics, 2011.
DOI : 10.1109/Metrisec.2011.18

F5 Networks, Inc., F5 BIG-IP Application Security Manager (ASM), http://www.f5.com/solutions, 2011.

M. Finifter and D. Wagner, Exploring the Relationship Between Web Application Development Tools and Security, USENIX Conference on Web Application Development (WebApps). USENIX Association, 2011.

J. Fonseca and M. Vieira, Mapping software faults with web security vulnerabilities, 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), pp.257-266, 2008.
DOI : 10.1109/DSN.2008.4630094

S. Frei, Security Econometrics: The Dynamics of (In)Security, 2009.

S. Frei, M. May, U. Fiedler, and B. Plattner, Large-scale vulnerability analysis, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, LSAD '06, pp.131-138, 2006.
DOI : 10.1145/1162666.1162671

M. Van Gundy and H. Chen, Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks, Proceedings of the Network and Distributed System Security Symposium, NDSS 2009, 2009.

V. Haldar, D. Chandra, and M. Franz, Dynamic Taint Propagation for Java, 21st Annual Computer Security Applications Conference (ACSAC'05), pp.303-311, 2005.
DOI : 10.1109/CSAC.2005.21

W. Halfond, S. Anand, and A. Orso, Precise interface identification to improve testing and analysis of web applications, Proceedings of the eighteenth international symposium on Software testing and analysis, ISSTA '09, 2009.
DOI : 10.1145/1572272.1572305

W. G. J. Halfond and A. Orso, AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks, Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), 2005.

Hewlett-Packard, HP WebInspect.

T. Holz, M. Engelberth, and F. Freiling, Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones, Proceedings of the 14th European conference on Research in computer security, ESORICS'09, pp.1-18, 2009.
DOI : 10.1109/MSP.2007.45

P. Hooimeijer, B. Livshits, D. Molnar, P. Saxena, and M. Veanes, Fast and precise sanitizer analysis with BEK, Proceedings of the 20th USENIX conference on Security, 2011.

Y. Huang, F. Yu, C. Hang, C. Tsai, D. Lee et al., Securing web application code by static analysis and runtime protection, Proceedings of the 13th conference on World Wide Web, WWW '04, pp.40-52, 2004.
DOI : 10.1145/988672.988679

T. Jim, N. Swamy, and M. Hicks, Defeating script injection attacks with browser-enforced embedded policies, Proceedings of the 16th international conference on World Wide Web, WWW '07, pp.601-610, 2007.
DOI : 10.1145/1242572.1242654

M. Johns, C. Beyerlein, R. Giesecke, and J. Posegga, Secure Code Generation for Web Applications, ESSoS, pp.96-113, 2010.
DOI : 10.1007/978-3-642-11747-3_8

M. Johns, B. Engelmann, and J. Posegga, XSSDS: Server-Side Detection of Cross-Site Scripting Attacks, 2008 Annual Computer Security Applications Conference (ACSAC), pp.335-344, 2008.
DOI : 10.1109/ACSAC.2008.36

N. Jovanovic, C. Kruegel, and E. Kirda, Pixy: A static analysis tool for detecting web application vulnerabilities (short paper), SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp.258-263, 2006.

K. Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security, vol.6, issue.4, pp.443-471, 2003.
DOI : 10.1145/950191.950192

A. Kieżun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst, HAMPI: A solver for string constraints, Proceedings of the 2009 International Symposium on Software Testing and Analysis, pp.105-116, 2009.

A. Kieżun, P. J. Guo, K. Jayaraman, and M. D. Ernst, Automatic creation of SQL injection and cross-site scripting attacks, ICSE'09, Proceedings of the 31st International Conference on Software Engineering, 2009.

E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, Noxes, Proceedings of the 2006 ACM symposium on Applied computing, SAC '06, pp.330-337, 2006.
DOI : 10.1145/1141277.1141357

D. V. Klein, Defending against the wily surfer: web-based attacks and defenses, Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, 1999.

Y. Kosuga, K. Kono, M. Hanaoka, M. Hishiyama, and Y. Takahama, Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp.107-117, 2007.
DOI : 10.1109/ACSAC.2007.20

J. Kouns, K. Todd, B. Martin, D. Shettler, S. Tornio et al., The open source vulnerability database, 2010.

C. Kruegel and G. Vigna, Anomaly detection of web-based attacks, Proceedings of the 10th ACM conference on Computer and communication security, CCS '03, pp.251-261, 2003.
DOI : 10.1145/948109.948144

C. Kruegel, G. Vigna, and W. Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks, vol.48, issue.5, pp.717-738, 2005.
DOI : 10.1016/j.comnet.2005.01.009

V. B. Livshits and M. S. Lam, Finding security errors in Java programs with static analysis, Proceedings of the 14th Usenix Security Symposium, pp.271-286, 2005.

M. Ter Louw and V. N. Venkatakrishnan, Blueprint: Robust prevention of cross-site scripting attacks for existing browsers, Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, pp.331-346, 2009.

B. Martin, M. Brown, A. Paller, and D. Kirby, 2010 CWE/SANS Top 25 most dangerous software errors, 2010.

McAfee, McAfee threats report: Third quarter 2011, 2011.

P. Mell, K. Scarfone, and S. Romanosky, A complete guide to the common vulnerability scoring system version 2.0, 2007.

M. J. Mondro, Approximation of mean time between failure when a system has periodic maintenance, IEEE Transactions on Reliability, vol.51, issue.2, pp.166-167, 2002.

N. Mook, Cross-site scripting worm hits MySpace, 2005.

T. Moore and R. Clayton, Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing, Financial Cryptography and Data Security, pp.256-272
DOI : 10.1007/978-3-642-03549-4_16

J. D. Musa, A. Iannino, and K. Okumoto, Software Reliability: Measurement, Prediction, Application, 1987.

Y. Nadji, P. Saxena, and D. Song, Document structure integrity: A robust basis for cross-site scripting defense, Proceedings of the Network and Distributed System Security Symposium, NDSS 2009, 2009.

S. Neuhaus and T. Zimmermann, Security Trend Analysis with CVE Topic Models, 2010 IEEE 21st International Symposium on Software Reliability Engineering, 2010.
DOI : 10.1109/ISSRE.2010.53

S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller, Predicting vulnerable software components, Proceedings of the 14th ACM conference on Computer and communications security, CCS '07, pp.529-540, 2007.
DOI : 10.1145/1315245.1315311

A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, Automatically Hardening Web Applications Using Precise Tainting, SEC, pp.295-308, 2005.
DOI : 10.1007/0-387-25660-1_20

A. Ozment and S. E. Schechter, Milk or wine: does software security improve with age?, USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium, 2006.

H. Peine, Security test tools for web applications, Fraunhofer IESE, 2006.

T. Pietraszek and C. Vanden Berghe, Defending Against Injection Attacks Through Context-Sensitive String Evaluation, Lecture Notes in Computer Science, vol.3858, pp.124-145, 2005.
DOI : 10.1007/11663812_7

P. Bisht, T. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan, NoTamper, Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, 2010.
DOI : 10.1145/1866307.1866375

N. Provos, P. Mavrommatis, M. Abu Rajab, and F. Monrose, All your iframes point to us, Proceedings of the 17th conference on Security symposium, pp.1-15, 2008.

E. Rescorla, Is finding security holes a good idea?, IEEE Security and Privacy Magazine, vol.3, issue.1, pp.14-19, 2005.
DOI : 10.1109/MSP.2005.17

A. Riancho, w3af: Web application attack and audit framework, 2011.

W. Robertson and G. Vigna, Static enforcement of web application integrity through strong typing, Proceedings of the 18th conference on USENIX security symposium, pp.283-298, 2009.

W. Robertson, G. Vigna, C. Kruegel, and R. Kemmerer, Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks, Proceeding of the Network and Distributed System Security Symposium (NDSS), 2006.

M. Roesch, Snort: lightweight intrusion detection for networks, Proceedings of the 13th USENIX conference on System administration, LISA '99, pp.229-238, 1999.

D. Ross, IE 8 XSS filter, 2008.

RSnake, XSS (Cross Site Scripting) cheat sheet: Esp: for filter evasion, 2009.

M. Samuel, P. Saxena, and D. Song, Context-sensitive auto-sanitization in web templating languages using type qualifiers, Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, 2011.

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song, A symbolic execution framework for JavaScript, Proceedings of the 2010 IEEE Symposium on Security and Privacy, pp.587-600, 2010.

P. Saxena, D. Molnar, and B. Livshits, SCRIPTGARD, Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, 2011.
DOI : 10.1145/2046707.2046776

T. Scholte, D. Balzarotti, and E. Kirda, Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications, Proceedings of the International Conference on Financial Cryptography and Data Security, 2011.
DOI : 10.1007/978-3-642-27576-0_24

T. Scholte, D. Balzarotti, and E. Kirda, Have things changed now? a study of the evolution of input validation vulnerabilities in web applications, 2012.

T. Scholte, D. Balzarotti, W. Robertson, and E. Kirda, An empirical analysis of input validation mechanisms in web applications and languages, Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC '12, 2012.
DOI : 10.1145/2245276.2232004

M. J. Schwartz, Sony data breach cleanup to cost $171 million, InformationWeek, 2011.

D. Scott and R. Sharp, Abstracting application-level web security, Proceedings of the eleventh international conference on World Wide Web, WWW '02, pp.396-407, 2002.
DOI : 10.1145/511446.511498

Panda Security, Panda Security report: The cyber-crime black market: Uncovered, 2011.

WhiteHat Security, WhiteHat website security statistics report, 2011.

N. Seixas, J. Fonseca, M. Vieira, and H. Madeira, Looking at Web Security Vulnerabilities from the Programming Language Perspective: A Field Study, 2009 20th International Symposium on Software Reliability Engineering, pp.129-135, 2009.
DOI : 10.1109/ISSRE.2009.30

R. Shirey, Request for Comments 2828, 2000.

R. Shirey, Request for Comments 4949, 2007.

Z. Su and G. Wassermann, The essence of command injection attacks in web applications, Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, POPL '06, pp.372-382, 2006.

Trustwave, ModSecurity: Open source web application firewall, 2011.

G. Vigna, W. Robertson, V. Kher, and R. A. Kemmerer, A stateful intrusion detection system for world-wide web servers, Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003), pp.34-43, 2003.
DOI : 10.1109/CSAC.2003.1254308

J. Walden, M. Doyle, R. Lenhof, and J. Murray, Idea: Java vs. PHP: Security Implications of Language Choice for Web Applications, International Symposium on Engineering Secure Software and Systems (ESSoS), 2010.
DOI : 10.1007/978-3-642-11747-3_5

J. Walden, M. Doyle, G. A. Welch, and M. Whelan, Security of open source web applications, Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, ESEM '09, pp.545-553, 2009.

G. Wassermann and Z. Su, Sound and Precise Analysis of Web Applications for Injection Vulnerabilities, Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, 2007.

G. Wassermann and Z. Su, Static detection of cross-site scripting vulnerabilities, Proceedings of the 13th international conference on Software engineering, ICSE '08, 2008.
DOI : 10.1145/1368088.1368112

J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin et al., An Empirical Analysis of XSS Sanitization in Web Application Frameworks, 2011.

A. Wiegenstein, F. Weidemann, M. Schumacher, and S. Schinzel, Web application vulnerability scanners: a benchmark, 2006.

S. W. Woo, O. H. Alhazmi, and Y. K. Malaiya, An analysis of the vulnerability discovery process in web browsers, Proceedings of the 10th International Conference on Software Engineering and Applications, 2006.

Y. Xie and A. Aiken, Static detection of security vulnerabilities in scripting languages, USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium, 2006.

F. Yamaguchi, F. Lindner, and K. Rieck, Vulnerability extrapolation: Assisted discovery of vulnerabilities using machine learning, Proc. of 5th USENIX Workshop on Offensive Technologies (WOOT), 2011.

A. Yip, X. Wang, N. Zeldovich, and M. F. Kaashoek, Improving application security with data flow assertions, Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, SOSP '09, pp.291-304, 2009.
DOI : 10.1145/1629575.1629604

J. Zhuge, T. Holz, C. Song, J. Guo, X. Han et al., Studying Malicious Websites and the Underground Economy on the Chinese Web, Workshop on the Economics of Information Security (WEIS'08), 2008.
DOI : 10.1007/978-0-387-09762-6_11