1/ Years ago I worked on a data analysis project. The project was designed to predict the particular type and number of vulnerabilities likely to be identified (or not) in a given website when security tested.
2/ The results were fascinating. Knowing only WHEN a website was first deployed on the Web and the programming language in use, it was possible to predict the type and quantity of vulnerabilities present with a very high degree of accuracy.
3/ Other factors such as industry, organizational size, regulatory obligations, software development processes, and so on mattered very little statistically.
4/ The only other factor found that seemed to matter was if the ORG or website was known to have been hacked sometime in the past. Turned out they were substantially less vulnerable than the broad average website.
5/ I was getting closer to being able to precisely predict WHERE vulnerabilities of a particular type would be located in a website (i.e. a named URL param, form field, header, etc.). I ran out of time, but I’m convinced it’s possible and it would greatly increase testing efficiency.
6/ If you can imagine, among other benefits, this type of vulnerability prediction would also greatly benefit the cyber-insurance market. Such as estimating risk without having to perform vulnerability testing in advance. Or telling the client what to prioritize testing for.
Or, if you’re assessing your vendors, it would help to determine the risk to your own data being processed by the vendor.
Nov 14, 2018 · 2:32 AM UTC