Imperva recently published a very good article about web applications security.

The article shows numbers about the type and severity of the vulnerabilities usually found in web applications, as well as how this matter is evolving from 4 years ago until now.

The article is a very good resource for those that don't have a regulatory piece like PCI to push web application security in their companies. Even for those that are fighting that war "penetrate and patch vc security built in" the text is very important, as it shows the very high numbers of re-tests that showed critical vulnerabilities and the very small number of them that showed no vulnerabilities at all.

The only problem of the article is that it is from a company that sells application firewalls. Even with all the interesting data presented, the conclusio seems to be something too product-driven. If one tries to use it as a resource to justify developers trainning and security throughout the application life-cycle he may end up on getting only budget for another miracle box.