The Do Not Track (DNT) HTTP header is already supported by many browsers, but it was never really clear what it is supposed to do beyond expressing the user's preference not to be tracked. I think it may help to demonstrate this with an example.
This page collects most of the currently known quantitative data sets on web application attack methods, gathered as a result of (and as an addendum to) a discussion on the new OWASP Top 10 in early 2013. Note that these data sets are sometimes of very different nature and often cannot be directly compared. Nonetheless, I strongly believe that in most cases they give a pretty good picture of how applications are attacked in real life.
Ongoing work on the new edition of the OWASP Top 10 gives us an opportunity to perform a reality check on the data it was based on, especially the ordering and relative importance of the vulnerabilities. It all reduces to a simple question: how do we measure the "criticality" of an application issue?
"A Web site based on SharePoint Team Services from Microsoft is built on top of both the Microsoft FrontPage Server Extensions" (this introduction comes from a Microsoft article on SharePoint) sounds quite scary at first, if you know the security history of the FrontPage Server Extensions.
In 2011 the Polish government introduced a new, simpler method of authenticating official communication with government offices: the Trusted Profile (Profil Zaufany). In 2013 it crossed the 100,000 user mark.