WhiteHat Security released the second installment of its Web Application Security Risk Report, which details 15 months of vulnerability assessment data across a variety of real- world websites. The report unveils the top 10 website vulnerabilities facing enterprises, and identifies Web application security trends across financial, e-commerce, healthcare, and high-tech industries. The WhiteHat Report provides enterprises with a clear picture of current website security issues and details best practices for defending against potential attacks.
WhiteHat Security’s research confirms that the Web application layer requires proactive security as the number one target for malicious online attacks. In its December 2006 report, WhiteHat found that eight out of every 10 websites are vulnerable to attack. The Company’s recent findings now indicate that one out of every three websites has an urgent vulnerability issue that could put online data and corporate brand identity at risk.
The most prevalent vulnerability continues to be Cross-Site Scripting (XSS) with seven out of 10 websites being affected, followed by Information Leakage and Content Spoofing. SQL Injection and Insufficient Authorization also remain on the top 10 list, and if undiscovered can result in serious repercussions regarding highly sensitive information.
The WhiteHat Report notes a slight decrease in technical vulnerabilities such as XSS and SQL Injection. This may indicate that organizations are beginning to address the growing number and severity of website attacks. However, logical vulnerabilities such as insufficient authorization, where an attacker gains unauthorized access to protected sections of a website, have not decreased. This can be attributed in part to the fact that scanners alone do not pick up flaws affecting business logic and remediation may be more difficult.
In order to ensure effective and complete vulnerability assessments, it is key to have security experts working in conjunction with the scanners. This combined approach unearths items that scanners are not equipped to catch and serves as a stronger safeguard in protecting against attacks.