The sixth installment of the WhiteHat Website Security Statistics Report, provides a unique high-level perspective on the leading Web application security issues across industries such as retail, financial services, technology and healthcare, based on real-world websites. WhiteHat has published the report for two years, highlighting the top ten vulnerabilities, vertical market trends and emerging attack vectors. During that time, the industry has seen malicious Web hacking become more sophisticated and damaging as additional business is conducted online. In addition to the regular roster of vulnerabilities that repeatedly make the top ten list, Cross-Site Request Forgery (CSRF) has moved up two spots to number eight, indicating its increasingly pervasive nature.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
This latest installment includes data obtained between January 1, 2006 and December 1, 2008 and finds 82 percent of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity. Vulnerability time-to-fix metrics are slowly improving, but continue to show significant room for improvement, typically requiring weeks to months to achieve resolution. Only about 50 percent of the most prevalent urgent severity issues were resolved during the assessment time frame.
Within this sixth report, some areas of the top ten list remained static; but, notable changes were seen overall. Most noticeably, while CSRF just cracked the top ten in the fifth report, it moved up to number eight in this edition. Business logic flaws have remained steady in the top ten, demonstrating that these workflow flaws, which include Insufficient Authorization, Insufficient Authentication, Abuse of Functionality and Content Spoofing, are still overlooked at many organizations. The fact that the majority of the top ten list remained largely static as compared to previous reports demonstrates that the data contained within this report is a representative sampling of the security of the Web’s more important e-commerce related websites.
New to this edition of the report, WhiteHat added the pharmaceutical vertical to its comparison of the percentage of websites across industry verticals with an urgent, critical or high severity vulnerability. Sixty-five percent of pharmaceutical websites contain an urgent, critical or high severity vulnerability, while education websites remain the most vulnerable with 88 percent. Retail sector website security continues to outperform other verticals since the last report, and WhiteHat credits this to the large volume of battlefield testing these websites undergo.
The report statistics were gathered through the deployment of WhiteHat Sentinel, a SaaS-based website vulnerability management solution. With more than 700 sites under management, including many of the Fortune 500, WhiteHat has access to an unparalleled amount of website security data, allowing the company to accurately identify which issues are the most prevalent. WhiteHat Security uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.