WhiteHat Security released a report assembled from real-world website security data, is a high-level perspective on major website security issues that continue to compromise corporate data across all industries.
The report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continue to slowly increase. 83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which means encouragingly that the majority – over 13,000 – have been closed.
Unsurprisingly, only 36 percent of websites in the WhiteHat Security Website Security Statistics Report currently do not have any serious vulnerabilities. From a historical perspective, this percentage drops to 17. Through its research, WhiteHat found that the characteristics of websites currently without any serious issues were nearly identical to those with them, with the exception that they had about half as many from the start. This proves to be significant in that no website can be deemed immune – all websites have an opportunity to be compromised. These odds are reduced when the business decides to proactively identify and remediate their vulnerabilities.
“It is extremely interesting to see that all the websites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities,” said Jeremiah Grossman, founder and chief technology officer, WhiteHat Security. “The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their website, reputation and customers.”
Recent attacks on thousands of Web properties including Twitter, Facebook and MySpace validate the report’s findings that these platforms have what hackers are eager to steal – user supplied data. With 86 percent of these sites hosting urgent, critical or high severity vulnerabilities, social networks lead all verticals. A close second, education websites are also highly vulnerable, with 83 percent having at least one serious vulnerability. This is not surprising, as educational institutions have many public-facing applications and often do not have significant resources dedicated to website security.
As in previous reports, Cross-Site Scripting and SQL Injection continue to be fixtures in the Top 10 list along with many other common classes of attack. The report also shows that fix percentages are climbing for some and decreasing for others. In particular, more organizations are repairing technical issues such as SQL Injection and Cross-Site Scripting in larger volumes, an indication that awareness is building regarding the prevalence of easy exploitations of these specific vulnerabilities.