The impact of structural vulnerabilities on enterprise websites

Dasient released a new research report, “Structural Vulnerabilities on Websites: Why Enterprise Websites Are Vulnerable to Malware Attacks,” which found that, across all verticals, 75 percent of enterprises use some form of third-party JavaScript widgets, 42 percent of websites display external advertisements and up to 91 percent run third-party web applications, much of which is outdated and vulnerable.

To conduct this research, Dasient ran automated, passive malware risk assessments against the websites of Fortune 500 companies, Quantcast Top 1000 sites and other highly trafficked websites to determine which vertical markets (publisher/media, financial, ecommerce, traditional retail, high-tech manufacturers, travel/entertainment/leisure, consumer packaged goods, business services, manufacturing, and healthcare) were most at risk of having their websites infected with web-based malware due to structural vulnerabilities.

According to the report, structural vulnerabilities fall into three categories: third-party widgets such as polls, analytics or other sharing capabilities; external advertisements that could be serving malicious ads (malvertising); and third-party applications. These third-party resources are necessary for enterprises to provide functionality to users, but they can be exploited to distribute malware.

Some of the key findings include:

• There is an increased reliance on third-party JavaScript across all verticals. 75 percent of websites use some form of third-party JavaScript widgets. The highest category of vertical using widgets was travel, entertainment and leisure at 99 percent. Publishers came in second at 95 percent; high-tech was a close third at 94 percent; and financial institutions at 89 percent.
• More than 4 out of 10 of all websites rely on third-party advertising and publishers are twice as likely to use third-party ads. Across all verticals, 42 percent of websites used some third-party advertising on their sites and 89 percent of publishers already use third-party ads. In the retail and high-tech sectors, over 50 percent of sites used third-party ads. Surprisingly, 41 percent of financial institutions also use third-party ad-related resources on parts of their websites where financial advice is being exchanged among online communities.
• Many websites today are running outdated, vulnerable third-party applications. Across all verticals, up to 91 percent of businesses had outdated software applications (such as a content management, blogging or shopping cart systems) powering their websites. Three verticals were tied, at 97 percent, for having the highest percentage of websites with outdated software applications: consumer packaged goods, publishers and high-tech websites. Interestingly, some of the verticals that had a lower percentage of sites with external JavaScript or ads actually ranked higher for having outdated applications.

As part of the report, Dasient offers the following best practices for enterprises to protect their websites against the threat of structural vulnerabilities:

• Vet your third-party partners to be sure they have good security practices in place. Determine if your third-party partner has control over their own secure software development lifecycle (SDLC).
• Proactively monitor your website and contain malware infections – monitoring will help organizations find out about an infection before search engines and customers learn about it and before the site could get blacklisted, which would result in significant revenue and brand loss and reputation damage.
• Prevention alone is not the solution and is not effective for structural vulnerabilities – Dasient recommends detection and remediation Web Anti-Malware (WAM) services that provide end-to-end protection by monitoring websites for and automatically containing Web-based malware infections.

“Websites today are being turned into malware distribution vehicles and when a site includes code from other places, it naturally increases the risk and attack surface, resulting in the creation of these significant structural vulnerabilities,” says CTO and Co-Founder Neil Daswani. “The best way to mitigate the risks from structural vulnerabilities is to monitor websites for malware infections and automatically contain them.”