While no true security best practices exist, the key is in identifying the security metrics that mean the most to the organization and focusing on those activities to remediate specific vulnerabilities, according to a new WhiteHat Security report.
“We see no compelling evidence of ‘best-practices’ in application security,” said Jeremiah Grossman, founder of WhiteHat Security. “We instead observed that certain software security activities improve specific metrics, such as the number of vulnerabilities, time-to-fix, and remediation rates, more than other activities. The best approach is for organizations to identify specific security metrics they’d like to improve upon, and then strategically select activities most likely to make a positive impact.”
The report was generated by examining vulnerabilities of more than 30,000 websites under WhiteHat Sentinel management. Overall, data for 2015 turned out to be far more serious than anticipated:
- 86% of all websites tested by WhiteHat Sentinel had at least one serious vulnerability, and most of them had far more than one: 56% of sites, to be precise.
- On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
- Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.
55% of retail trade sites, 50% of health care and social assistance sites, and 35% of finance and insurance sites are always vulnerable, meaning sites had at least one serious vulnerability exposed every single day of the year. Conversely, only 16% of the retail trade sites, 18% of health care and social assistance sites, and 25% of finance and insurance sites had one or more serious vulnerabilities exposed less than 30 days of the year.
Researchers found that the best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This approach makes application security front-and-center in a development group’s daily work activity and creates an effective process to solve problems.
This year’s report showed positive results for organizations that gave priority to increasing remediation rates. Notably, the results also showed that major vertical industries aren’t placing enough focus on remediation.
- Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
- Organizations that have made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities, fixed issues nearly a month faster on average, and increased remediation rates by 15%.
- Consistent with the finding that many sites in health care, retail trade and finance were “always vulnerable,” their remediation rates are relatively low, at 20%, 21%, and 27% respectively.
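The exposure and remediation metrics the report relies on (days per year with at least one serious vulnerability open, the “always vulnerable” versus “exposed fewer than 30 days” classes, remediation rate, and mean time-to-fix) can be computed from plain finding records. The following is an added example, not WhiteHat’s code; the finding records are constructed, and the mapping of “serious” to high/critical severities is an assumption.

```python
from datetime import date, timedelta

YEAR = 2015
YEAR_START, YEAR_END = date(YEAR, 1, 1), date(YEAR, 12, 31)
# Assumption: WhiteHat's "serious" rating corresponds to these severities.
SERIOUS = {"high", "critical"}

# Constructed sample findings: (site, severity, opened, closed or None if still open)
FINDINGS = [
    ("shop.example",   "high",     date(2014, 11, 3), None),               # open all year
    ("shop.example",   "critical", date(2015, 3, 1),  date(2015, 5, 15)),
    ("clinic.example", "high",     date(2015, 1, 10), date(2015, 1, 20)),
    ("clinic.example", "high",     date(2015, 1, 15), date(2015, 2, 1)),   # overlaps previous
    ("clinic.example", "low",      date(2015, 6, 1),  None),               # not serious, ignored
    ("bank.example",   "high",     date(2015, 7, 1),  date(2015, 7, 8)),
]


def exposed_days(findings, site):
    """Days in YEAR on which `site` had at least one serious finding open.

    Overlapping findings are unioned so a day is counted once; the close
    date itself is treated as no longer exposed."""
    days = set()
    for s, severity, opened, closed in findings:
        if s != site or severity not in SERIOUS:
            continue
        start = max(opened, YEAR_START)
        last = (closed - timedelta(days=1)) if closed else YEAR_END
        end = min(last, YEAR_END)
        days.update(range(start.toordinal(), end.toordinal() + 1))  # empty if start > end
    return len(days)


def exposure_class(n_days):
    """Bucket a site the way the report does: every day, or fewer than 30 days."""
    year_len = (YEAR_END - YEAR_START).days + 1
    if n_days >= year_len:
        return "always vulnerable"
    if n_days < 30:
        return "exposed <30 days"
    return "intermittently exposed"


def remediation_metrics(findings):
    """Return (remediation rate, mean time-to-fix in days) over serious findings."""
    serious = [f for f in findings if f[1] in SERIOUS]
    fixed = [f for f in serious if f[3] is not None]
    rate = len(fixed) / len(serious) if serious else 0.0
    ttf = [(closed - opened).days for _, _, opened, closed in fixed]
    return rate, (sum(ttf) / len(ttf) if ttf else None)
```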
“The report shows that even though nowadays there are tools and solutions available, organizations are still not using them and not following best practices, hence website hacks are the order of the day. On the other hand, the data clearly shows that those organizations that perform frequent web application security tests during the different stages of the SDLC have fewer vulnerabilities and exhibit a faster time-to-fix,” Ferruh Mavituna, Netsparker CEO, told Help Net Security.