Among the report's findings, WhiteHat's data shows that the average number of serious vulnerabilities found per website per year fell to 79 in 2011, a substantial reduction from 230 in 2010 and 1,111 in 2007.
Despite this significant improvement in the state of website security, organizations still struggle to build security programs that balance breadth of coverage with depth of testing, and that gap leaves either large attack surfaces or small but very high-risk vulnerabilities open to attackers.
The report examined data from more than 7,000 websites across over 500 organizations that are continually assessed for vulnerabilities by WhiteHat Security’s family of Sentinel Services. This process provides a real-world look at website security across a range of vertical markets, including findings from the energy and non-profit verticals for the first time this year. The metrics provided serve as a foundation for improving enterprise application security online.
This year’s report found a notable improvement in application vulnerability management across all verticals in 2011. Banking websites continued to have the fewest serious vulnerabilities of any industry, averaging 17 per website, and had the highest remediation rate of any industry at 74%.
“It’s imperative that organizations utilize this real-world overview of application security, an area that is often overlooked until a weakness or vulnerability is exposed, to understand their own security posture and avoid costly data breaches,” said Jeremiah Grossman, CTO, WhiteHat Security. “By focusing on the facts and building a website security program that fits into their overall business strategy, organizations can improve product development, lower costs, and raise customer confidence.”
WhiteHat researchers also found that, although remediation rates continue to increase, the higher the severity of a vulnerability, the more likely it is to reopen in the future. While there are likely to be a number of causes, one plausible explanation is a deficient ‘hot-fix’ process: a high-severity vulnerability is fixed quickly, live on the website, but the change is not back-ported to the development branch, so a future software release overwrites the patch and the vulnerability returns.
With serious vulnerabilities categorized as High, Critical or Urgent severity, the report found that 23% of vulnerabilities marked Urgent were reopened, compared with 22% of Critical and 15% of High severity vulnerabilities.
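The reopen pattern described above is something a security program can measure for itself: if each scan lists the findings still open, a finding that disappears and then comes back in a later release is a reopen, and the release in which it reappears is the one to check for a lost hot-fix. The script below is an added example, not code from WhiteHat or its Sentinel Services; the scan snapshots, finding IDs and release labels are constructed for illustration and the severity names mirror the report's High/Critical/Urgent scale.

```python
"""Track findings across successive scans and flag the ones that reopen.

Added example (not WhiteHat's code): each scan is a snapshot of the
findings still open at that point. A finding that was open, then absent,
then present again has reopened; the label of the scan in which it
reappeared points at the release that reintroduced it.
"""

# Constructed scan snapshots, in chronological order: (label, {finding_id: severity}).
# Story: F1 (Urgent) is hot-fixed live in March, then returns when release-2.0
# ships from a development branch that never received the fix. F3 is fixed in
# release-2.0 and regresses in release-2.1. F4 is fixed and stays fixed.
SCANS = [
    ("2011-Q1-baseline", {"F1": "Urgent", "F2": "High", "F3": "Critical", "F4": "High"}),
    ("hotfix-2011-03",   {"F2": "High", "F3": "Critical", "F4": "High"}),
    ("release-2.0",      {"F1": "Urgent", "F2": "High", "F4": "High"}),
    ("release-2.1",      {"F2": "High", "F3": "Critical"}),
]


def classify(scans):
    """Return {finding_id: {"severity", "ever_closed", "reopened_at"}}.

    A finding is 'closed' once it has been open in an earlier scan and is
    absent from a later one; it is 'reopened' if it shows up again after
    such a close. Findings first seen late are not counted as closed for
    the scans before they appeared.
    """
    severity = {}
    for _, findings in scans:
        for fid, sev in findings.items():
            severity.setdefault(fid, sev)

    result = {}
    for fid, sev in severity.items():
        seen_open = False   # has this finding ever been reported open?
        closed = False      # is it currently absent after having been open?
        ever_closed = False
        reopened_at = []
        for label, findings in scans:
            if fid in findings:
                if closed:
                    reopened_at.append(label)
                    closed = False
                seen_open = True
            elif seen_open:
                closed = True
                ever_closed = True
        result[fid] = {"severity": sev, "ever_closed": ever_closed,
                       "reopened_at": reopened_at}
    return result


def reopened_findings(scans):
    """Map each reopened finding to the scan labels in which it reappeared."""
    return {fid: info["reopened_at"]
            for fid, info in classify(scans).items() if info["reopened_at"]}


def reopen_rate_by_severity(scans):
    """Per severity: (findings that reopened, findings that were ever closed)."""
    counts = {}
    for info in classify(scans).values():
        if not info["ever_closed"]:
            continue   # never fixed, so it cannot have reopened
        reopened, closed = counts.get(info["severity"], (0, 0))
        counts[info["severity"]] = (reopened + bool(info["reopened_at"]), closed + 1)
    return counts


def report(scans):
    """Human-readable summary lines, one per severity plus one per reopen."""
    lines = []
    for sev, (reopened, closed) in sorted(reopen_rate_by_severity(scans).items()):
        lines.append(f"{sev}: {reopened}/{closed} closed findings reopened "
                     f"({100 * reopened // closed}%)")
    for fid, labels in sorted(reopened_findings(scans).items()):
        lines.append(f"{fid} reopened in: {', '.join(labels)} "
                     "(check whether the fix reached the release branch)")
    return lines


if __name__ == "__main__":
    for line in report(SCANS):
        print(line)
```

Run over real scan exports, the `reopened_at` labels are the actionable part: every release that reintroduces a finding is a candidate for a hot-fix that was applied in production but never merged back into the branch the release was built from.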
It is also important to note that Web Application Firewalls (WAFs) may have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified. It just so happens that the most common vulnerability classes are the ones WAFs are most adept at defending against. A WAF blocks attack traffic aimed at a vulnerability rather than removing the flaw from the code, so it is a compensating control that buys time for a proper fix, not a substitute for one.