Business Issues -> Security & Risk
Released: 3rd May 2013
Publisher: WhiteHat Security
Santa Clara, Calif. – May 2, 2013 – WhiteHat Security, the Web security company, today announced the 2013 edition of the WhiteHat Security Website Security Statistics Report. This is the first time an industry report has correlated vulnerability data from tens of thousands of websites from more than 650 organizations, continuously monitored by WhiteHat Sentinel, with software development lifecycle (SDLC) activity data obtained from 76 survey respondents.
“Website security is an ever-moving target, and organizations need to better understand how various parts of the SDLC affect the introduction of vulnerabilities, which leave the door open to breaches,” said Jeremiah Grossman, co-founder and CTO of WhiteHat Security. “This report – comprising survey and website vulnerability data – is the first time we can correlate various software security controls and SDLC behaviors to vulnerability outcomes and breaches. The results are both insightful and complex.”
The Current State of Website Security
In 2012, the average number of serious* vulnerabilities per website continued to decline, going from 79 in 2011 down to 56 in 2012. Despite this, 86 percent of all websites tested were found to have at least one serious vulnerability exposed to attack every single day of 2012. Of the serious vulnerabilities found, on average 61 percent were resolved and only 18 percent of websites were vulnerable for fewer than 30 days in 2012. On average, resolving these vulnerabilities took 193 days from the first notification.
WhiteHat Security designated each tested site by industry, and a closer look revealed that:
Top Ten Vulnerability Classes
The two most prevalent vulnerability classes in 2012 were Information Leakage and Cross-Site Scripting, identified in 55 percent and 53 percent of websites respectively. The next eight most prevalent include: Content Spoofing – 33 percent; Cross-site Request Forgery – 26 percent; Brute Force – 26 percent; Fingerprinting – 23 percent; Insufficient Transport Layer Protection – 22 percent; Session Fixation – 14 percent; URL Redirector Abuse – 13 percent; Insufficient Authorization – 11 percent.
SQL Injection continued its downward slide from 11 percent in 2011 to 7 percent in 2012, no longer making the Top 10.
Best Practices May Not Result in Better Security
In correlating the survey results with vulnerability data, WhiteHat Security could see how software security controls, or “best practices” impacted the actual security of organizations. Some of the findings include:
Some of this data implies that best practices such as software security training are effective, yet some of the statistics clearly show that following best practices does not necessarily lead to better security.
Accountability and Compliance
In the event an organization experiences a website or system breach, WhiteHat Security found that 27 percent said the Board of Directors would be accountable. Additionally, 24 percent said Software Development, 19 percent Security Department, and 18 percent Executive Management. Should the organizations also provide software security training to its programmers and also perform static code analysis, Software Development was held most accountable in the event of a breach.
Additionally, the correlated data revealed that compliance is the primary driver for organizations to resolve vulnerabilities, but also the number one reason organizations do not resolve vulnerabilities. In other words, vulnerabilities are fixed if required by compliance mandates; however, if compliance does not require a fix, the vulnerability remains, despite possible implications to the overall security posture of the site.
“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security. It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Grossman. “This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges. Our hope is that they will address these issues we have identified and base their decisions on a foundation of data to improve the state of Web security over time.”
To view the complete report, visit https://www.whitehatsec.com/resource/stats.html.
*Serious vulnerabilities are defined as those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news. In short, serious vulnerabilities are those that should really be fixed.
About WhiteHat Security
Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, currently manages more than 15,000 websites – including sites in the most regulated industries, such as top e-commerce, financial services and healthcare companies.
Eskenzi PR for WhiteHat Security
Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761