WhiteHat Security released a report assembled from real-world website security data and found a tremendously high percentage of Web sites have at least one critical vulnerability.
The most common flaws - cross-site scripting and SQL Injection.
The report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continue to slowly increase.
In its latest iteration of its annual Website Security Statistics report, WhiteHat found 64 percent of the 1,364 sites the company analyzed have at least one serious vulnerability.
But the news isn’t all bad - according to the company, 17 percent of the sites have never had a serious vulnerability.
83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue. This proves to be significant in that no website can be deemed immune – all websites have an opportunity to be compromised.Here is the Press Release:
WhiteHat Security Unveils Biggest Website Security Weaknesses in Latest Statistics Report
SANTA CLARA, Calif. – November 12, 2009 – WhiteHat Security, the leading provider of website risk management solutions, today released the eighth installment of the WhiteHat Security Website Security Statistics Report, a high-level perspective on major website security issues that continue to compromise corporate data across all industries. WhiteHat’s report, assembled from real-world website security data, cites the Top 10 website vulnerabilities and provides insight into the evolving challenges facing organizations today.WhiteHat’s Statistics Report provides an opportunity for businesses to understand the most prevalent vulnerabilities so they can develop and implement an effective website risk management program, reduce exposure and improve their overall security posture. WhiteHat created the report to educate the business community and general public about the most prevalent vulnerabilities that can lead to website compromises.
Unsurprisingly, only 36 percent of websites in the report currently do not have any serious vulnerabilities. From a historical perspective, this percentage drops to 17. Through its research, WhiteHat found that the characteristics of websites currently without any serious issues were nearly identical to those with them, with the exception that they had about half as many from the start. This proves to be significant in that no website can be deemed immune – all websites have an opportunity to be compromised. These odds are reduced when the business decides to proactively identify and remediate their vulnerabilities.
“It is extremely interesting to see that all the websites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities,” said Jeremiah Grossman, founder and chief technology officer, WhiteHat Security. “The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their website, reputation and customers.”
Recent attacks on thousands of Web properties including Twitter, Facebook and MySpace also validate WhiteHat’s findings that these platforms have what hackers are eager to steal – user supplied data. With 86 percent of these sites hosting urgent, critical or high severity vulnerabilities, social networks lead all verticals. A close second, education websites are also highly vulnerable, with 83 percent having at least one serious vulnerability. This is not surprising, as educational institutions have many public-facing applications and often do not have significant resources dedicated to website security.
WhiteHat’s latest report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continue to slowly increase. WhiteHat also finds that 83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which means encouragingly that the majority – over 13,000 – have been closed.
As in previous reports, Cross-Site Scripting and SQL Injection continue to be fixtures in the Top 10 list along with many other common classes of attack. The report also shows that fix percentages are climbing for some and decreasing for others. In particular, more organizations are repairing technical issues such as SQL Injection and Cross-Site Scripting in larger volumes, an indication that awareness is building regarding the prevalence of easy exploitations of these specific vulnerabilities.
The report statistics were gathered through the deployment of WhiteHat Sentinel, a Software-as-a-Service (SaaS) based website risk management solution, providing the most accurate vulnerability information in the industry. WhiteHat Sentinel executes rigorous and ongoing website security assessments on more than 1,500 websites that helps companies protect their brands, comply with PCI Compliance and avoid costly and damaging breaches.
WhiteHat founder Jeremiah Grossman will host a webinar to reveal and analyze more of the report findings on Thursday, November 12, 2009 at 11:00 a.m. PT / 2:00 p.m. ET. For more information, visit WhiteHat’s site at www.whitehatsec.com and see the upcoming events section. You can also register at https://whitehatsec.market2lead.com/go/whitehatsec/stats111209.
About WhiteHat Security, Inc.
Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company’s flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the visibility, flexibility, and control that organizations need to prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls. To learn more about WhiteHat Security, please visit our website at www.whitehatsec.com.