Vulnerabilities Drop Per Site, Most Sites Remain Vulnerable

ID THREATPOST:A80089DFB2006353086D9308E7FF0879
Type threatpost
Reporter Brian Donohue
Modified 2013-07-02T18:17:23


For at least the third year in a row, the number of serious vulnerabilities per website has fallen. That sounds like good news until you look at the numbers and realize that the average website carried an astonishing 56 holes in 2012, according to statistics compiled by WhiteHat Security researchers Jeremiah Grossman, Matt Johansen, and Gabriel Gumbs and based upon data gathered from tens of thousands of websites.

Sure, 56 is better than the 79 flaws per website reported in 2011, and it’s an enormous improvement on the 230 vulnerabilities per site reported way back in 2010, but, if WhiteHat Security’s sample is representative of the whole Internet, then we’re still working with an Web on which 86 percent all websites contain at least one serious vulnerability.

Serious vulnerabilities are defined by WhiteHat as “those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”

Some 61 percent of the vulnerabilities uncovered by WhiteHat researchers were eventually resolved, though it took, on average, 193 days to move from vulnerability detection to resolution. On the other hand, just 18 percent the sites they examined spent fewer than 30 days vulnerable. For the mathematically challenged, this means that a staggering 82 percent of websites spent somewhere between 31 and 365 days of last year vulnerable to at least one serious flaw. 33 percent of all the websites in the report were vulnerable every day of 2012.

For what it’s worth, entertainment and media sites had “the highest remediation rate,” meaning they were the best about resolving vulnerabilities in a timely fashion. Government and gaming sites followed closely behind entertainment and media sites in that category. Education, healthcare, and insurance websites were slowest to plug up holes. Gaming, telecommunications, and energy sector sites fixed the highest percentage of their vulnerabilities while non-profits, social networks, gaming, and food and beverage companies were the worst about supplying patches for their bugs.

Information technology and energy sector sites stood out in the report as the two industries that actually had more vulnerabilities per site in 2012 than 2011. IT reportedly took tops with an average 114 vulnerabilities per site – narrowly beating out retail sites, which allegedly contained 110 vulnerabilities on average. Despite persistent accusations of inefficiency, Government sites contained the fewest vulnerabilities followed closely by banking sites, with eight and 12 per respectively. Banks, traditionally the best sector as far as vulnerability remediation goes, did a poor job with that this year, fixing only slightly more than half of the bugs they encountered.

Among the sites analyzed by WhiteHat, every manufacturing, education, energy, government, and food and beverage website had at least one serious vulnerability.

WhiteHat also surveyed some 75 organizations. 57 percent of those had some sort of “instructor-led” software security training. Those organizations hosted sites with 40 percent less vulnerabilities, which they resolved 59 percent faster, but also had a 12 percent lower-than-average remediation rate. While this statistic seems to suggest that following “best practices” improves an organizations overall security posture, other findings indicated otherwise. Organizations that performed of static code analysis and implemented Web application firewalls had more vulnerabilities on their sites and lower remediation rates.

The top ten most common vulnerability classes uncovered by WhiteHat in 2012 were information leakage in 55 percent of sites, cross-site scripting in 53 percent, content spoofing in 33 percent, cross-site forgery requests in 26 percent, brute force in 26 percent, fingerprinting in 23 percent, insufficient transport layer protection in 22 percent, session fixation in 14 percent, URL redirector abuse in 13 percent, and insufficient authorization in 11 percent. SQL injection vulnerabilities are no longer among the top ten most common types of vulnerabilities.