Website security vastly improves, WhiteHat finds

An examination of thousands of websites across a dozen industries has found a major reduction in the number of serious vulnerabilities exposing the properties to hackers.

The average number of serious vulnerabilities found in 2011 on the 7,000 websites monitored by WhiteHat Security fell 66 percent to 79 from 230 in 2010, according to the vendor's annual report, released Wednesday.

The number of serious vulnerabilities per site has been falling steadily since 2007, when it was 1,111.

The falling rate shows website managers are more focused on plugging holes. "Awareness is building and people are getting better in the fixing [of vulnerabilities]," Jeremiah Grossman, founder and chief technology officer of WhiteHat, said. "Web security is definitely getting more important, because the bad guys are showing that they're perfectly capable and willing to hack Web sites that aren't doing the best that they can."

Hackers are increasingly launching targeted attacks against weak websites, as opposed to automated attacks against tens of thousands of sites at once. The rising danger of a targeted attack is making companies more vigilant, Grossman said.

High-profile hacks against large corporations like AT&T, Sony and Citigroup have also hammered home the need for better site security. In addition, vendors are supplying chief security officers with better technology for finding vulnerabilities.

"There's been this growing awareness of website vulnerabilities and tools for detecting them that has raised the awareness of what can and should be done to secure websites," Scott Crawford, managing research director of Enterprise Management Associates, said. "That's been the rising tide that has lifted all boats in terms of this general increase in knowledge of common Web site exposures."

The study, which examined the sites of 500 organizations ranging from nonprofits to Fortune 500 companies, found that the time it took to fix flaws on sites fell to an average of 38 days last year, from 116 days in 2010.

The industries that fixed flaws the fastest were energy, four days; manufacturing, 17 days; and retail, 27 days. The slowest industries were nonprofits, 94 days; financial services, 80 days; and telecommunications, 50 days. Banking sites spent the fewest days (185) exposed to at least one serious vulnerability, while nonprofit sites were exposed the most (320 days).

Overall, retail sites continued to have the most security issues, with an average of 121 vulnerabilities identified per site in 2011.

WhiteHat found that the higher the severity of the vulnerability, the more likely it would be reopened in the future. The company rated serious vulnerabilities as high, critical and urgent, and found that the percentages reopened after a fix were 23 percent, 22 percent and 15 percent, respectively.

There are many reasons why such mistakes are made, Grossman said. For example, patches sometimes get overwritten with software updates or a software configuration change can damage a fix. "This is a very complicated and murky area," he said.

Cross-site scripting was the most prevalent threat, accounting for 55 percent of serious vulnerabilities. Cross-site scripting occurs when an attacker injects malicious scripts into a web page; those scripts can bypass a browser's security mechanisms to gain access to a visiting user's computer.

Information leakage was the second most prevalent vulnerability. The flaw was found in 53 percent of the sites, down from 64 percent in 2010, when the vulnerability was number one. In general, WhiteHat found that Web application firewalls would have helped mitigate slightly more than 70 percent of custom Web application vulnerabilities.

SQL injection vulnerabilities, a favorite hacker target, were the eighth most prevalent flaw. Fully 5 percent of sites had at least one such vulnerability that could be exploited without logging in to the site.

SQL injection is a popular way to attack databases through a website. SQL statements are entered into a field on a web form in an attempt to get the website to pass the command to the database. A typical request is for the database to deliver its content to the attacker.
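The mechanism described above, as an added example that is not from the article or from WhiteHat: a login query built by string formatting beside its parameterized form, run against a constructed in-memory SQLite table (the table, the account and the crafted form input are assumptions made for the demo).

```python
import sqlite3

# Constructed demo: an in-memory SQLite database with one account (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

CONN = make_db()

def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so whatever is typed into the
    form field becomes part of the SQL text the database parses."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """Binds the input as parameters: the database receives a fixed statement and
    treats the values purely as data, so they cannot change the query's logic."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demonstrate(conn=CONN):
    """Runs the same inputs through both versions and returns (vulnerable, safe)."""
    # A form value that closes the string literal and turns the rest of the
    # statement into a SQL comment; it should never authenticate anyone.
    crafted_username = "alice' --"
    return {
        "valid_credentials": (login_vulnerable(conn, "alice", "correct horse"),
                              login_parameterized(conn, "alice", "correct horse")),
        "wrong_password": (login_vulnerable(conn, "alice", "nope"),
                           login_parameterized(conn, "alice", "nope")),
        "crafted_input": (login_vulnerable(conn, crafted_username, ""),
                          login_parameterized(conn, crafted_username, "")),
    }

if __name__ == "__main__":
    for case, (vuln, safe) in demonstrate().items():
        print("%-18s string-built=%-5s parameterized=%s" % (case, vuln, safe))
```

Parameterization removes the root cause in the application code, whereas the Web application firewall mitigation the article mentions only filters requests in front of it.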

Such vulnerabilities have been around for years, and the fact that they persist speaks to the difficulty in building a defense. "It just shows us how far we still have yet to go in terms of dealing with them and how difficult it can be to remediate some of these exposures," Enterprise Management Associates' Crawford said.

Stories by Antone Gonsalves