I'm reading through the WhiteHat Website Security Statistics Report released yesterday, and there are plenty of interesting data points. Here are some nuggets.
First, a word on how this was put together: The company sifted through data from more than 650 organizations and tens of thousands of real-world websites continually monitored by WhiteHat Sentinel Services. Among the high points (or low points, depending on one's perspective):
86 percent of all websites had at least one serious* vulnerability.
The average number of serious* vulnerabilities identified per website was 56, continuing the downward trend from 79 in 2011 and 230 in 2010.
Serious* vulnerabilities were resolved in an average of 193 days from first notification.
61 percent of all serious* vulnerabilities were resolved, slightly below the 63 percent from 2011, but still up from 53 percent in 2010 and far better than 2007, when it was just 35 percent.
*Serious vulnerabilities are defined as those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news. In short, serious vulnerabilities are those that should really be fixed.
As for the Top Ten most prevalent vulnerability classes in 2012, the list is relatively close to last year's, though Information Leakage surpassed Cross-Site Scripting yet again:
1.) Information Leakage – 55 percent of websites
2.) Cross-Site Scripting – 53 percent of websites
3.) Content Spoofing – 33 percent of websites
4.) Cross-Site Request Forgery – 26 percent of websites
5.) Brute Force – 26 percent of websites
6.) Fingerprinting – 23 percent of websites
7.) Insufficient Transport Layer Protection – 22 percent of websites
8.) Session Fixation – 14 percent of websites
9.) URL Redirector Abuse – 13 percent of websites
10.) Insufficient Authorization – 11 percent of websites
--57 percent of organizations surveyed provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40 percent fewer vulnerabilities, resolved them 59 percent faster, but exhibited a 12 percent lower remediation rate.
--39 percent of organizations said they perform some amount of Static Code Analysis on the applications underlying their website(s). These organizations experienced 15 percent more vulnerabilities, resolved them 26 percent slower, and had a 4 percent lower remediation rate.
--55 percent of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11 percent more vulnerabilities, resolved them 8 percent slower, and had a 7 percent lower remediation rate.
One caveat worth keeping in mind when reading the last three bullets: these are correlations across self-reported organizations, not controlled comparisons. An organization that already knows it has a large vulnerability backlog is more likely to buy static analysis or deploy a WAF, so the numbers don't show that those controls make things worse, only that the organizations using them had worse numbers.