Website security vastly improves, WhiteHat finds

Falling rate shows website managers more focused on plugging holes

An examination of thousands of websites across a dozen industries has found a major reduction in the number of serious vulnerabilities exposing the properties to hackers.

The average number of serious vulnerabilities found in 2011 on the 7,000 websites monitored by WhiteHat Security fell 66 percent to 79 from 230 in 2010, according to the vendor's annual report, released Wednesday.

The decline in security flaws has been falling steadily since 2007, when the number was 1,111.

The falling rate shows website managers are more focused on plugging holes. "Awareness is building and people are getting better in the fixing [of vulnerabilities]," Jeremiah Grossman, founder and chief technology officer of WhiteHat, said. "Web security is definitely getting more important, because the bad guys are showing that they're perfectly capable and willing to hack Web sites that aren't do the best that the can."

Hackers are increasingly launching targeted attacks against weak websites, as opposed to automated attacks against tens of thousands of sites at once. The rising danger of a targeted attack is making companies more vigilant, Grossman said.

High-profile hacks against large corporations like AT&T, Sony and Citigroup have also hammered home the need for better site security. In addition, vendors are supplying chief security officers with better technology for finding vulnerabilities.

"There's been this growing awareness of website vulnerabilities and tools for detecting them that has raised the awareness of what can and should be done to secure websites," Scott Crawford, managing research director of Enterprise Management Associates, said. "That's been the rising tide that has lifted all boats in terms of this general increase knowledge of common Web site exposures."

The study, which examined the sites of 500 organizations ranging from nonprofits to Fortune 500 companies, found that the time it took to fix flaws on sites fell to an average of 38 days last year, from 116 days in 2010.

The industries that fixed flaws the fastest were energy, four days; manufacturing, 17 days; and retail, 27 days. The slowest industries were nonprofits, 94 days; financial services, 80 days; and telecommunications, 50 days. Banking sites had the fewest number of days (185) in which they were exposed to at least one serious vulnerability, while nonprofit sites were exposed the most (320 days). 

Overall, retail sites continued to have the most security issues, with an average of 121 vulnerabilities identified per site in 2011.

WhiteHat found that the higher the severity of the vulnerability, the more likely it would be reopened in the future. The company rated serious vulnerabilities as high, critical and urgent, and found that the percentages reopened after a fix were 23 percent, 22 percent and 15 percent, respectively.

There are many reasons why such mistakes are made, Grossman said. For example, patches sometimes get overwritten with software updates or a software configuration change can damage a fix. "This is a very complicated and murky area," he said.

Cross-site scripting was the most prevalent threat, accounting for 55 percent of serious vulnerabilities. Cross-site scripting is when an attacker injects into a web page malicious scripts that can bypass a browser's security mechanism to gain access to a visiting user's computer.

Information leakage was the second most prevalent vulnerability. The flaw was found in 53 percent of the sites, down from 64 percent in 2010, when the vulnerability was number one. In general, WhiteHat found that Web application firewalls would have helped mitigate slightly more than 70 percent of custom Web application vulnerabilities.

SQL injection vulnerabilities, a favorite hacker target, was the eighth most prevalent flaw. Fully 5 percent of sites had at least one such vulnerability that could be exploited without logging in to the site.

SQL injection is a popular way to attack databases through a website. SQL statements are entered into a field on a web form in an attempt to get the website to pass the comman to the database. A typical request is for the database to deliver its content to the attacker.

Such vulnerabilities have been around for years, and the fact that they persist speaks to the difficulty in building a defense. "It just shows us how far we still have yet to go in terms of dealing with them and how difficult it can be to remediate some of these exposures," Enterprise Management Associates' Crawford said.

Copyright © 2012 IDG Communications, Inc.

8 pitfalls that undermine security program success