A new study from WhiteHat Security has found that the vast majority of websites have at least one serious vulnerability.
So what counts as a serious vulnerability? In this case, it is a flaw that could allow an attacker to take control of the website or part of it, or one that could be used to reach sensitive data such as usernames and passwords.
No less than 86 per cent of the websites studied were found to have at least one such vulnerability. Possibly even more worrying, 56 per cent of websites had more than one.
The WhiteHat Security Website Security Statistics Report for 2015 drew its data from some 30,000 websites covered by WhiteHat’s Sentinel vulnerability management service.
It also found that the majority of these vulnerabilities, 61 per cent of them, were eventually resolved. The time taken to plug them was a further worry, though: on average it took just over six months from the initial notification of the issue.
The WhiteHat researchers noted that the vulnerability most likely to be present across all industry sectors was insufficient transport layer protection, which was found on 65 to 76 per cent of sites depending on the sector. This class covers sites that send sensitive data such as logins or session cookies over unencrypted or weakly configured connections.
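A quick check for the header-level symptoms of insufficient transport layer protection, added here as an illustration and not taken from the WhiteHat report or its Sentinel service. It inspects captured HTTP responses (the sample responses below are constructed, not real sites) for the signs a scanner would flag under this class: a page served over plain HTTP, cookies set without the Secure attribute, a missing HSTS policy, and redirects back to http://.

```python
"""Static check for symptoms of insufficient transport layer protection.

Added example for this article, not WhiteHat's code. It inspects captured
HTTP response headers (constructed sample below) for the signs a scanner
would flag under this class: a page served over plain HTTP, cookies set
without the Secure attribute, no HSTS policy, and redirects to http://.
"""
from typing import Dict, List


def check_transport_protection(url: str, headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings for one response.

    headers maps lower-cased header names to the list of values seen
    (Set-Cookie may legitimately appear several times in one response).
    """
    findings: List[str] = []
    is_https = url.lower().startswith("https://")

    if not is_https:
        findings.append("page served over plain HTTP")

    # HSTS is only honoured on HTTPS responses; its absence there means a
    # later downgrade to http:// (e.g. a typed URL) is never prevented.
    if is_https and not headers.get("strict-transport-security"):
        findings.append("no Strict-Transport-Security header")

    # Without Secure, the browser will send the cookie over plain HTTP too.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} set without Secure attribute")

    # A redirect that sends the client back to http:// throws away the
    # protection of the current HTTPS connection.
    for location in headers.get("location", []):
        if location.lower().startswith("http://"):
            findings.append(f"redirect to plaintext URL {location}")

    return findings


# Constructed sample responses (hostnames are placeholders, not real sites).
SAMPLE_RESPONSES = {
    "https://shop.example/login": {
        "set-cookie": ["SESSIONID=abc123; Path=/; HttpOnly"],
        "content-type": ["text/html"],
    },
    "http://portal.example/account": {
        "set-cookie": ["sid=xyz; Path=/"],
    },
    "https://bank.example/": {
        "strict-transport-security": ["max-age=31536000; includeSubDomains"],
        "set-cookie": ["sid=xyz; Path=/; Secure; HttpOnly"],
        "location": ["http://bank.example/legacy"],
    },
}


def scan(responses: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Run the check over a mapping of URL -> response headers."""
    return {url: check_transport_protection(url, h) for url, h in responses.items()}


if __name__ == "__main__":
    for url, findings in scan(SAMPLE_RESPONSES).items():
        print(url, "->", findings or ["ok"])
```

This only looks at what the server says about itself in headers. The other half of the class, weak protocol versions and cipher suites on the TLS connection itself, needs an actual handshake against the host and is not covered by a static header check like this one.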
The report also found that 55 per cent of retail websites were "always vulnerable", meaning they had at least one serious vulnerability open on every single day of the year. That was also the case for 50 per cent of healthcare websites and 35 per cent of finance and insurance websites.
WhiteHat further advised that the best way to tackle this sort of flaw and speed up resolution was to feed vulnerability results back to development through the bug tracking channels teams already use.
The company observed: “This approach makes application security front-and-centre in a development group’s daily work activity and creates an effective process to solve problems. This year’s report yielded positive results when priority was given to increasing remediation rates.”
Jeremiah Grossman, founder of WhiteHat Security, commented: “We realise that using compliance as a driver to remediate vulnerabilities is a double-edged sword, but the data demonstrates that those companies have the best statistics in terms of securing their organisation’s sites.
“This year’s report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.”