Coding mistakes on websites continue to decline as companies get better at fixing them, but attackers' skills keep improving.
The average number of serious vulnerabilities introduced to websites by developers in 2011 was 148, down from 230 in 2010 and 480 in 2009, said Jeremiah Grossman, chief technology officer for WhiteHat Security, which specializes in testing websites for security issues.
These vulnerabilities live in each organization's own custom website code, so there is no vendor patch that fixes them, Grossman said. On the whole, it takes organizations an average of 100 days to fix about half of their vulnerabilities, according to WhiteHat Security.
The risk is that an attacker finds a vulnerability the company has not fixed promptly, leading to a high-profile data breach.
Attackers are honing their skills and becoming more focused, using a wider array of improved tools to find coding problems in websites. “Offense gets better every year,” Grossman said.
Security analysts at Grossman's company continuously try to hack websites belonging to major financial institutions and other companies, with permission. Developers at those companies don't tell WhiteHat when they roll out new features or make changes; WhiteHat's testers go to work on whatever is deployed, looking for cross-site scripting flaws, SQL injection and information leakage vulnerabilities.
“We are constantly smashing [websites],” Grossman said. “We’re LulzSec or Anonymous 24/7. We don’t stop.”
In a world that revolves around risk assessment, companies decide whether to fix each problem, which often means reassigning a developer from a new feature the business needs to ship. Whether or not to fix is a gamble: an attacker may never find the vulnerability, but it could cost the company dearly if one does.
The best scenario, he said, is to build security in from the start and then write solid software.