This is the classic glass-half-full-or-half-empty question: the number of serious vulnerabilities per website fell for the third year in a row, but the average website still carried 56 holes in 2012, new research shows.
Half full or half empty? Yes, 56 is better than the 79 flaws per website reported in 2011, and it is quite an improvement on the 230 vulnerabilities per site reported in 2010, according to statistics compiled by WhiteHat Security researchers Jeremiah Grossman, Matt Johansen, and Gabriel Gumbs and based upon data gathered from tens of thousands of websites.
Put another way, if WhiteHat Security's sample is representative of the whole Internet, then 86 percent of sites on the Web contain at least one serious vulnerability.
WhiteHat defines serious vulnerabilities as “those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”
Sixty-one percent of the vulnerabilities uncovered by WhiteHat researchers were eventually resolved, though it took, on average, 193 days (more than half a year) to move from detection to resolution.
On the other hand, 18 percent of the sites they examined spent fewer than 30 days vulnerable. For the mathematically challenged, this means that 82 percent of websites spent at least 30 days of last year vulnerable to at least one serious flaw. Thirty-three percent of all the websites in the report were vulnerable every day of 2012.
Entertainment and media sites were the best about resolving vulnerabilities in a timely fashion. Government and gaming sites followed closely behind entertainment and media sites. Education, healthcare, and insurance websites were slowest to plug holes. Gaming, telecommunications, and energy sector sites fixed the highest percentage of their vulnerabilities while non-profits, social networks, gaming, and food and beverage companies were the worst about supplying patches for their bugs.
Information technology and energy sector sites stood out in the report as the two industries that actually had more vulnerabilities per site in 2012 than in 2011. IT topped the list with an average of 114 vulnerabilities per site, narrowly ahead of retail sites, which averaged 110. Despite persistent accusations of inefficiency, government sites contained the fewest vulnerabilities, followed closely by banking sites, with eight and 12 per site respectively. Banks, traditionally the best sector at vulnerability remediation, did poorly on that front this year, fixing only slightly more than half of the bugs found on their sites.
Among the sites analyzed by WhiteHat, every manufacturing, education, energy, government, and food and beverage website had at least one serious vulnerability.
The top ten most common vulnerability classes uncovered by WhiteHat in 2012 were information leakage in 55 percent of sites, cross-site scripting in 53 percent, content spoofing in 33 percent, cross-site request forgery in 26 percent, brute force in 26 percent, fingerprinting in 23 percent, insufficient transport layer protection in 22 percent, session fixation in 14 percent, URL redirector abuse in 13 percent, and insufficient authorization in 11 percent. SQL injection vulnerabilities are no longer among the top ten most common types of vulnerabilities.
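As an added illustration (this is the editor's example, not code from the WhiteHat report or from any site it surveyed), here is what two of the listed classes look like in practice: cross-site scripting, the second most common class, and URL redirector abuse (an open redirect), in vulnerable and hardened form. The function names, the `next` parameter and the `https://example.invalid` placeholder origin are assumptions made for the example.

```javascript
// Added example, not from the WhiteHat report. Shows a vulnerable and a
// hardened version of two classes in the top ten: cross-site scripting
// and URL redirector abuse (open redirect). Names are hypothetical.

// --- Cross-site scripting ---
// Vulnerable: untrusted input is concatenated straight into HTML.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: escape the five characters that matter in HTML text and
// double-quoted attribute context before interpolating.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// --- URL redirector abuse ---
// Vulnerable: the server redirects wherever the "next" parameter says,
// so https://site/login?next=//evil.example lands the user on evil.example.
function redirectTargetUnsafe(next) {
  return next;
}

// Hardened: accept only a same-site relative path; anything else falls
// back to "/". "https://example.invalid" is a placeholder base origin
// used purely for parsing.
function redirectTargetSafe(next, fallback = "/") {
  if (typeof next !== "string") return fallback;
  // Must begin with exactly one "/": "//host" and "/\host" are treated as
  // scheme-relative URLs by browsers and would leave the site.
  const sameSitePath = /^\/(?![\/\\])/;
  if (!sameSitePath.test(next)) return fallback;
  // Reject control characters and backslashes, which some browsers
  // normalise to "/" after the check above has already passed.
  if (/[\x00-\x1f\\]/.test(next)) return fallback;
  // Parse against the placeholder origin and confirm it did not change.
  const parsed = new URL(next, "https://example.invalid");
  if (parsed.origin !== "https://example.invalid") return fallback;
  // Re-check the normalised result: "/..//evil.example" parses to the
  // pathname "//evil.example", which would again be scheme-relative.
  const out = parsed.pathname + parsed.search + parsed.hash;
  return sameSitePath.test(out) ? out : fallback;
}

// Constructed sample inputs for a stand-alone run.
const xssPayload = "<script>alert(1)</script>";
console.log(renderGreetingUnsafe(xssPayload)); // script tag survives intact
console.log(renderGreetingSafe(xssPayload));   // tag is rendered as text
console.log(redirectTargetUnsafe("//evil.example/phish")); // leaves the site
console.log(redirectTargetSafe("//evil.example/phish"));   // "/"
console.log(redirectTargetSafe("/..//evil.example"));      // "/"
console.log(redirectTargetSafe("/account?tab=1"));         // "/account?tab=1"
```

The second redirect check is the part practitioners most often omit: validating the raw parameter is not enough when the URL parser's dot-segment normalisation can turn an apparently local path back into a scheme-relative one, so the check has to be repeated on the string that will actually be sent in the Location header.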