Study finds 64 percent of websites contain serious flaws


While a number of trusted sources continually decry the vulnerabilities present in web applications, this vector remains the primary avenue of attack for cybercriminals, according to a WhiteHat Website Security Statistics Report released on Thursday.

Despite the metrics that back up those warnings and any number of best-practice recommendations, many organizations, particularly those building custom web applications, remain at risk, says the report, which draws on data collected from Jan. 1, 2006 to Oct. 1, 2009 across more than 1,300 websites.

The problem is exacerbated because custom web application software, such as that used by big e-commerce sites, cannot be secured by applying a vendor patch, Jeremiah Grossman, founder and CTO of WhiteHat, told SCMagazineUS.com. And that, he said, includes the vast majority of sites.

The amount of time it takes to repair a vulnerability once discovered is also an issue for those charged with maintaining network security. According to the WhiteHat report: "The time to fix should be as short as possible because an open vulnerability represents an opportunity for hackers to exploit the website, but no remedy is instantaneous."

Resolution could take the form of a software update, configuration change, or web application firewall rule, the report said.

But the good news is that more organizations are repairing the technical issues behind these threats.

"We have the answers and know how to fix these vulnerabilities," Grossman said. "The task is to motivate the business to do so. It's a matter of resource allocation."

As there are at least 24 different classes of web exploits, enterprises are under a lot of pressure to ensure their sites receive security checkups, said Grossman.

Cross-site scripting and SQL injection remain the two most common classes of vulnerability, while social networking and education sites are the two verticals with the most vulnerabilities, according to the report.
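To make the two vulnerability classes above concrete, and to show the difference between the remedies the report lists (a code fix versus an interim web application firewall rule), here is an added example that is not part of the report or the article. It is a constructed Python handler: a lookup with a SQL injection flaw and an output path with a reflected XSS flaw, each beside its hardened form, plus a crude pattern-based filter standing in for a WAF rule. The in-memory user table, the function names and the filter patterns are all assumptions made for illustration.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the report): a tiny in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the user-supplied name is concatenated into the query text."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """The code fix: a parameterised query, so the input can never become SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """Reflected XSS: the input is echoed into HTML without encoding."""
    return "<p>Results for %s</p>" % name


def render_fixed(name):
    """The code fix: HTML-encode untrusted data before placing it in markup."""
    return "<p>Results for %s</p>" % html.escape(name, quote=True)


# A stand-in for a WAF rule (hypothetical patterns): block requests whose
# parameters look like the common injection payloads. This is the interim
# remedy the report mentions; it buys time while the code is fixed, nothing more.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\s+|--|;|union\s+select", re.IGNORECASE)
XSS_PATTERN = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def waf_allows(value):
    """Return True if the value passes the (bypassable) signature filter."""
    return not (SQLI_PATTERN.search(value) or XSS_PATTERN.search(value))


def handle_request(conn, name, virtual_patch=False):
    """Route a request through the vulnerable code, optionally behind the filter."""
    if virtual_patch and not waf_allows(name):
        return "blocked", []
    return render_vulnerable(name), lookup_vulnerable(conn, name)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # dumps every row
    print("fixed:     ", lookup_fixed(db, payload))        # no match
    print("waf:       ", handle_request(db, payload, virtual_patch=True))
    # The filter is only a stopgap: SQL comments stand in for the spaces it looks for.
    print("bypass:    ", handle_request(db, "x'/**/OR/**/'1'='1", virtual_patch=True))
```

The last line is the caveat a practitioner should keep in mind: the filter catches the textbook payload but not a trivially obfuscated one, which is why the report treats a WAF rule as a remedy that shortens the exposure window rather than as a substitute for fixing the code.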

"Taking application security seriously is more than just spending more – it is being strategic," the report said.

Among the sites examined by WhiteHat, only 36 percent were found to be free of serious vulnerabilities. Those sites look much like the vulnerable ones, but their owners chose to fix the issues they found, reducing the potential for attack, said Grossman.

Thirty years ago, criminals robbed brick-and-mortar banks, said Grossman. Today, every bank and company is equidistant to a cybercriminal.

"You can rob banks no matter where you are," he said.
