Websites riddled with vulnerabilities: WhiteHat study

Most legitimate websites average seven vulnerabilities, with nine out of 10 containing serious flaws that hackers can exploit, the latest WhiteHat Website Security Statistics Report revealed.

The fourth installment of the report, released Monday, called out the top 10 most prevalent vulnerabilities and provided a vertical industry breakdown based on attacks. The top 10 is determined by the likelihood of that type of vulnerability showing up on the website.

The survey sample covered between 600 and 700 websites, including some of the most trafficked sites on the web, said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. The sample set included retail, insurance, financial and IT sites.

“These aren't like the well-known vulnerability issues that get patched,” Grossman told SCMagazineUS.com on Monday. “These are largely unknown issues on live websites.”

Leading the list of vulnerabilities is cross-site scripting (XSS), which appeared in approximately 70 percent of websites. Other top vulnerabilities included SQL injection and cross-site request forgery.

“What makes website security so hard is that you can't just patch a system,” Grossman said. “The vulnerability is usually found in the code, and the developer who wrote it has to fix it. So the time-to-fix window tends to be quite lengthy.”

For example, Grossman said the average SQL injection -- which can be used to steal such information as credit card numbers -- takes approximately 138 days to fix.

Developers must write more secure code and the response time to fix an issue has to improve, he said.
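As an added illustration of Grossman's point that the fix lives in the application code rather than in a vendor patch, the following Python compares a database lookup that splices user input into the SQL text with the same lookup using a bound parameter. This is an example written for this page, not WhiteHat's code or anything from the report; the in-memory table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the example (not from the report).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),  # a legitimate name containing a quote
]


def make_db():
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """Defective version: the input is pasted into the SQL string, so any quote
    in it alters the statement's structure instead of being treated as data."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_fixed(conn, username):
    """Corrected version: the value is bound as a parameter, so the driver keeps
    the query structure fixed and passes the input purely as data."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {
        "fixed_plain": lookup_email_fixed(conn, "alice"),
        "fixed_quote": lookup_email_fixed(conn, "o'brien"),
        "vuln_plain": lookup_email_vulnerable(conn, "alice"),
    }
    try:
        results["vuln_quote"] = lookup_email_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # The apostrophe in ordinary data broke the statement: proof that the
        # query text, not just the value, is under the caller's control.
        results["vuln_quote"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenating version fails on an innocent name with an apostrophe, which is the same mechanism a hostile input would exploit; no patch to the database or web server removes that defect, only a change to the lookup itself does. Parameter binding as shown is the standard remediation and also handles the quote-bearing name correctly.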

With compliance directives, such as the Payment Card Industry Data Security Standard, mandating that by June 30, businesses must hire an expert to review web application code or deploy a web application firewall, the demand for complete website security is greater than ever, he said.

“We have to get better at reacting,” Grossman said. “We can't just wait for a code to become more secure.”
