The fourth installment of the report, released Monday, called out the top 10 most prevalent vulnerabilities and provided a vertical industry breakdown based on attacks. The top 10 is determined by the likelihood of that type of vulnerability showing up on the website.
Between 600 and 700 websites were included in the survey sample and included some of the most trafficked sites on the web, Jeremiah Grossman, founder and chief technology officer at WhiteHat Security, said. The sample set included retail, insurance, financial and IT sites.
“These aren't like the well-known vulnerability issues that get patched,” Grossman told SCMagazineUS.com on Monday. “These are largely unknown issues on live websites.”
Leading the list of vulnerabilities is cross-site scripting (XSS), which appeared in approximately 70 percent of websites. Other top vulnerabilities included SQL injection and cross-site request forgery.
“What makes website security so hard is that you can't just patch a system,” Grossman said. “The vulnerability is usually found in the code, and the developer who wrote it has to fix it. So the time-to-fix window tends to be quite lengthy.”
For example, Grossman said the average SQL injection -- which can be used to steal such information as credit card numbers -- takes approximately 138 days to fix.
Developers must write more secure code and the response time to fix an issue has to improve, he said.
With compliance directives, such as the Payment Card Industry Data Security Standard, mandating that by June 30, businesses must hire an expert to review web application code or deploy a web application firewall, the demand for complete website security is greater than ever, he said.
“We have to get better at reacting,” Grossman said. “We can't just wait for a code to become more secure.”