While a number of trusted sources continually decry the vulnerabilities present in web applications, this vector remains the primary avenue of attack for cybercriminals, according to a WhiteHat Website Security Statistics Report released on Thursday.
Despite metrics that substantiate the claims and any number of security best-practice recommendations, many organizations, particularly those building custom web applications, are at risk, says the report, which measured data collected from Jan. 1, 2006 to Oct. 1, 2009, across more than 1,300 websites.
The problem is exacerbated because it is not possible to patch against custom web application software, such as that used by big e-commerce sites, Jeremiah Grossman, founder and CTO of WhiteHat, told SCMagazineUS.com. And that, he said, includes the vast majority of sites.
The amount of time it takes to repair a vulnerability once discovered is also an issue for those charged with maintaining network security. According to the WhiteHat report: "The time to fix should be as short as possible because an open vulnerability represents an opportunity for hackers to exploit the website, but no remedy is instantaneous."
Resolution could take the form of a software update, configuration change, or web application firewall rule, the report said.
But, the good news is that more organizations are repairing the technical issues associated with these threats.
"We have the answers and know how to fix these vulnerabilities," Grossman said. "The task is to motivate the business to do so. It's a matter of resource allocation."
As there are at least 24 different classes of web exploits, enterprises are under a lot of pressure to ensure their sites receive security checkups, said Grossman.
"Taking application security seriously is more than just spending more – it is being strategic," the report said.
Among the sites examined by WhiteHat, only 36 percent were found to be free of any serious vulnerabilities. While they appear similar to those with vulnerabilities, these companies chose to fix any issues they've had, reducing the potential for attack, said Grossman.
Thirty years ago, criminals robbed brick-and-mortar banks, said Grossman. Today, every bank and company is equidistant from a cybercriminal.
"You can rob banks no matter where you are," he said.