Websites are as vulnerable as ever, according to a survey of Web application security professionals who test sites for security holes.
The survey, conducted by researcher Jeremiah Grossman on his blog, polled more than 60 security pros: 63 percent of whom work for vendors or consultants, 23 percent for enterprises, 5 percent for government, and 10 percent for other types of organizations. These are the people in the trenches who hammer on Websites regularly -- 53 percent said all or almost all of their job is dedicated to Web app security (versus development, general security, and incident response); 28 percent said about half; and 20 percent said "some."
Not much has changed in Web security, according to the survey respondents. Half of them said the average Website's level of security has stayed the same this year as in 2005. Another 28 percent said Websites are slightly more secure, 20 percent said they are worse, and only 3 percent said they are "way more secure."
According to 53 percent of the respondents, the main reason organizations conduct vulnerability assessments is to measure how secure they are (or aren't), and only 25 percent said it's for regulatory and compliance reasons. Ten percent said the organizations' customers or partners had asked them for independent validation. (See The Web App Security Gap and Review: Web Application Firewalls.)
They aren't finding much resistance at the "door" of the Websites: 73 percent said they never, or almost never, come across a Web app firewall blocking them when they perform a VA test; 10 percent said they sometimes do; another 10 percent said it's hard to tell; 5 percent said half the time; and 3 percent said "a lot."
And 50 percent said they never, or almost never, encounter Websites with multi-factor authentication, 35 percent said they sometimes do, 8 percent said half the time they do, 5 percent said they encounter it a lot, and 3 percent said it's hard to tell.
But it was their thoughts on disclosure of vulnerabilities that surprised researchers familiar with the study. The respondents were asked what they do with information about a vulnerability on a Website they didn't have permission to test. Only 8 percent said they would post it publicly on sla.ckers.org; 36 percent said they would inform the Website administrator; and another 36 percent said they would keep it to themselves to avoid jail or lawsuits. Only 3 percent said they would sell their findings, with the remaining 18 percent answering "other."
"The Internet got pretty beat up this year, security-wise," says sla.ckers.org member maluc. "These surveys Jeremiah comes up with each month are quite invaluable, because there really isn't any other collaborative benchmark like this straight from the Web app sec professionals' mouths."
But the survey is just a snapshot of the bigger picture. "Web business is at significant risk as we move into 2007," says Grossman, who is CTO of White Hat Security, a Website security assessment service provider. Most of the respondents said they perform about 20 assessments per year, he says, at about 30 hours of time per Website. "If you consider the number of Websites out there that need assessments, you can quickly see the scale of the problem."
The scary unknown is intranet Website vulnerability, however, which the survey did not address. "There are no good metrics for how many intranet Websites there are, or how vulnerable they are. That's a big unknown in the industry," Grossman says. "It's a whole other world inside the firewall."
Kelly Jackson Higgins, Senior Editor, Dark Reading