WhiteHat founder and CTO Jeremiah Grossman fingered the culprits during Wednesday's presentation. Cross-site scripting vulnerabilities were found in 71% of the 300 sites WhiteHat researched. Grossman pointed out that this percentage jumps to 90% when sites offering e-commerce were evaluated. No other category of vulnerability--including information leakage, predictable resource location, or content spoofing--was found in more than 30% of the sites WhiteHat evaluated.
Of course, not all vulnerabilities are created equal: more than one-third of the sites evaluated had a high level of severity, meaning the exploitation of a vulnerability could lead to the loss of customer data, passwords, or other critical information. Nearly three-quarters of the sites contained a vulnerability--in most cases a cross-site scripting problem--that would have a middling-level of impact on a business. Many sites have multiple vulnerabilities with different levels of severity.
"If there are 100 million Web sites out there, it's a Swiss cheese type of environment," said Grossman, who's the embodiment of converged IT and physical security, given that he's a well-respected security researcher and holds a blue belt in Brazilian jujitsu.
That's not to say the news is all bad. The prevalence of buffer overflows has dropped, to the point where they didn't even make WhiteHat's list. Grossman pointed out that buffer overflows aren't too common in custom-built Web applications, which were present in all of the sites evaluated.
Does this mean that e-tailers will continue to leave money on the table when potential customers are scared off by security risks? Gartner thinks so, saying that $1 billion is lost because of shoppers who refuse to spend money online, while another $913 million is lost because those who do shop online are wary of online security.
One obvious measure of relief is for businesses to regularly audit their Web applications for security vulnerabilities, particularly after changes have been made to those apps. Although no online shopping strategy is foolproof, consumers should stick with well-known retailers and use their credit cards rather than debit cards when making a purchase (gift cards are best, but you probably won't have many of those until after the holidays). They should also save all e-mails sent to them by the e-tailer acknowledging the purchase.
If a loss of confidence in online transactions seems like a big deal, that's because it is. Businesses can offer all of the discounts, personalization features, and customer conveniences they want, but that won't help them win back the business of a customer who's been burned by identity theft.