According to a study issued by researchers at WhiteHat Security, the average site is exposed about 270 days of the year. "Information Leakage" has replaced cross-site scripting (XSS) as the most common website vulnerability, the report says.
The report examined data from more than 3,000 websites across 400 organizations that are continually tested for vulnerabilities by WhiteHat Security's Sentinel service. The study offers a look at sites' "Window of Exposure," which measures not only the vulnerabilities found in sites, but the length of time it takes those vulnerabilities to be remediated.
"It's inevitable that websites will contain some faulty code -- especially in sites that are continually updated. Window of Exposure is a useful combination of the vulnerability prevalence, the time it takes to fix vulnerabilities, and the percentage of them that are remediated," said Jeremiah Grossman, founder and CTO of WhiteHat Security. "Specifically for CIOs and security professionals, measuring window of exposure offers a look at the duration of risk their business and user data is exposed to by not having sufficient remediation processes in place."
The average website falls into the "always" or "frequently" vulnerable category -- meaning it was exposed to at least one serious vulnerability for more than 270 days of the year, the report says.
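The Window of Exposure metric described above combines how many days a site had at least one serious vulnerability open with how many of its findings were fixed and how long the fixes took. The following is an added illustration of that calculation, not WhiteHat Sentinel code or data: the finding records are constructed, the site names are hypothetical, and a finding is assumed open from the day it is detected up to (but not including) the day its fix is verified. The article only states that the "always" and "frequently" bands together mean more than 270 days; the split used here (every day of the year = "always") is an assumption.

```python
from datetime import date, timedelta

# Constructed sample records (not WhiteHat data):
# site, vulnerability class, date first detected, date fix verified (None = still open).
SAMPLE_FINDINGS = [
    ("shop.example", "SQL Injection",        "2010-01-10", "2010-03-01"),
    ("shop.example", "Information Leakage",  "2010-02-15", None),
    ("bank.example", "Cross-Site Scripting", "2010-06-01", "2010-06-20"),
    ("bank.example", "Information Leakage",  "2010-06-10", "2010-07-05"),
    ("edu.example",  "Cross-Site Scripting", "2009-11-01", "2010-12-01"),
]


def _d(s):
    """ISO date string -> date, or None for a finding that is still open."""
    return date.fromisoformat(s) if s else None


def days_exposed(findings, year):
    """Days in `year` on which at least one finding was open.

    `findings` is a list of (opened, closed) ISO strings; a finding is open
    from `opened` (inclusive) to `closed` (exclusive), or to year end if
    still open. Overlapping findings are merged so each day counts once.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    intervals = []
    for opened, closed in findings:
        lo = max(_d(opened), start)
        hi = min(_d(closed) - timedelta(days=1) if closed else end, end)
        if lo <= hi:                      # skip findings closed before / opened after the year
            intervals.append((lo, hi))
    intervals.sort()
    total, cur = 0, None
    for lo, hi in intervals:
        if cur and lo <= cur[1] + timedelta(days=1):   # overlaps or touches the current run
            cur = (cur[0], max(cur[1], hi))
        else:
            if cur:
                total += (cur[1] - cur[0]).days + 1
            cur = (lo, hi)
    if cur:
        total += (cur[1] - cur[0]).days + 1
    return total


def exposure_band(days, year_length=365):
    """More than 270 days is the article's 'always'/'frequently' region;
    treating a full year as 'always' is this example's assumption."""
    if days == year_length:
        return "always"
    if days > 270:
        return "frequently"
    return "270 days or fewer"


def remediation_stats(findings, as_of):
    """(fraction of findings fixed by `as_of`, mean days-to-fix of those fixed)."""
    fixed = [(_d(c) - _d(o)).days for o, c in findings if c and _d(c) <= as_of]
    share = len(fixed) / len(findings) if findings else 0.0
    mean = sum(fixed) / len(fixed) if fixed else None
    return share, mean


def window_of_exposure(records, year):
    """Per-site summary: days exposed, band, remediation rate, mean time to fix."""
    by_site = {}
    for site, _vuln, opened, closed in records:
        by_site.setdefault(site, []).append((opened, closed))
    year_length = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    report = {}
    for site, findings in by_site.items():
        days = days_exposed(findings, year)
        share, mean = remediation_stats(findings, date(year, 12, 31))
        report[site] = {"days": days, "band": exposure_band(days, year_length),
                        "remediated": share, "mean_days_to_fix": mean}
    return report


if __name__ == "__main__":
    for site, row in window_of_exposure(SAMPLE_FINDINGS, 2010).items():
        print(site, row)
```

The merge step matters: a site with two findings that overlap for most of the year is exposed for the union of their lifetimes, not the sum, so counting findings alone would overstate the window. Conversely, a site that fixes every finding quickly but keeps introducing new ones can still land in the "frequently" band, which is the point the article makes about continually updated sites.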
Heavily regulated industries like healthcare and banking have the lowest rates, yet 14 and 16 percent, respectively, of the sites in those industries had serious vulnerabilities throughout the year. Social networking and retail have two of the largest windows of exposure, potentially reflecting the rate at which they update sites and introduce new code. The education industry has the dubious honor of the largest window of exposure -- 78 percent of its sites were vulnerable at least nine months of the year.
During 2010, 64 percent of websites had at least one Information Leakage vulnerability, overtaking XSS as the most prevalent vulnerability by a few tenths of a percent. Information Leakage describes a vulnerability in which a website reveals sensitive data, such as technical details of the Web application or its environment (software versions, internal file paths, stack traces, directory listings) or user-specific data.
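Much of what the report classes as Information Leakage is visible directly in HTTP responses. The following is an added example of a triage check for the common indicators, not WhiteHat's scanner logic: it runs a few regular expressions over a set of constructed responses (the URLs, headers and bodies are made up for illustration) and reports version-bearing headers, framework error banners, internal paths, database error text and directory listings.

```python
import re

# Constructed sample responses (hypothetical site, not real traffic):
# (url, status, headers, body)
SAMPLE_RESPONSES = [
    ("https://app.example/login", 200,
     {"Server": "Apache/2.2.15 (CentOS)", "X-Powered-By": "PHP/5.3.3"},
     "<html><body>Login</body></html>"),
    ("https://app.example/api/user?id=abc", 500,
     {"Server": "Apache", "Content-Type": "text/html"},
     "<b>Warning</b>: mysqli_query(): (HY000/1064): You have an error in your "
     "SQL syntax in /var/www/html/api/user.php on line 42"),
    ("https://app.example/static/", 200,
     {"Server": "Apache"},
     "<title>Index of /static/</title><h1>Index of /static/</h1>"),
    ("https://app.example/health", 200,
     {"Server": "Apache"},
     "ok"),
]

# Headers that commonly carry product versions; a bare product name is not flagged.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Body indicators: label and pattern. Each is a heuristic, so treat hits as leads.
INDICATORS = [
    ("framework error / stack trace",
     re.compile(r"(Traceback \(most recent call last\)|Exception in thread|"
                r"at [\w.$]+\(\w+\.java:\d+\)|Warning</b>: \w+\(\)|Fatal error:)", re.I)),
    ("internal file path",
     re.compile(r"(/var/www/[^\s<]+|/home/\w+/[^\s<]+|[A-Z]:\\(?:inetpub|Users)\\[^\s<]+)")),
    ("directory listing", re.compile(r"<title>Index of /", re.I)),
    ("database error", re.compile(r"(SQL syntax|ORA-\d{5}|pg_query|mysqli?_)", re.I)),
]


def find_information_leaks(responses):
    """Return (url, indicator, evidence) triples for every response that leaks
    technical detail. Header names are matched case-insensitively."""
    findings = []
    for url, _status, headers, body in responses:
        lowered = {k.lower(): v for k, v in headers.items()}
        for name in VERSION_HEADERS:
            value = lowered.get(name)
            if value and re.search(r"\d+\.\d+", value):   # e.g. Apache/2.2.15, PHP/5.3.3
                findings.append((url, f"version in {name} header", value))
        for label, pattern in INDICATORS:
            m = pattern.search(body)
            if m:
                findings.append((url, label, m.group(0)))
    return findings


def leaking_urls(responses):
    """Distinct URLs with at least one indicator, for a quick per-site count."""
    return sorted({url for url, _, _ in find_information_leaks(responses)})


if __name__ == "__main__":
    for url, label, evidence in find_information_leaks(SAMPLE_RESPONSES):
        print(f"{url}: {label}: {evidence!r}")
```

The 500 response is the one to prioritise: it leaks the database driver, the query error class and an absolute server path in a single page, which is exactly the kind of detail the report describes and which an attacker would chain with the SQL error to refine an injection. Version headers and directory listings are lower severity on their own but are the easiest to remove, so they are a cheap way to shrink the window.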