04:45 AM
'Not Much Resistance at the Door'

Website security hasn't improved much over the past year, according to a survey of Web app security pros

Websites are as vulnerable as ever, according to a survey of Web application security professionals who test sites for security holes.

The survey, conducted by researcher Jeremiah Grossman on his blog site, polled more than 60 security pros: 63 percent of whom work for vendors or consultants, 23 percent for enterprises, 5 percent for government, and 10 percent for other types of organizations. These are the people in the trenches who hammer on Websites regularly -- 53 percent said all or almost all of their job is dedicated to Web app security (versus development, general security, and incident response); 28 percent said about half; and 20 percent said "some."

Not much has changed in Web security, according to the survey respondents. Half (50 percent) said the average Website's level of security has stayed the same this year as in 2005. Another 28 percent said Websites are slightly more secure, while 20 percent said they are worse. Only 3 percent said they are "way more secure."

According to 53 percent of the respondents, the main reason organizations conduct vulnerability assessments is to measure how secure they are (or aren't), and only 25 percent said it's for regulatory and compliance reasons. Ten percent said the organizations' customers or partners had asked them for independent validation. (See The Web App Security Gap and Review: Web Application Firewalls.)

They aren't finding much resistance at the "door" of the Websites: 73 percent said they never, or almost never, come across a Web app firewall blocking them when they perform a VA test; 10 percent said they sometimes do; another 10 percent said it's hard to tell; 5 percent said half the time; and 3 percent said "a lot."

And 50 percent said they never, or almost never, encounter Websites with multi-factor authentication, 35 percent said they sometimes do, 8 percent said half the time they do, 5 percent said they encounter it a lot, and 3 percent said it's hard to tell.

But it was their thoughts on disclosure of vulnerabilities that surprised researchers familiar with the study. The respondents were asked what they do with information about a vulnerability on a Website they didn't have permission to test. Only 8 percent said they would post it publicly on sla.ckers.org; 36 percent said they would inform the Website administrator; and another 36 percent said they would keep it to themselves to avoid jail or lawsuits. Only 3 percent said they would sell their findings, with the remaining 18 percent answering "other."

"The Internet got pretty beat up this year, security-wise," says sla.ckers.org member maluc. "These surveys Jeremiah comes up with each month are quite invaluable, because there really isn't any other collaborative benchmark like this straight from the Web app sec professionals' mouths."

But the survey is just a snapshot of the bigger picture. "Web business is at significant risk as we move into 2007," says Grossman, who is CTO of White Hat Security, a Website security assessment service provider. Most of the respondents said they perform about 20 assessments per year, he says, at about 30 hours of time per Website. "If you consider the number of Websites out there that need assessments, you can quickly see the scale of the problem."

The scary unknown is intranet Website vulnerability, however, which the survey did not address. "There are no good metrics for how many intranet Websites there are, or how vulnerable they are. That's a big unknown in the industry," Grossman says. "It's a whole other world inside the firewall."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
