Among the 1,364 Websites scanned by WhiteHat and included in the report, 36 percent had no vulnerabilities at all, and 17 percent had never had a serious one. WhiteHat counted 1,800 vulnerabilities. But Jeremiah Grossman, founder and CTO of WhiteHat, says the real tidbit here is what types of bugs the clean sites had eradicated.
"What was striking was not the volume of zero-vulnerability Websites, but that this shows that those that have had vulns [in the past] were characteristically identical to those Websites that do have vulns today," Grossman says. The vulnerability-free sites had experienced the same issues as the bug-ridden ones, he says, demonstrating it is possible to sweep a site clean of vulnerabilities.
"They have the same set of issues," he says. There's nothing "magical" about their approach, Grossman adds, except they had made an effort to clean their sites, and that most had started with about half as many bugs as the ones that are still carrying vulnerabilities. The finding that the bugs were common across the board demonstrates how any Website has the risk of being compromised, according to the report.
Grossman says the data shows those who care about their Web application's security tend to have fewer bugs when they go into production. "This shows that it's then easier to get to zero over time," he says.
WhiteHat found that 83 percent of the Websites have had at least one serious vulnerability -- meaning either high, critical, or urgent as defined by PCI-DSS -- and 64 percent currently harbor at least one serious vulnerability. The average number of serious vulnerabilities per site is 16.7, and there's an average of 6.5 unresolved severe bugs in each Website, according to WhiteHat's findings. Social networking and education markets have the most serious vulnerabilities in their Websites, with 86 percent of social networking sites and 83 percent of education Websites harboring these flaws.
The top 10 vulnerabilities are XSS (66 percent); information leakage (49 percent); content spoofing (31 percent); insufficient authorization (19 percent); SQL injection (18 percent); predictable resource location (14 percent); cross-site request forgery (12 percent); session fixation (12 percent); HTTP response splitting (10 percent); and abuse of functionality (9 percent).
Grossman says SQL injection and CSRF are under-represented in the Top 10. SQL injection flaws can be difficult to detect in scans: for instance, developers who disable verbose error messages as a way to protect against SQL injection attacks also inadvertently make the flaws harder to find. And even with this best practice in place, blind SQL injection attacks can still be waged on a Website, according to WhiteHat. CSRF, meanwhile, is notoriously difficult to detect.
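To illustrate the point that suppressing database error messages hides an injection flaw without removing it, here is an added Python example (not from the WhiteHat report or the article) using an in-memory SQLite table with constructed sample data: the string-concatenating lookup still returns extra rows for a boolean-style input even when exceptions are swallowed, while the parameterized lookup treats the same input as a plain string.

```python
import sqlite3

# Constructed sample data: a tiny "users" table standing in for an application database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return conn

def lookup_concat(conn, username, verbose_errors=True):
    """Vulnerable: builds SQL by string concatenation.
    With verbose_errors=False the database exception is swallowed (the
    'disable verbose errors' practice described above), so an error-based
    scan sees nothing, but an injected condition still executes."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        if verbose_errors:
            return ["DB ERROR: " + str(exc)]   # leaks SQL detail to the caller
        return []                                # silent failure: bug masked, not fixed

def lookup_param(conn, username):
    """Hardened: the value is bound as a parameter, so it cannot change the query's structure."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def compare(username):
    """Run the same input through all three variants and return their results."""
    conn = make_db()
    return {
        "concat_verbose": lookup_concat(conn, username, verbose_errors=True),
        "concat_quiet": lookup_concat(conn, username, verbose_errors=False),
        "param": lookup_param(conn, username),
    }

if __name__ == "__main__":
    for name in ("alice", "x' OR '1'='1", "o'brien"):
        print(name, compare(name))
```

The quiet variant returns nothing for the apostrophe-containing name, which is what makes error-based scanning blind, yet the boolean input still dumps every row; only the parameterized query is actually fixed.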
On average, it takes 67 days to fix an XSS bug; 62 days for SQL injection; 93 days for CSRF; and 106 days for session fixation, for example.