The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat's report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
This latest installment includes data obtained between January 1, 2006 and December 1, 2008 and finds 82 percent of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity. Vulnerability time-to-fix metrics are slowly improving, but continue to show significant room for improvement, typically requiring weeks to months to achieve resolution. Only about 50 percent of the most prevalent urgent severity issues were resolved during the assessment time frame.
Within this sixth report, parts of the top ten list remained static, but there were notable changes overall. Most noticeably, CSRF, which had only just cracked the top ten in the fifth report, moved up to number eight in this edition. Business logic flaws have held steady in the top ten, demonstrating that these workflow flaws, which include Insufficient Authorization, Insufficient Authentication, Abuse of Functionality and Content Spoofing, are still overlooked at many organizations. WhiteHat reads the fact that the majority of the top ten list remained largely static compared to previous reports as evidence that the data in this report is a representative sample of the security of the Web's more important e-commerce related websites.
New to this edition of the report, WhiteHat added the pharmaceutical vertical to its comparison of the percentage of websites across industry verticals with an urgent, critical or high severity vulnerability. Sixty-five percent of pharmaceutical websites contain an urgent, critical or high severity vulnerability, while education websites remain the most vulnerable at 88 percent. Retail websites continue to outperform the other verticals, as they did in the last report, and WhiteHat credits this to the large volume of battlefield testing these websites undergo.
"Web security is a moving target. So, enterprises need timely information about the latest attack trends, how they can best defend their websites, and visibility into their vulnerability life-cycle," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. "We hope this report continues to be a beneficial tool for actionable information today's enterprises can use to stay on top of evolving website security challenges."
The report statistics were gathered through the deployment of WhiteHat Sentinel, a SaaS-based website vulnerability management solution. With more than 700 sites under management, including many of the Fortune 500, WhiteHat has access to an unparalleled amount of website security data, allowing the company to accurately identify which issues are the most prevalent. The sample is the set of sites assessed under Sentinel, so the percentages describe assessed production websites rather than a random sample of the Web. WhiteHat Security uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.
WhiteHat plans to issue continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers. Based on feedback already received, the latest report includes:
* Comparing vulnerability prevalence by severity;
* Top ten vulnerability classes sorted by percentage likelihood;
* Comparing the security of websites across key industry verticals;
* Analysis of which website security issues are being addressed as well as how quickly remediation is occurring; and,
* An outline of the types of technology typically encountered during WhiteHat vulnerability assessments mapped with the associated vulnerability percentage breakdown.
WhiteHat will be hosting a webinar to reveal more of the report findings on Wednesday, January 14, 2009 at 11:00 a.m. PT / 2:00 p.m. ET. For more information, visit WhiteHat's site at www.whitehatsec.com.
About WhiteHat Security, Inc.
Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website security solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company's flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls. To learn more about WhiteHat Security, please visit our website at www.whitehatsec.com.