Fully one-third of all websites surveyed last year were found to be vulnerable on a daily basis to a "serious" flaw like cross-site scripting, information leakage or content spoofing, according to a report on site vulnerabilities released today by WhiteHat Security.
While industries like entertainment and media were relatively quick to fix website vulnerabilities (an average of 33 days), WhiteHat's survey found that industry-wide the average was 193 days from first notification.
Retail, health care and insurance websites were among the laggards, each taking well over 200 days to fix their sites after notification. Frequently updated retail sites, for instance, generally pose greater security challenges for Web developers, experts said, because each code deployment introduces new vulnerabilities.
"It's an unforgiving environment," stressed Jeremiah Grossman, WhiteHat Security's founder and chief technical officer. The proliferation of "broken code" results in a "race to see who can exploit vulnerabilities." Hence, most security patches for websites don't work.
Still, the remediation rate for all sites surveyed was 61% in 2012, the Web security firm found, compared to only 35% in 2007.
Santa Clara, Calif.-based WhiteHat defines "serious" vulnerabilities as "those in which an attacker could take control over all, or some part, of a website, compromise user accounts on the system, access sensitive data, violate compliance requirements and possibly make headline news. In short, serious vulnerabilities are those that should really be fixed."
Cross-site scripting (43%), content spoofing (13%) and information leakage (11%) again emerged as the top website vulnerabilities during 2012. Half of all cross-site scripting vulnerabilities were resolved, but WhiteHat's survey also found that doing so took an average of 227 days.
On average, websites contained 56 vulnerabilities last year. WhiteHat's Grossman acknowledged that the total seems high, but noted it has been drastically reduced from an average of 230 per year in 2010.
Websites "are getting more secure," said Grossman, a former security specialist at Yahoo. "But the bad guys just need one vulnerability to ruin your day."
Indeed, an actual system or data breach often seems to have a salutary effect on enterprises, much as a heart attack survivor is jolted into a healthier lifestyle, Grossman explained. WhiteHat's survey found that organizations that withstood a website breach resulting from an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster and had a remediation rate 4% higher than average.
Fixing problems still takes on average about three months, but Grossman again noted that remediation times continue to drop steadily. The challenge for enterprises with limited security resources is deciding which vulnerabilities to tackle first.
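The metrics the report leans on (remediation rate, average days from first notification to fix, open findings per site) and the triage decision described above can be tracked with a few lines over a team's own scan records. The following is an added example written for this page, not code or data from WhiteHat or the article; the finding records, site names and class weights are constructed for illustration and do not reproduce the report's figures.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """One serious finding on one site, from first notification to fix (if any)."""
    site: str
    vuln_class: str          # e.g. "xss", "content_spoofing", "info_leak"
    notified: date           # date the site owner was first told
    fixed: Optional[date]    # None while the finding is still open


# Constructed sample records for illustration only; not data from the report.
SAMPLE: List[Finding] = [
    Finding("shop.example",   "xss",              date(2012, 1, 10), date(2012, 8, 24)),
    Finding("shop.example",   "content_spoofing", date(2012, 2, 1),  None),
    Finding("shop.example",   "info_leak",        date(2012, 3, 5),  date(2012, 3, 20)),
    Finding("media.example",  "xss",              date(2012, 1, 15), date(2012, 2, 17)),
    Finding("media.example",  "info_leak",        date(2012, 4, 2),  date(2012, 4, 30)),
    Finding("clinic.example", "xss",              date(2012, 1, 3),  None),
    Finding("clinic.example", "xss",              date(2012, 5, 20), date(2012, 12, 31)),
]


def remediation_rate(findings: List[Finding]) -> float:
    """Percentage of findings that were closed (the report's 'remediation rate')."""
    if not findings:
        return 0.0
    closed = sum(1 for f in findings if f.fixed is not None)
    return round(100.0 * closed / len(findings), 1)


def mean_days_to_fix(findings: List[Finding]) -> Optional[float]:
    """Average days from first notification to fix, over closed findings only."""
    durations = [(f.fixed - f.notified).days for f in findings if f.fixed is not None]
    return round(mean(durations), 1) if durations else None


def days_to_fix_by_class(findings: List[Finding]) -> Dict[str, Optional[float]]:
    """Time-to-fix broken out per vulnerability class; None where nothing was closed."""
    by_class: Dict[str, List[Finding]] = {}
    for f in findings:
        by_class.setdefault(f.vuln_class, []).append(f)
    return {c: mean_days_to_fix(fs) for c, fs in sorted(by_class.items())}


def open_findings_per_site(findings: List[Finding]) -> Dict[str, int]:
    """Count of still-open serious findings on each site (zero is reported, not omitted)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts.setdefault(f.site, 0)
        if f.fixed is None:
            counts[f.site] += 1
    return counts


# Assumed relative exposure per class, chosen for this example; a team would set
# its own weights. These are not figures from the report.
CLASS_WEIGHT: Dict[str, int] = {"xss": 3, "info_leak": 2, "content_spoofing": 1}


def triage_order(findings: List[Finding], as_of: date,
                 weights: Dict[str, int] = CLASS_WEIGHT) -> List[Finding]:
    """Open findings in the order to work them: heaviest class first, then longest open."""
    still_open = [f for f in findings if f.fixed is None]
    return sorted(still_open,
                  key=lambda f: (-weights.get(f.vuln_class, 0), -(as_of - f.notified).days))


if __name__ == "__main__":
    print("remediation rate (%):", remediation_rate(SAMPLE))
    print("mean days to fix:", mean_days_to_fix(SAMPLE))
    print("days to fix by class:", days_to_fix_by_class(SAMPLE))
    print("open per site:", open_findings_per_site(SAMPLE))
    for f in triage_order(SAMPLE, date(2012, 12, 31)):
        print("next:", f.site, f.vuln_class, "open since", f.notified)
```

The per-class breakdown is the view that surfaces the pattern the report describes: a class that is fixed often but slowly (long mean time-to-fix) reads differently from one that is rarely closed at all (None in the table), and the triage order puts the oldest high-weight open finding at the top rather than whichever was reported most recently.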
One reason for this triage, WhiteHat found, was that many of the companies surveyed named compliance as the number one driver of Web security. Paradoxically, respondents also named compliance as the top reason it takes so long to fix a website breach.
The takeaway, Grossman said, is that enterprises use up a lot of their security resources on compliance, leaving few resources for other fixes.
Dan Cornell, chief technology officer at the San Antonio-based Denim Group, agreed that compliance programs like PCI have a "distorting effect" on overall Web security efforts. The result is inefficient use of security resources. Instead, Cornell continued, enterprises need to "use that [Web] breach to [develop] a meaningful strategy for how your organization deals with risk."
Grossman stressed that companies need to assign accountability for breaches all the way up to their board of directors. Along with accountability, Web developers must be empowered to take the actions needed to fix vulnerabilities, he added.
Cornell went a step further, saying the onus should be on software developers to change the way they work in order to spot vulnerabilities and move quickly to deploy the appropriate fixes.