Report: Online Social Networks, Education Sites Harbor Most Security Risk
WhiteHat Security, a leading provider of Web site risk management solutions, recently released the eighth installment of the WhiteHat Security Web site Security Statistics Report, a high-level perspective on major Web site security issues that continue to compromise corporate data across all industries. WhiteHat's report, assembled from real-world Web site security data, cites the Top 10 Web site vulnerabilities and provides insight into the evolving challenges facing organizations today.
WhiteHat's Statistics Report provides an opportunity for businesses to understand the most prevalent vulnerabilities so they can develop and implement an effective Web site risk management program, reduce exposure and improve their overall security posture. WhiteHat created the report to educate the business community and general public about the most prevalent vulnerabilities that can lead to Web site compromises.
Unsurprisingly, only 36 percent of Web sites in the report currently do not have any serious vulnerabilities. From a historical perspective, this percentage drops to 17. Through its research, WhiteHat found that the characteristics of Web sites currently without any serious issues were nearly identical to those with them, with the exception that they had about half as many from the start.
This proves to be significant in that no Web site can be deemed immune -- all Web sites have an opportunity to be compromised. These odds are reduced when the business decides to proactively identify and remediate their vulnerabilities.
"It is extremely interesting to see that all the Web sites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities," said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security. "The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their Web site, reputation and customers."
Recent attacks on thousands of Web properties including Twitter, Facebook and MySpace also validate WhiteHat's findings that these platforms have what hackers are eager to steal -- user supplied data. With 86 percent of these sites hosting urgent, critical or high severity vulnerabilities, social networks lead all verticals. A close second, education Web sites are also highly vulnerable, with 83 percent having at least one serious vulnerability. This is not surprising, as educational institutions have many public-facing applications and often do not have significant resources dedicated to Web site security.
WhiteHat's latest report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continue to slowly increase. WhiteHat also finds that 83 percent of Web sites have had a high, critical or urgent issue over their lifetime and 64 percent of Web sites currently have a high, critical or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which means encouragingly that the majority – more than 13,000 -- have been closed.
As in previous reports, Cross-Site Scripting and SQL Injection continue to be fixtures in the Top 10 list along with many other common classes of attack. The report also shows that fix percentages are climbing for some and decreasing for others. In particular, more organizations are repairing technical issues such as SQL Injection and Cross-Site Scripting in larger volumes, an indication that awareness is building regarding the prevalence of easy exploitations of these specific vulnerabilities.
The report statistics were gathered through the deployment of WhiteHat Sentinel, a Software-as-a-Service (SaaS) based Web site risk management solution, providing the most accurate vulnerability information in the industry. WhiteHat Sentinel executes rigorous and ongoing Web site security assessments on more than 1,500 Web sites that helps companies protect their brands, comply with PCI Compliance and avoid costly and damaging breaches.