Hi malware fighters,
WhiteHat Security, the leading provider of SaaS-based website security solutions, today released the fifth installment of the WhiteHat Website Security Statistics Report, providing a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. During that time, the industry has seen the Web layer rise to be the number one target for malicious online attacks, with website hacking evolving from exploration and experimentation to exploitation and monetization. In addition to the regular roster of vulnerabilities that repeatedly make the top ten list, Cross-Site Request Forgery (CSRF) joined the mix in Q2 of 2008. On a positive note, 66 percent of all vulnerabilities identified have been remediated, underscoring the value of a consistent website vulnerability management program.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
In this latest edition, WhiteHat finds 82 percent of websites have had at least one security issue, with 61 percent still having issues of high, critical or urgent severity. Overall vulnerability counts are beginning to decline; however, the likelihood of websites having at least one issue of significant severity has remained constant when compared to previous reports. As a baseline, WhiteHat used the Payment Card Industry Data Security Standard (PCI-DSS) severity rankings (Urgent, Critical, High, Medium, Low) to rate vulnerability severity by the potential business impact if the issue were to be exploited. According to PCI-DSS, any website with urgent, critical or high severity issues cannot be considered compliant.
Within this fifth report, the top ten list saw notable changes. Most noticeably, CSRF cracked the top ten, replacing Directory Indexing; WhiteHat asserts that CSRF is present in approximately three-quarters of the world’s websites. The top ten list also indicates that companies are remediating SQL Injection, Cross-Site Scripting (XSS) and HTTP Response Splitting issues en masse, although achieving 100 percent effectiveness has proved difficult. Business Logic Flaws have remained steady in the top ten, including Insufficient Authorization, Insufficient Authentication, Abuse of Functionality and Content Spoofing – all issues that can be devastating if exploited. While not the most voluminous in raw numbers, Business Logic Flaws are still highly prevalent across websites and can lead directly to business loss through non-sophisticated attacks.
New to this edition of the report, WhiteHat analyzed which website security issues are being addressed as well as how quickly remediation is occurring. For this portion of the report, WhiteHat focused on vulnerabilities identified and resolved between July 31, 2007 and July 31, 2008 and sorted the data by the most common urgent, critical and high severity issues. Among urgent severity vulnerabilities, HTTP Response Splitting took the longest to remediate, at an average of 93 days, while Information Leakage was quickest at 26 days. Additionally, HTTP Response Splitting topped the chart for remediation, with 83 percent resolved, whereas only eight percent of the Brute Force attack class were resolved. As could be expected, the overall time-to-fix measurements left room for improvement; however, significant headway has been made since the last report.
“Our fifth report highlights many angles of the constantly-evolving website security landscape,” said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. “With malicious Web attacks continuing to become more and more financially motivated, it is crucial that companies take appropriate action to secure their websites. We hope enterprises find this report a useful tool for timely information about the latest attack trends, how websites can be best defended as well as visibility into the vulnerability lifecycle.”
The report statistics were gathered through the deployment of WhiteHat Sentinel, a SaaS-based website vulnerability management solution that integrates the precision of advanced vulnerability assessment technology with the expertise of top-flight security engineers to ensure total, worry-free website security. With more than 600 sites under management, including many of the Fortune 500, WhiteHat has access to an unparalleled amount of website security data, allowing the company to accurately identify which issues are the most prevalent. WhiteHat Security uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.
WhiteHat plans to issue continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers. Based on feedback already received, the latest report includes: comparing vulnerability prevalence by severity, top ten vulnerability classes sorted by percentage likelihood and an outline of the types of technology typically encountered during WhiteHat vulnerability assessments mapped with the associated vulnerability percentage breakdown. WhiteHat will be hosting a webinar to reveal more of the report findings on Wednesday, August 27, 2008 at 11:00 a.m. PT / 2:00 p.m. ET. For more information visit WhiteHat’s site at www.whitehatsec.com and see the upcoming events section. You can also register at https://whitehatsec.market2lead.com/go/whitehatsec/stats0827. A full copy of the WhiteHat Website Security Statistics Report can be downloaded at https://whitehatsec.market2lead.com/go/whitehatsec/WPstats0808.
About WhiteHat Security, Inc.
Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of SaaS-based website security solutions. WhiteHat delivers turnkey solutions that enable companies to secure valuable customer data, comply with industry standards and maintain brand integrity. WhiteHat Sentinel, the company’s flagship service, is the only solution that incorporates expert analysis and industry-leading technology to provide unparalleled coverage to protect critical data from attacks. For more information about WhiteHat Security, please visit our website, www.whitehatsec.com.
SOURCE WhiteHat Security, Inc.
polonus