WhiteHat Security has published its Website Security Statistics Report

May 2, 2013 14:09 GMT  ·  By

WhiteHat Security has published its 2013 Website Security Statistics Report. The study is based on vulnerability data collected from tens of thousands of websites belonging to over 650 organizations.

It turns out that, last year, the average number of security holes plaguing a website decreased to 56. In the previous year, 79 vulnerabilities had been identified per site.

Of all the sites tested by the security firm, 86% contained at least one serious vulnerability. 61% of the security holes were addressed, but only 18% of websites were vulnerable for less than 30 days.

When it comes to the time needed to address the flaws, WhiteHat found that, on average, a company took 193 days to fix a vulnerability after the first notification.

Despite the fact that the overall number of vulnerabilities has dropped, the websites of companies from the IT and the energy sectors were found to be more vulnerable compared to previous years. In fact, last year, the IT industry saw the highest number of security holes per website (114).

Interestingly, the fewest bugs were found in government and banking websites.

Media and entertainment websites were the best when it came to remediating security issues.

The report shows that information leakage vulnerabilities were most common, found in 55% of sites, followed by the “classic” cross-site scripting (XSS) which plagued 53% of the tested websites. The chart is completed by content spoofing (33%), cross-site request forgery (26%), brute force (26%) and fingerprinting (23%).

“This collective data has shown that many organizations do not yet consider they need to proactively do something about software security. It is apparent that these organizations take the approach of ‘wait-until-something-goes-wrong’ before kicking into gear unless there is some sense of accountability,” said Jeremiah Grossman, co-founder and CTO of WhiteHat Security.

“This needs to change, and we believe there is now an opportunity for a new generation of security leaders to emerge and distinguish themselves with an understanding of real business and security challenges. Our hope is that they will address these issues we have identified and base their decisions on a foundation of data to improve the state of Web security over time.”

The complete report is available for download here (registration required).