Compared to 2010, the average number of critical flaws per website has dropped

Jul 2, 2012 09:01 GMT

WhiteHat Security has recently issued its Website Security Statistics Report for the year 2011 and the results are optimistic. Compared to 2010, when the average number of serious vulnerabilities per website per year was 230, in 2011 the number dropped to 79.

Compared with 2007 (1,111 security holes per website), last year’s numbers show a steady improvement.

Around 7,000 websites, belonging to more than 500 organizations, were tested and the best scores were obtained by banking sites that recorded only 17 critical weaknesses on average. Furthermore, financial institutions also recorded the best remediation rates with 74%.

While most industries have shown a significant improvement in this area, there are a couple of exceptions: healthcare and insurance firms.

“It's imperative that organizations utilize this real-world overview of application security, an area that is often overlooked until a weakness or vulnerability is exposed, to understand their own security posture and avoid costly data breaches,” Jeremiah Grossman, CTO of WhiteHat Security, explained.

“By focusing on the facts and building a website security program that fits into their overall business strategy, organizations can improve product development, lower costs, and raise customer confidence.”

Unfortunately, many companies don’t know how to manage “hot-fix” processes. As a result, many security holes were reopened: they had been fixed on the live website but not in the next software release, which reintroduced them.

According to the report, Web Application Firewalls may have played an important role in the mitigation of risks posed by more than 70% of the vulnerabilities.

As far as the types of flaws were concerned, in 2011, cross-site scripting (XSS) made a comeback and once again became the most common website vulnerability. XSS (55%) was followed by information leakage (53%), content spoofing (36%), insufficient authorization (21%), and cross-site request forgery (19%).

Surprisingly, SQL Injection, which we saw quite often in the past few months, scored at only 11%.