Website holes fall but xss still dominates

By on

Five per cent of web sites vulnerable to XSS.

While SQL injection remains a prevalent website vulnerability, it only affects 11 per cent of websites and flaws are fixed in an average of 53 days.

According to research by White Hat Security, five per cent of all websites had at least one SQL injection vulnerability that was exploitable without first needing to login to the website.

For its website security statistics report for June 2012, more than 7,000 websites across more than 500 organisations across 12 industries were evaluated. The sector with the most vulnerabilities was retail with 404 and a 328-day window of exposure; next it was financial services with 266 flaws and a 184-day window of exposure; and third worst was telecommunications with 215 vulnerabilities and a 260-day window of exposure.

The industries that fixed their serious vulnerabilities the fastest were energy (four days), manufacturing (17 days) and retail (27 days). The research found that retail websites improved dramatically over the last year, yet remain the industry possessing the most security issues, with an average of 121 serious vulnerabilities identified per website.

However 20 per cent of the vulnerabilities identified by White Hat Sentinel have been reopened at some point in time, often several times.

Of the vulnerabilities identified, cross-site scripting (XSS), information leakage and content spoofing were the most prominent at 50 per cent, 14 per cent and nine per cent respectively. Just under half (48 per cent) of XSS vulnerabilities were fixed and to do so required an average of 65 days.

It said that information leakage is a term that describes a vulnerability in which a website reveals sensitive data, such as technical details of the web application, environment or user-specific data.

The number of serious vulnerabilities found per website per year by White Hat Security has dropped from 230 identified in 2010 to 79 in 2011. “While this vulnerability reduction trend is welcome news, there are several possible explanations that must be taken into consideration as the ‘real' numbers may not be as rosy,” it said.

The company said that this could be due to organisations often choosing a less comprehensive form of vulnerability assessment, such as a standard or baseline product over a premium edition, or its sampling of websites.

To avoid these issues, it recommended finding all of your websites and prioritising fixes based upon business criticality, data sensitivity, revenue generation, traffic volume, number of users or other criteria the organisation deems important.

White Hat Security also recommended measuring your current security posture from an attacker perspective. It said that this step is not just about identifying vulnerabilities, it is about understanding what classes of adversaries need to be defended against and your exposure to them.

Finally, it recommended trending and tracking the lifecycle of vulnerabilities: is the development lifecycle behind the website producing too many vulnerabilities? Is the time required to fix issues lagging, simply not fixing enough of them, or some combination? The answer to these questions will serve as a guide for which new and/or improved SDL-related activities are likely to make the most impact and drive toward organisational goals.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

New Windows 10 users, are you upgrading from...
Windows 8
Windows 7
Windows XP
Another operating system
Windows Vista
How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?