SOURCE: WhiteHat Security

June 27, 2012 13:55 ET

WhiteHat Security Marks 2011 as the Year of Radical Reduction in Online Vulnerabilities in Twelfth Edition of Website Security Statistics Report

Serious Vulnerabilities in Online Applications Are Dropping With Increasing Speed Across Major Industries; Large-Scale Breaches Still Prevalent as Security Strategies Remain Varied

SANTA CLARA, CA--(Marketwire - Jun 27, 2012) - WhiteHat Security, the Web security company, today released the twelfth installment of the WhiteHat Security Website Security Statistics Report. The report reviewed serious vulnerabilities* in websites during the 2011 calendar year, examining the severity and duration of the most critical vulnerabilities from 7,000 websites across major vertical markets. Among the findings in the report, WhiteHat research suggests that the average number of serious vulnerabilities found per website per year in 2011 was 79, a substantial reduction from 230 in 2010 and down from 1,111 in 2007. Despite the significant improvement in the state of website security, organizational challenges in creating security programs that balance breadth of coverage and depth of testing leave large-scale attack surfaces or small, but very high-risk vulnerabilities open to attackers.

The Current State of Website Security

The report examined data from more than 7,000 websites across over 500 organizations that are continually assessed for vulnerabilities by WhiteHat Security's family of Sentinel Services. This process provides a real-world look at website security across a range of vertical markets, including findings from the energy and non-profit verticals for the first time this year. The metrics provided serve as a foundation for improving enterprise application security online.

This year's report found a notable improvement in application vulnerability management across all verticals in 2011. Banking websites continued to have the fewest serious vulnerabilities of any industry, with an average of 17 serious vulnerabilities identified per website, and had the highest remediation rate of any industry at 74%. Figure two highlights the average number of serious vulnerabilities found per website in 2011; all industries showed improvements since 2010 with the exception of the Healthcare and Insurance verticals.

"It's imperative that organizations utilize this real-world overview of application security, an area that is often overlooked until a weakness or vulnerability is exposed, to understand their own security posture and avoid costly data breaches," said Jeremiah Grossman, Chief Technology Officer, WhiteHat Security. "By focusing on the facts and building a website security program that fits into their overall business strategy, organizations can improve product development, lower costs, and raise customer confidence."

WhiteHat researchers also found that though remediation rates continue to increase, the higher the severity of a vulnerability, the more likely it is to reopen in the future. While there are likely a number of causes, one likely explanation is a deficient 'hot-fix' process: a high-severity vulnerability is fixed quickly, live on the website, but the change is not back-ported to development, and a future software release overwrites the patch.
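The regression described above is preventable with a pre-deploy gate: every security fix currently live in production must be an ancestor of the release candidate, or deploying that candidate reopens the hole. The following is an added illustration, not WhiteHat's tooling; it uses a constructed in-memory commit graph in place of `git merge-base --is-ancestor` and a constructed fix ledger.

```python
"""Pre-deploy gate for the 'hot-fix overwritten by the next release' regression.
Constructed sample data; the commit DAG stands in for a real git history."""
from collections import deque

# Constructed commit DAG: sha -> list of parent shas.
COMMITS = {
    "a1": [],             # release 1.0, currently in production
    "b2": ["a1"],         # feature work on main
    "c3": ["b2"],         # more feature work on main
    "hf1": ["a1"],        # hot-fix for an XSS bug applied directly to production
    "rc1": ["c3"],        # release candidate 2.0 cut from main; hot-fix NOT back-ported
    "m4": ["c3", "hf1"],  # back-port merge of the hot-fix into main
    "rc2": ["m4"],        # release candidate 2.1 cut after the back-port
}

# Constructed fix ledger: vulnerability id -> (severity, commit that closed it).
LIVE_FIXES = {
    "XSS-0042": ("Urgent", "hf1"),
    "INFO-0007": ("High", "a1"),
}


def is_ancestor(commits, ancestor, descendant):
    """True if `ancestor` is reachable from `descendant` by following parent links."""
    seen, queue = set(), deque([descendant])
    while queue:
        sha = queue.popleft()
        if sha == ancestor:
            return True
        if sha in seen:
            continue
        seen.add(sha)
        queue.extend(commits.get(sha, []))
    return False


def fixes_that_would_reopen(commits, live_fixes, candidate):
    """Return {vuln_id: severity} for live fixes absent from the candidate's history."""
    return {vid: sev for vid, (sev, sha) in live_fixes.items()
            if not is_ancestor(commits, sha, candidate)}


def deploy_gate(commits, live_fixes, candidate):
    """Return (ok, regressions); the deploy is blocked when any fix would reopen."""
    regressions = fixes_that_would_reopen(commits, live_fixes, candidate)
    return (not regressions, regressions)


if __name__ == "__main__":
    for rc in ("rc1", "rc2"):
        ok, regs = deploy_gate(COMMITS, LIVE_FIXES, rc)
        print(rc, "OK" if ok else f"BLOCKED: would reopen {regs}")
```

Run against `rc1` the gate blocks the deploy because the XSS hot-fix is not in its history; after the back-port merge, `rc2` passes.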

With serious vulnerabilities categorized as High, Critical, or Urgent severity, the report found that 23% of vulnerabilities marked as Urgent severity were reopened, compared with 22% of Critical severity and 15% of High severity vulnerabilities. It is also important to note that Web Application Firewalls (WAFs) may have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified. It just so happens that the most voluminous security vulnerabilities are those against which WAFs are most adept at defending.

WhiteHat Top 10

Cross-Site Scripting (XSS) regained its title as the most prevalent website vulnerability, found in 55% of websites in 2011. In second place on the WhiteHat Top Ten was Information Leakage, identified in 53% of websites, as compared to being the number one website vulnerability in 2010 at 64%. Figures three and four compare 2011's most prevalent website vulnerabilities with those of 2010, showcasing significant reductions in most categories.

Report statistics were gathered through enterprise deployments of WhiteHat Sentinel, a Software-as-a-Service (SaaS)-based website (or application) vulnerability management solution, providing the most accurate and complete vulnerability assessments in the industry. The WhiteHat Sentinel line of services conducts ongoing static (Sentinel Source) and dynamic (Sentinel PE, SE, and BE) security assessments for websites. These services help companies protect their brands, attain PCI Compliance, mitigate risk and drive actionable security programs across the entire Software Development Life Cycle (SDLC).

The complete report, including additional data and detailed analysis on Windows of Exposure, Time-to-Fix, Remediation Time and Vulnerability Prevalence across industries, is available for download here: WhiteHat Security Statistics Report.

About WhiteHat Security
Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of Website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company's flagship product family, is the most accurate, complete and cost-effective Website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of Website security and prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of Website vulnerabilities via integration with Web application firewalls and Snort-based intrusion prevention systems. To learn more about WhiteHat Security, please visit our Website at

*Serious Vulnerabilities: Those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.