SOURCE: WhiteHat Security

March 07, 2011 09:00 ET

WhiteHat Security Winter Website Security Statistics Report Finds Average Website Has Serious Vulnerabilities Almost Every Day of the Year

Retail, Social Networking, Education Among the Most Underperforming Industries; Banking and Healthcare Industries Lead in New Window of Exposure Metric but Still Fall Far Short of Rigorous Security Processes

SANTA CLARA, CA--(Marketwire - March 7, 2011) - WhiteHat Security, the leading provider of website risk management solutions, today released the eleventh installment of the WhiteHat Security Website Security Statistics Report. The report reviewed vulnerabilities found in websites during the 2010 calendar year, examining the severity and duration of serious vulnerabilities across more than 3,000 websites. Among its findings, WhiteHat researchers found that the average website carried at least one serious vulnerability for more than nine months of the year, and that Information Leakage has overtaken Cross-Site Scripting as the most common website vulnerability.

Open Windows of Exposure

The report examined data from more than 3,000 websites across 400 organizations that are continually tested for vulnerabilities by WhiteHat Security's Sentinel service. This process provides a real-world look at website security across a range of vertical markets. By evaluating total window of exposure, it offers a more complete analysis of the state of an individual website's security, not only including the number of vulnerabilities, but also remediation rates and time-to-fix metrics.

"It's inevitable that websites will contain some faulty code -- especially in sites that are continually updated. Window of Exposure is a useful combination of the vulnerability prevalence, the time it takes to fix vulnerabilities, and the percentage of them that are remediated," said Jeremiah Grossman, founder and CTO of WhiteHat Security. "Specifically for CIOs and security professionals, measuring window of exposure offers a look at the duration of risk their business and user data is exposed to by not having sufficient remediation processes in place."

The average website falls into the "always" or "frequently" vulnerable category, meaning it had at least one serious vulnerability open for more than 270 days of the year. When window of exposure is compared across industries, a vast difference in approaches to website security becomes apparent. Heavily regulated industries like healthcare and banking have the lowest rates, yet 14 and 16 percent (respectively) of their sites still had a serious vulnerability open throughout the entire year. Social networking and retail have two of the largest windows of exposure, potentially reflecting the rate at which they update their sites and introduce new code. The education industry has the dubious honor of leading the category, with 78 percent of sites vulnerable at least nine months of the year. Figure one highlights window of exposure by industry.
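The metric described above combines how many serious vulnerabilities a site has, how long each stays open, and how many are ever fixed. The following is an added worked example, not code from WhiteHat or the report, showing how a Window of Exposure figure is derived from per-vulnerability found/fixed dates: overlapping open periods are merged so the result is the number of calendar days in the year on which at least one serious vulnerability was open. The vulnerability list is constructed for illustration, and the day bands used for the descriptive labels are an assumption; the page only states that "always" and "frequently" together mean more than 270 days.

```python
from datetime import date, timedelta

# Constructed sample: serious vulnerabilities on one hypothetical site, as
# (name, date found, date fixed). None = still open at year end. Not report data.
SAMPLE_VULNS = [
    ("reflected XSS", date(2010, 1, 10), date(2010, 2, 15)),
    ("SQL injection", date(2010, 2, 1), date(2010, 2, 5)),
    ("information leakage", date(2010, 6, 1), None),
    ("CSRF", date(2009, 12, 1), date(2010, 1, 3)),   # carried over from the prior year
]

YEAR_START = date(2010, 1, 1)
YEAR_END = date(2010, 12, 31)

# Assumed day bands for the report's descriptive labels; the page only states
# that "always" and "frequently" mean more than 270 days.
BANDS = [(365, "always"), (271, "frequently"), (151, "regularly"),
         (31, "occasionally"), (1, "rarely"), (0, "never")]


def exposed_days(vulns, year_start=YEAR_START, year_end=YEAR_END):
    """Days within the year on which at least one serious vuln was open.

    A vuln is open from the day it was found up to the day before it was fixed.
    Overlapping vulns are merged, so the result counts calendar days, not
    vuln-days, and can never exceed the length of the year.
    """
    intervals = []
    for _, found, fixed in vulns:
        start = max(found, year_start)
        end = year_end if fixed is None else min(fixed - timedelta(days=1), year_end)
        if start <= end:
            intervals.append((start, end))
    intervals.sort()
    total, cur_start, cur_end = 0, None, None
    for start, end in intervals:
        if cur_end is not None and start <= cur_end + timedelta(days=1):
            cur_end = max(cur_end, end)          # extend the current exposed run
            continue
        if cur_end is not None:
            total += (cur_end - cur_start).days + 1
        cur_start, cur_end = start, end
    if cur_end is not None:
        total += (cur_end - cur_start).days + 1
    return total


def exposure_band(days):
    """Map an exposed-day count to a descriptive band (bands are assumed, see above)."""
    for threshold, label in BANDS:
        if days >= threshold:
            return label
    return "never"


def remediation_rate(vulns):
    """Fraction of serious vulns that were fixed at all."""
    if not vulns:
        return 0.0
    return sum(1 for _, _, fixed in vulns if fixed is not None) / len(vulns)


def average_time_to_fix(vulns):
    """Mean days from found to fixed, over the vulns that were fixed."""
    ttf = [(fixed - found).days for _, found, fixed in vulns if fixed is not None]
    return sum(ttf) / len(ttf) if ttf else None


if __name__ == "__main__":
    days = exposed_days(SAMPLE_VULNS)
    print(f"window of exposure: {days} days ({exposure_band(days)})")
    print(f"remediation rate: {remediation_rate(SAMPLE_VULNS):.0%}")
    print(f"average time-to-fix: {average_time_to_fix(SAMPLE_VULNS):.1f} days")
```

The merge step is the part worth noticing: a site with five short-lived vulnerabilities that all overlap has a small window, while a single unfixed finding drives the site straight into the "always" band no matter how good its time-to-fix on everything else is. That is why the report treats remediation rate, time-to-fix and prevalence as one combined metric rather than three separate ones.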

Information Leakage overtakes Cross-Site Scripting

Also of particular note, in 2010, 64 percent of websites had at least one Information Leakage vulnerability, which overtook Cross-Site Scripting as the most prevalent vulnerability by a few tenths of a percent. Information Leakage describes a vulnerability in which a website reveals sensitive data, such as technical details of the Web application, environment, or user-specific data.
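Information Leakage is usually the easiest class to detect and the easiest to fix, which makes its first place in the prevalence ranking notable. The following is an added example, not WhiteHat's scanner logic or any code from the report, of the kind of response check an assessment performs: it inspects constructed HTTP responses for the common signatures of the definition given above (version banners, framework headers, stack traces, filesystem paths, database error text, internal addresses). The two sample responses, the header and body patterns, and the finding names are all illustrative assumptions.

```python
import re

# Constructed sample responses (not captured from any real site or from the report).
# Each is a dict with the response headers and body as a scanner would see them.
LEAKY_RESPONSE = {
    "headers": {
        "Server": "Apache/2.2.14 (Ubuntu) PHP/5.3.2",
        "X-Powered-By": "PHP/5.3.2",
    },
    "body": (
        "<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
        "MySQL result resource in /var/www/html/app/db.php on line 42"
    ),
}

# The same failure after hardening: version strings suppressed, generic error page.
HARDENED_RESPONSE = {
    "headers": {"Server": "Apache"},
    "body": "<h1>Something went wrong</h1><p>Reference: 8f3a2c</p>",
}

# Header checks: (finding, header name, pattern that flags the header value).
HEADER_CHECKS = [
    ("server-version-banner", "Server", re.compile(r"\d+\.\d+")),
    ("x-powered-by-header", "X-Powered-By", re.compile(r".")),
    ("aspnet-version-header", "X-AspNet-Version", re.compile(r".")),
]

# Body checks: (finding, pattern). Each pattern matches a classic leakage signature.
BODY_CHECKS = [
    ("stack-trace", re.compile(
        r"Traceback \(most recent call last\)|Stack Trace:"
        r"|\bat [\w$]+(?:\.[\w$]+)+\(|\bon line \d+")),
    ("filesystem-path", re.compile(
        r"/(?:var|home|usr|etc|opt)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+")),
    ("sql-error", re.compile(
        r"You have an error in your SQL syntax|ORA-\d{5}|mysql_\w+\(\)"
        r"|Unclosed quotation mark|PG::SyntaxError", re.IGNORECASE)),
    ("internal-ip", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
]


def find_information_leaks(response):
    """Return (finding, evidence) pairs for every leakage signature in a response."""
    findings = []
    headers = {name.lower(): value for name, value in response.get("headers", {}).items()}
    for finding, header, pattern in HEADER_CHECKS:
        value = headers.get(header.lower())
        if value is not None and pattern.search(value):
            findings.append((finding, f"{header}: {value}"))
    body = response.get("body", "")
    for finding, pattern in BODY_CHECKS:
        match = pattern.search(body)
        if match:
            findings.append((finding, match.group(0)))
    return findings


def leak_kinds(response):
    """Sorted, de-duplicated finding names, handy for asserting on a scan result."""
    return sorted({finding for finding, _ in find_information_leaks(response)})


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, leak_kinds(resp))
```

The hardened response corresponds to what a site gets from Apache's `ServerTokens Prod`, PHP's `expose_php = Off` and a generic error handler that logs the real exception server-side under an opaque reference. Two caveats a practitioner would want: the bare "Apache" token is still a product disclosure, so whether it counts as a finding is a policy decision for the assessment, and pattern checks like these only cover the technical-detail half of the definition; user-specific data exposed in a response has to be judged against what the requesting user is entitled to see, which no regex can decide.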

The report statistics were gathered through the deployment of WhiteHat Sentinel, a Software-as-a-Service (SaaS)-based website vulnerability management platform, providing the most accurate and complete vulnerability assessments in the industry. WhiteHat Sentinel executes rigorous and ongoing website security assessments on more than 3,000 websites, helping companies protect their brands, attain PCI compliance and avoid costly and damaging breaches.

Serious Vulnerabilities: Those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.

The complete report, including more data and detailed analysis on Windows of Exposure, Time-to-Fix, Remediation Time and Vulnerability Prevalence across industries is available for download at:

About WhiteHat Security
Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of website risk management solutions that protect critical data, ensure compliance and narrow the window of risk. WhiteHat Sentinel, the company's flagship product family, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. Furthermore, WhiteHat Sentinel enables automated mitigation of website vulnerabilities via integration with Web application firewalls and Snort-based intrusion prevention systems. To learn more about WhiteHat Security, please visit our website at