A lot of attention has been paid this year to credential theft through phishing attacks as a prime entry point leading to data theft. But a new report says website vulnerabilities still demand attention.
Application security solutions vendor WhiteHat Security found that last year 86 per cent of 30,000 customer websites it tested had at least one serious vulnerability. Just over half had more than one.
On average, 61 per cent of these vulnerabilities were resolved, but it took an average of 193 days from the first customer notification.
Globally, 55 per cent of retail trade sites, 50 per cent of health care/social assistance sites, and 35 per cent of finance/insurance sites were always vulnerable. Conversely, educational services was the best performing industry, with the highest percentage of rarely vulnerable sites (40 per cent). Arts, entertainment, and recreation was the next best industry, with 39 per cent of sites in the rarely vulnerable category.
The good news is that — at least among the sites tested — content spoofing, cross-site scripting and fingerprinting have sharply declined in recent years. But the bad news is that insufficient transport layer protection has become the most likely vulnerability (70 per cent), followed by information leakage (56 per cent) and cross-site scripting (47 per cent).
The report quotes the 2015 Verizon Data Breach report, which says that for the financial services industry web applications were the second leading cause of incidents (behind crimeware) last year, while in the healthcare and information technology industries web applications were the fourth and second leading causes of breaches respectively.
“The answer to Web security, and much of information security, is we need more secure software, not more security software,” the WhiteHat report says in part. “While this is easy to say and has been said by us many times in the past, the process of actually doing so is anything but solved or widely agreed upon – despite the plethora of so-called best practices and maturity models.”
No single best practice will benefit every organization, the report adds. “What we found is that certain software security activities (for example static analysis, architectural analysis, operational monitoring, etc.) would help certain application security metrics, but have little-to-no impact on others. For example, an activity might reduce the average number of vulnerabilities in a given application, but not improve the speed with which vulnerabilities are fixed or how often.
“The best advice we can give is for an organization to create a metrics program that tracks the area they want to improve upon, and then identify activities that’ll most likely move the needle. If an activity does work – great! Keep doing it! If there is no measurable benefit, stop, save the time and energy, and try something else. Frankly, this process is much easier and more effective than blindly following maturity models.”
Statistically, it adds, the best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. That makes application security part of a development group’s daily work and creates an effective process for solving problems. WhiteHat found that organizations that have connected their vulnerability feed to the development process exhibit roughly 45 per cent fewer vulnerabilities, fix issues nearly a month faster on average, and increase remediation rates by 13 points.