While SQL injection remains a prevalent website vulnerability, it only affects 11 per cent of websites and flaws are fixed in an average of 53 days.
According to research by White Hat Security, five per cent of all websites had at least one SQL injection vulnerability that was exploitable without first needing to log in to the website.
For its website security statistics report for June 2012, more than 7,000 websites across more than 500 organisations in 12 industries were evaluated. The sector with the most vulnerabilities was retail, with 404 and a 328-day window of exposure; next was financial services, with 266 flaws and a 184-day window of exposure; and third worst was telecommunications, with 215 vulnerabilities and a 260-day window of exposure.
The industries that fixed their serious vulnerabilities the fastest were energy (four days), manufacturing (17 days) and retail (27 days). The research found that retail websites improved dramatically over the last year, yet remain the industry possessing the most security issues, with an average of 121 serious vulnerabilities identified per website.
However, 20 per cent of the vulnerabilities identified by White Hat Sentinel have been reopened at some point in time, often several times.
Of the vulnerabilities identified, cross-site scripting (XSS), information leakage and content spoofing were the most prominent at 50 per cent, 14 per cent and nine per cent respectively. Just under half (48 per cent) of XSS vulnerabilities were fixed, and doing so required an average of 65 days.
It said that information leakage is a term that describes a vulnerability in which a website reveals sensitive data, such as technical details of the web application, environment or user-specific data.
The number of serious vulnerabilities found per website per year by White Hat Security has dropped from 230 identified in 2010 to 79 in 2011. “While this vulnerability reduction trend is welcome news, there are several possible explanations that must be taken into consideration as the ‘real’ numbers may not be as rosy,” it said.
The company said that this could be due to organisations often choosing a less comprehensive form of vulnerability assessment, such as a standard or baseline product over a premium edition, or its sampling of websites.
To avoid these issues, it recommended finding all of your websites and prioritising fixes based upon business criticality, data sensitivity, revenue generation, traffic volume, number of users or other criteria the organisation deems important.
White Hat Security also recommended measuring your current security posture from an attacker perspective. It said that this step is not just about identifying vulnerabilities; it is about understanding what classes of adversaries need to be defended against and your exposure to them.
Finally, it recommended trending and tracking the lifecycle of vulnerabilities: is the development lifecycle behind the website producing too many vulnerabilities? Is the time required to fix issues lagging, is the organisation simply not fixing enough of them, or is it some combination? The answers to these questions will serve as a guide to which new and/or improved SDL-related activities are likely to make the most impact and drive toward organisational goals.