Most Websites Have Web Security Vulnerabilities

Nearly two thirds of Websites have at least one serious vulnerability, according to new research from WhiteHat Security.

New research from WhiteHat Security painted a bleak picture for Website security.

In its latest iteration of its Website Security Statistics report, WhiteHat found 64 percent of the 1,364 sites the company analyzed have at least one serious vulnerability. But the news isn’t all bad—according to the company, 17 percent of the sites have never had a serious vulnerability.

Of the verticals the researchers studied, social networks had the highest percentage of Websites with vulnerabilities classified as “urgent,” “critical” or “high,” coming in at 86 percent. Education Websites were a close second, with 83 percent having at least one vulnerability.

According to the company, the Websites without any serious issues were nearly identical to those with them in terms of their characteristics. To WhiteHat, this suggests the difference between the ones that get compromised and the ones that don’t has to do with how proactively businesses identify and remediate security issues.

“It is extremely interesting to see that all the Websites that are no longer vulnerable are so similar characteristically in technology and site format to those that have vulnerabilities,” said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security, in a statement. “The big difference right now seems to be that these organizations set an internal mandate to actively fix their flaws and reduce the potential for damage to their Website, reputation and customers.”

According to the report, it took an average of 67 days for site owners to fix a cross-site scripting vulnerability, and more than 100 days to address session fixation.

“Once vulnerabilities are identified, it does not necessarily mean they are fixed quickly, or ever,” the report states. “It is interesting to analyze the types and severity of the vulnerabilities that do get fixed (or not) and in what volumes. Some organizations target the easier issues first to demonstrate their progress by vulnerability reduction. Others prioritize the high severity issues to reduce overall risk. Still, resources and security interest are not infinite, so some issues will remain unresolved for extended periods of time.”