WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation

May 21, 2015, 08:00 ET from WhiteHat Security

SANTA CLARA, Calif., May 21, 2015 /PRNewswire/ -- WhiteHat Security, the Web security company, today announced the 2015 edition of the WhiteHat Security Website Security Statistics Report, which provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to safely conduct business online. This year's report found that while no true security best practices exist, the key is in identifying the security metrics that mean the most to the organization and focusing on those activities to remediate specific vulnerabilities.  

"We see no compelling evidence of 'best-practices' in application security," said Jeremiah Grossman, founder of WhiteHat Security. "We instead observed that certain software security activities improve specific metrics, such as the number of vulnerabilities, time-to-fix, and remediation rates, more than other activities. The best approach is for organizations to identify specific security metrics they'd like to improve upon, and then strategically select activities most likely to make a positive impact."

This year's report was generated by examining vulnerabilities of more than 30,000 websites under WhiteHat Sentinel management. Overall, data for 2015 turned out to be far more serious than anticipated.

  • 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time, far more than one – 56% to be precise.   
  • On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.     
  • Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.

Window of exposure

Window of exposure is defined as the number of days an application has one or more serious vulnerabilities open during a given time period. The 2015 report found that 55% of retail trade sites, 50% of health care and social assistance sites, and 35% of finance and insurance sites are always vulnerable, meaning sites had at least one serious vulnerability exposed every single day of the year. Conversely, only 16% of the retail trade sites, 18% of health care and social assistance sites, and 25% of finance and insurance sites had one or more serious vulnerabilities exposed less than 30 days of the year.

"From our research, what matters between the spectrum of those who are always vulnerable and rarely vulnerable is less about the programming languages, industry vertical, size of the organization, and so on," said Grossman. "What seems to matter more than anything else is organizations having a strong internal driver, and a culture of accountability for fixing identified vulnerabilities in a specific timeframe. The executive level mandate creates an environment for the development groups to create effective remediation processes."

Remediation is what counts

In addition to compiling data from websites under WhiteHat Sentinel management, the company also utilized a version of BSIMM 1(Building Security In Maturity Model), called vBSIMM2 (the 'v' stands for 'vendor'), which is essentially a software security activity checklist for third-party software suppliers. WhiteHat researchers modified the vBSIMM checklist, added some dates and activity frequency questions, and issued it as a survey to WhiteHat customers. The aggregated responses of the survey (118 in total) were compared with results from WhiteHat Sentinel's vulnerability metrics and then mapped to vBSIMM software security activities and to outcomes around activities such as remediation and accountability.

Researchers found that the best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This approach makes application security front-and-center in a development group's daily work activity and creates an effective process to solve problems. This year's report yielded positive results when priority was given to increasing remediation rates. Notably, results also showed that major vertical industries aren't placing enough focus on remediation.

  • Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
  • Organizations that have made the vulnerability feed-to-development process connection, exhibited roughly 40% less vulnerabilities, fixed issues nearly a month faster on average and increased remediation rates by 15%.
  • Considering sites in health care, retail trade and finance were found to be "always vulnerable," their remediation rates are relatively low at 20%, 21%, and 27% respectively.

"We realize that using compliance as a driver to remediate vulnerabilities is a double-edged sword, but the data demonstrates that those companies have the best statistics in terms of securing their organization's sites," said Grossman. "This year's report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users."

To view the full 2015 WhiteHat Security Website Security Statistics Report, please click here, or join the conversation on Twitter using #WHStats and by following @whitehatsec.

(*Serious vulnerabilities are defined as those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news. In short, serious vulnerabilities are those that should really be fixed.)

About WhiteHat Security 
Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security is the leader in application security, enabling businesses to protect critical data, ensure compliance, and manage risk. WhiteHat is different because we approach application security through the eyes of the attacker. Through a combination of technology, more than a decade of intelligence metrics, and the judgment of real people, WhiteHat Security provides complete web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company's flagship product line, currently manages tens of thousands of websites – including sites in highly regulated industries, such as top e-commerce, financial services, and health care companies. For more information on WhiteHat Security, please visit www.whitehatsec.com.

1The Building Security In Maturity Model (BSIMM): https://www.bsimm.com/
2BSIMM for vendors (vBSIMM): https://www.bsimm.com/related/


SOURCE WhiteHat Security