Author Topic: 80% of websites have a security issue!


Offline polonus

80% of websites have a security issue!
« on: August 28, 2008, 10:08:04 PM »
Hi malware fighters,

WhiteHat Security, the leading provider of SaaS-based website security solutions, today released the fifth installment of the WhiteHat Website Security Statistics Report, providing a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. During that time, the industry has seen the Web-layer rise to be the number one target for malicious online attacks, with website hacking evolving from exploration and experimentation, to exploitation and monetization. In addition to the regular roster of vulnerabilities that repeatedly make the top ten list, Cross-Site Request Forgery (CSRF) has joined the mix in Q2 of 2008. On a positive note, 66 percent of all vulnerabilities identified have been remediated, underscoring the value of a consistent website vulnerability management program.

The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat's report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

In this latest edition, WhiteHat finds 82 percent of websites have had at least one security issue, with 61 percent still having issues of high, critical or urgent severity. Overall vulnerability counts are beginning to decline; however, the likelihood of websites having at least one issue of significant severity has remained constant when compared to previous reports. As a baseline, WhiteHat used the Payment Card Industry Data Security Standard (PCI-DSS) severity rankings (Urgent, Critical, High, Medium, Low) to rate vulnerability severity by the potential business impact if the issue were to be exploited. According to PCI-DSS, any website with urgent, critical or high severity issues cannot be considered compliant.

Within this fifth report, the top ten list saw notable changes. Most noticeably, CSRF cracked the top ten, replacing Directory Indexing; WhiteHat asserts that CSRF is present in approximately three-quarters of the world's websites. The top ten list also indicates that companies are remediating SQL Injection, Cross-Site Scripting (XSS) and HTTP Response Splitting issues en masse, although achieving 100 percent effectiveness has proved difficult. Business Logic Flaws have remained steady in the top ten, including Insufficient Authorization, Insufficient Authentication, Abuse of Functionality and Content Spoofing -- all issues that can be devastating if exploited. While not the most voluminous in raw numbers, Business Logic Flaws are still highly prevalent across websites and can lead directly to business loss through non-sophisticated attacks.

New to this edition of the report, WhiteHat analyzed which website security issues are being addressed as well as how quickly remediation is occurring. For this portion of the report, WhiteHat focused on vulnerabilities identified and resolved between July 31, 2007 and July 31, 2008 and sorted the data by most common urgent, critical and high severity issues. Among urgent severity vulnerabilities, HTTP Response Splitting took the longest to remediate, in an average of 93 days, while Information Leakage was quickest at 26 days. Additionally, HTTP Response Splitting topped the chart for remediation, with 83 percent resolved, whereas only eight percent of the Brute Force attack class were resolved. As could be expected, the overall time-to-fix measurements left room for improvement; however significant headway has been made since the last report.

"Our fifth report highlights many angles of the constantly-evolving website security landscape," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. "With malicious Web attacks continuing to become more and more financially motivated, it is crucial that companies take appropriate action to secure their websites. We hope enterprises find this report a useful tool for timely information about the latest attack trends, how websites can be best defended as well as visibility into the vulnerability lifecycle."

The report statistics were gathered through the deployment of WhiteHat Sentinel, a SaaS-based website vulnerability management solution that integrates the precision of advanced vulnerability assessment technology with the expertise of top-flight security engineers to ensure total, worry-free website security. With more than 600 sites under management, including many of the Fortune 500, WhiteHat has access to an unparalleled amount of website security data, allowing the company to accurately identify which issues are the most prevalent. WhiteHat Security uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.

WhiteHat plans to issue continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers. Based on feedback already received, the latest report includes: comparing vulnerability prevalence by severity, top ten vulnerability classes sorted by percentage likelihood and an outline of the types of technology typically encountered during WhiteHat vulnerability assessments mapped with the associated vulnerability percentage breakdown. WhiteHat will be hosting a webinar to reveal more of the report findings on Wednesday, August 27, 2008 at 11:00 a.m. PT / 2:00 p.m. ET. For more information visit WhiteHat's site at www.whitehatsec.com and see the upcoming events section. You can also register at https://whitehatsec.market2lead.com/go/whitehatsec/stats0827 . A full copy of the WhiteHat Website Security Statistics Report can be downloaded at https://whitehatsec.market2lead.com/go/whitehatsec/WPstats0808 .

About WhiteHat Security, Inc.

Headquartered in Santa Clara, California, WhiteHat Security is the leading provider of SaaS-based website security solutions. WhiteHat delivers turnkey solutions that enable companies to secure valuable customer data, comply with industry standards and maintain brand integrity. WhiteHat Sentinel, the company's flagship service, is the only solution that incorporates expert analysis and industry-leading technology to provide unparalleled coverage to protect critical data from attacks. For more information about WhiteHat Security, please visit our website, www.whitehatsec.com.

SOURCE WhiteHat Security, Inc.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: 80% of websites have a security issue!
« Reply #1 on: August 29, 2008, 12:12:55 AM »
I feel certain I have seen a similar hyped topic title in the forums before, and the 80% figure was absolute rubbish.

I mean, that is billions of sites, and there is absolutely no way they could gather information on billions of sites as to their security issues. Perhaps 80% of a sample, and depending on that sample size it may be statistically insignificant when compared to the total number of web sites.

Quote
The report statistics were gathered through the deployment of WhiteHat Sentinel, a SaaS-based website vulnerability management solution that integrates the precision of advanced vulnerability assessment technology with the expertise of top-flight security engineers to ensure total, worry-free website security.

So to me this sample size is totally insignificant to the total web sites and the title is. To any statistical analyst worth their salt this would be laughed out of court, the sample is too small and isn't a random sample of all web sites.

Sorry, but there are lies, damn lies and statistics. It sounds like they are trying to give us a headache so they can sell us an aspirin.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: 80% of websites have a security issue!
« Reply #2 on: August 29, 2008, 12:33:39 AM »
Hi DavidR,

Well, it might be just a statistical arrangement. I cannot comment on the conclusions of the article; I gave it as I have found it, and the original is subscription-only from WhiteHat. "Security issue" here means just an issue, or a minor issue, that could be abused or is not according to the standards, and there aren't many sites on which, with a periscope, we cannot find such an issue. What site is totally free from code errors? 20% is a high number there; the rest must be the mentioned 80%. The report did not say malicious sites or infection-vector-laden sites. Read and then comment, and do not read into it what is not there....

polonus

Offline DavidR

Re: 80% of websites have a security issue!
« Reply #3 on: August 29, 2008, 12:46:08 AM »
The title is reading into it what is not there, because that statement doesn't limit its scope to a sample. So the title implies 80% of the whole internet have a security issue, when that clearly isn't the case; it derives that from a flawed analysis of a statistically insignificant sample.

A slightly more correct title might be, 80% of sites using WhiteHat Sentinel were found to have a security issue (as that is what the report was based on). However that title wouldn't have made such good copy and would even look like WhiteHat Sentinel wasn't very good ;D

It is so easy to manipulate statistics as to make most of what we see and hear to be taken with a giant pinch of salt. So to me the title bears no relationship to what is being said.