PCI News

Birdseye View Into Real-World Website Risks Provided by Seventh WhiteHat Security Statistics Report

(May 19, 2009) - One of the leading providers of website risk management solutions, WhiteHat Security, released the seventh installment of the WhiteHat Website Security Statistics Report, providing a unique high-level perspective on the most prevalent website security issues using aggregate data from real-world production websites. WhiteHat's report reveals the top ten website vulnerabilities, a vertical market breakout and insight into the evolving threats facing organizations today.

WhiteHat recently reached 1,000 websites under management, and because all assessments are conducted on production websites, businesses get a realistic view into attacks that can cause damage to their sites and also learn how to implement an effective website risk management program, reduce exposure and improve their overall security posture. As the leading Software-as-a-Service (SaaS) website vulnerability assessment solution, WhiteHat has singular access to a vast sample of vulnerabilities in custom Web applications across vertical markets. This unique perspective results in a report that presents the dominant website security issues affecting the enterprise. The data collected is the only data in the industry that links attacks that are possible to what is actually probable.

WhiteHat's latest report contains data collected between January 1, 2006 and March 31, 2009, and finds 82 percent of websites have had a high, critical or urgent issue over their lifetime. Currently, WhiteHat finds that 63 percent of websites have a high, critical or urgent issue, proving that the consistency, thoroughness and frequency of WhiteHat Sentinel assessments lead to a decrease in vulnerabilities and therefore a decrease in overall risk. Of the 17,000-plus vulnerabilities identified, a little more than 7,000 remain open, which means that more than half (60 percent) have been closed. Additionally, WhiteHat Sentinel's SaaS offering arms organizations with the information they need to protect their brands, attain PCI Compliance and avoid costly and damaging breaches.

The top ten vulnerabilities remain largely unchanged, with Cross-Site Scripting continuing to top the list. Business logic flaws, an often-overlooked issue that enables hackers to take advantage of the functionality of a site, occupied more than half of the top spots. WhiteHat's report also presents statistics showing that 70 percent of websites have at least one critical vulnerability, while another 63 percent fall into the high category.

In addition, the report sheds light on the breadth of website security issues through its vertical market breakout. Social Networking sites topped the list this time around, with 82 percent having an urgent, critical or high severity vulnerability. Education sites were bumped to the number two spot with 76 percent, and IT came in a close third with 75 percent.

"One of the biggest takeaways from this report is that not all vulnerabilities are created equal, but many are very serious -- leaving the door open to exploit sensitive information and cause some serious damage," said Jeremiah Grossman, founder and chief technology officer at WhiteHat Security. "Because the information in our report is the only one in the industry that looks at real production websites, we are able to provide businesses with unparalleled visibility into their website risk management posture. We remain vigilant in helping businesses combat the constantly changing threat landscape and will continue to do our best to arm them with the necessary tools and data to protect their sites."

The report statistics were gathered through the deployment of WhiteHat Sentinel, a SaaS-based website risk management solution. With more than 1,000 sites under management, including many of the Fortune 500, WhiteHat has access to an unmatched amount of website security data, allowing the company to accurately identify which issues are the most prevalent. WhiteHat Security uses the Web Application Security Consortium (WASC) Threat Classification as a baseline for classifying vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS) severity system to rate vulnerability severity.

For more information, visit www.whitehatsec.com
Copyright © 2007-2010 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.