When it comes to computer security, there is usually a river of bad news on an almost daily basis: new vulnerabilities are found and new massive data breaches are reported. So any positive news is good for those with an information technology degree. And there is some: website security has greatly improved. According to security firm WhiteHat Security, last year saw a radical reduction in online vulnerabilities, as seen across 7,000 websites from 500 organizations spanning major vertical markets.
Among the findings in the report, WhiteHat research suggests that the average number of serious vulnerabilities found per website per year in 2011 was 79, a substantial reduction from 230 in 2010 and down from 1,111 in 2007.
Banking websites had the smallest number of serious vulnerabilities — 17 per website. On the good side, website managers are trying to fill gaps. However, that is where the bad news begins: no matter how long and how well vulnerabilities have been known, corporate websites continue to exhibit these documented weaknesses, as WhiteHat shows:
Cross-Site Scripting (XSS) regained its title as the most prevalent website vulnerability, found in 55% of websites in 2011. In second place on the WhiteHat Top Ten was Information Leakage, identified in 53% of websites, as compared to being the number one website vulnerability in 2010 at 64%. Figures three and four compare 2011’s most prevalent website vulnerabilities with those of 2010, showcasing significant reductions in most categories.
Even with the reductions, there are clearly many sites at risk from known issues. Often these exposures are avoidable; WhiteHat estimates that 71 percent of the custom Web application weaknesses it found could be handled by Web Application Firewalls. Companies fixed vulnerabilities in 38 days or faster, which is much better than the 116 days in 2010, but it still means that vulnerabilities remain exposed long enough for attackers to get into a system and possibly leave backdoor access for a later time. And then there is the continuing stream of new security issues that companies must address. One of the latest is Google Now, which offers recommendations based on such information as someone’s search history, calendar, and location. Although the new service has not caused a problem yet, the possibilities are there. Aside from the privacy issues for individuals who use Now, in an age of IT consumerization and bring your own device to work (BYOD), companies wonder about the security implications when people use one device for both work and their personal lives, particularly when IT staff cannot be sure exactly how much data, and of what type, is sent back to Google. Going forward, IT departments will have to not only manage the existing security weaknesses, but also anticipate new ones as they appear.