Web site security improves from appalling to merely bad

Average number of serious vulnerabilities drops to 79

Something strange has been happening to commercial web sites across a range of vertical markets, according to security researchers at White Hat Security: they have been bucking the usual pattern of users and site managers who never learn their lesson about routine security risks, and are instead becoming steadily more secure.

Data from more than 7,000 sites audited or protected by White Hat's security services during 2011 showed an average of only 79 serious vulnerabilities per site, compared to 230 during 2010 and 1,111 per site in 2007.

"Awareness is building and people are getting better in the fixing [of vulnerabilities]," Jeremiah Grossman, founder and chief technology officer of WhiteHat, told PCWorld. "Web security is definitely getting more important, because the bad guys are showing that they're perfectly capable and willing to hack Web sites that aren't doing the best that they can."

Despite the improvement, there is still a 55 percent chance that any single site will include at least one cross-site scripting (XSS) security flaw and a 64 percent chance of some other form of data leakage, according to analysis by ThreatPost.

Banking sites were the most consistently up to date, showing an average of only 17 serious vulnerabilities per site, according to the report. Retail sites were the most holey, with an average of 121 flaws; insurance sites came in second with an average of 92 flaws (PDF of full report here).

Banks also had the highest rate of remediation; 74 percent reported they had repaired a vulnerability quickly after it was identified.

Although the average number of unfixed vulnerabilities continues to drop and remediation rates continue to rise in many vertical industries, not just banking, White Hat did find that the more serious a vulnerability was, the more likely it was to return after being fixed at least once.

The most likely explanation, the report said, is that many sites use rapid-response "hot-fix" processes to patch vulnerabilities on a live server, then hand responsibility for the permanent fix to developers, rather than to the front-line web administrators or security monitors who applied the hot-fix.

Frequently the fix goes onto development's to-do list, beneath a host of other bug fixes and feature requests. Not surprisingly, once the immediate risk of a vulnerability is mitigated, it becomes less of a priority for developers, who may delay incorporating it for one or two revision releases. Each new release copies over the old configuration, however, so the hot-fix applied on the live server is overwritten by the release and the vulnerability reappears, according to White Hat.
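One defensive control for the overwrite failure described above, as an added example that is not WhiteHat's or the report's tooling: a release gate that records a fingerprint of each hot-fixed file before and after the fix, and refuses to deploy a candidate that ships the pre-fix version again. The finding ids, file paths and template contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class HotFix:
    finding_id: str         # tracker id of the finding the hot-fix closed
    severity: str           # High, Critical or Urgent (the report's bands)
    path: str               # file patched on the live server
    vulnerable_sha256: str  # fingerprint of the file before the hot-fix
    patched_sha256: str     # fingerprint of the file after the hot-fix

def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def check_release(hotfixes, release_files):
    """Map finding_id -> verdict for a release candidate (path -> bytes).
    'reverted': candidate ships the exact pre-fix file, the failure mode
    the report describes. 'ok': hot-fixed file present unchanged.
    'review': file rewritten or missing; confirm by hand before deploy."""
    verdicts = {}
    for fix in hotfixes:
        content = release_files.get(fix.path)
        if content is None:
            verdicts[fix.finding_id] = "review"
        elif fingerprint(content) == fix.vulnerable_sha256:
            verdicts[fix.finding_id] = "reverted"
        elif fingerprint(content) == fix.patched_sha256:
            verdicts[fix.finding_id] = "ok"
        else:
            verdicts[fix.finding_id] = "review"
    return verdicts

def release_is_blocked(verdicts):
    """Any reverted hot-fix blocks the deploy; 'review' only warns."""
    return any(v == "reverted" for v in verdicts.values())

# Constructed sample: an Urgent reflected-XSS hot-fix on a search template
# and a High header-hardening hot-fix. The candidate branch predates the
# template fix, so the old template comes back; the header fix was merged.
VULN_TEMPLATE = b"<h1>Results for {{ query|safe }}</h1>\n"
FIXED_TEMPLATE = b"<h1>Results for {{ query }}</h1>\n"
FIXED_CONF = b"add_header X-Content-Type-Options nosniff;\n"
SAMPLE_HOTFIXES = [
    HotFix("WH-1042", "Urgent", "templates/search.html",
           fingerprint(VULN_TEMPLATE), fingerprint(FIXED_TEMPLATE)),
    HotFix("WH-1077", "High", "nginx/headers.conf",
           fingerprint(b"# no hardening headers\n"), fingerprint(FIXED_CONF)),
]
SAMPLE_RELEASE = {"templates/search.html": VULN_TEMPLATE,
                  "nginx/headers.conf": FIXED_CONF}
```

Running `check_release(SAMPLE_HOTFIXES, SAMPLE_RELEASE)` flags WH-1042 as reverted and blocks the deploy, which is exactly the regression the hot-fix-then-overwrite workflow lets through.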

"Serious" vulnerabilities fall into one of three categories: High, Critical or Urgent. Only 15 percent of vulnerabilities labeled High returned, but 23 percent of Urgent and Critical flaws recurred.

All that sounds pretty promising; a drop-off in the number of serious vulnerabilities from more than 1,100 to fewer than 100 in just five years is real progress.

On the other hand, even great progress isn't good enough when the result is that there are still 79 serious security vulnerabilities in an average site. And that's an average for professionally maintained, large-scale, commercial web sites, not mom-and-pop shops that can't afford to monitor or fix their own servers.

Given the context and the stakes (data breaches, identity theft), it's still the digital-publishing equivalent of raising your grade from an F to a C.

Better, but still not good enough

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
