July 02, 2012, 9:35 AM — Something strange has been happening to commercial web sites in a range of vertical markets, according to security researchers at WhiteHat Security: rather than following the familiar pattern of users and site managers who never learn their lesson about routine security risks, the sites have been getting steadily more secure.
Data from more than 7,000 sites audited or protected by WhiteHat's security services during 2011 showed an average of only 79 serious vulnerabilities per site, compared to 230 during 2010 and 1,111 per site in 2007.
"Awareness is building and people are getting better in the fixing [of vulnerabilities]," Jeremiah Grossman, founder and chief technology officer of WhiteHat, told PCWorld. "Web security is definitely getting more important, because the bad guys are showing that they're perfectly capable and willing to hack Web sites that aren't doing the best that they can."
Despite the improvement, there is still a 55 percent chance that any single site will include at least one cross-site scripting (XSS) security flaw and a 64 percent chance of some other form of data leakage, according to analysis by ThreatPost.
Banking sites were the most consistently up to date, showing an average of only 17 serious vulnerabilities per site, according to the report. Retail sites were the most holey, with an average of 121 flaws; insurance sites came in second with an average of 92 flaws (PDF of full report here).
Banks also had the highest rate of remediation; 74 percent reported they had repaired a vulnerability quickly after it was identified.
Although the average number of unfixed vulnerabilities continues to drop and remediation rates continue to rise in many vertical industries, not just banking, WhiteHat did find that the more serious a vulnerability was, the more likely it was to return after being fixed at least once.
The most likely explanation, the report said, is that many sites use rapid-response "hot-fix" processes to patch vulnerabilities on a live server, then hand responsibility for the flaw to developers rather than to the front-line web administrators or security monitors who applied the fix. A patch made only on the running server is easily lost when the site is next deployed from source that never received the same change, so the same vulnerability resurfaces.
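The regression pattern described above is easy to reproduce and to guard against. The following is an added example, not code from the report or from WhiteHat: a reflected-XSS bug in a search-results renderer, the hot-fix that escapes the input, and a per-release regression check that replays the original proof-of-concept payload so a fix silently dropped from a later deploy is caught before an auditor rediscovers it. The function names, the `RELEASES` history and the probe payload are all constructed for the illustration.

```javascript
// Added illustration (not WhiteHat's code): a reflected-XSS fix and the
// regression check that catches it being undone by a later deploy.

// "Before": the vulnerable search-results renderer, which reflects the
// user-supplied query straight into the HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// HTML-escape the five characters that matter in text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// "After": the hot-fix as applied on the live server.
function renderSearchFixed(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Regression check: feed the original proof-of-concept payload back through
// the renderer and confirm it no longer reaches the page as markup.
const XSS_PROBE = "<script>alert(1)</script>"; // constructed sample payload

function fixStillHolds(renderer) {
  const html = renderer(XSS_PROBE);
  // The payload must not appear verbatim, and no <script tag may be
  // introduced by the reflected input.
  return !html.includes(XSS_PROBE) && !/<script/i.test(html);
}

// Constructed deploy history: the hot-fix went live in v2 on the server
// only, the developers' source tree never picked it up, and v3 shipped the
// old renderer again. This is the "fixed once, then returns" case.
const RELEASES = [
  { version: "v1", render: renderSearchVulnerable },
  { version: "v2", render: renderSearchFixed },
  { version: "v3", render: renderSearchVulnerable },
];

// Returns the versions in which the fix is absent, in deploy order.
function regressedReleases(releases) {
  return releases
    .filter((r) => !fixStillHolds(r.render))
    .map((r) => r.version);
}

// Usage: run the check in the deploy pipeline and fail the deploy on any hit.
console.log("regressed releases:", regressedReleases(RELEASES));
```

The point of the check is that the probe comes from the original finding, not from a generic scanner: once a vulnerability has been fixed, its proof-of-concept is the cheapest possible regression test, and running it on every deploy closes the gap between the server-side hot-fix and the developers' source tree.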