Frequently the fix goes onto development's to-do list, beneath a host of other bug fixes and feature requests. Not surprisingly, once the immediate risk of a vulnerability is mitigated, it becomes less of a priority for developers, who may delay incorporating it for one or two revision releases. Each new release, however, ships with the old configuration, which overwrites the hot-fix and causes the vulnerability to reappear, according to White Hat.
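The regression described above (a hot-fix applied to a live configuration, then silently overwritten when the next release ships the pre-fix configuration file) is exactly what a deployment gate can catch. The following is an added example, not code from the article or from WhiteHat; the setting names and both configuration snapshots are constructed for illustration. It records the hardening settings a hot-fix introduced and checks a candidate release's configuration against them, reporting each setting that is missing or reverted before the release goes out.

```python
"""Detect a security hot-fix that reverted when a new release re-applied an
older configuration.  Added example; the setting names (debug_mode,
directory_listing, cookie_httponly, x_frame_options) and both snapshots are
constructed for illustration, not taken from any real product."""
import configparser

# Hardening settings the hot-fix introduced, with the value each must have.
# The section/key names are hypothetical.
REQUIRED = {
    ("server", "debug_mode"): "off",
    ("server", "directory_listing"): "off",
    ("session", "cookie_httponly"): "true",
    ("headers", "x_frame_options"): "DENY",
}

# Snapshot taken right after the hot-fix was applied (constructed).
HOTFIXED_CONFIG = """
[server]
debug_mode = off
directory_listing = off
[session]
cookie_httponly = true
[headers]
x_frame_options = DENY
"""

# Snapshot after the next release, which shipped the pre-fix configuration
# file and overwrote the hot-fixed one (constructed).  One setting is
# reverted to its old value, one is flipped back, one is gone entirely.
POST_RELEASE_CONFIG = """
[server]
debug_mode = on
directory_listing = off
[session]
cookie_httponly = false
[headers]
"""


def load(text):
    """Parse an INI-style configuration from a string."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def find_regressions(config_text, required=REQUIRED):
    """Return a list of (section, key, expected, actual) for every required
    hardening setting that is missing or differs from the hot-fix value.
    `actual` is None when the key or its section is absent, which is what an
    older file replacing the hot-fixed one looks like."""
    cp = load(config_text)
    regressions = []
    for (section, key), expected in required.items():
        actual = cp.get(section, key, fallback=None)
        if actual is None or actual.strip().lower() != expected.lower():
            regressions.append((section, key, expected, actual))
    return regressions


def release_gate(config_text):
    """True when the release may proceed: every hot-fix setting is intact."""
    return not find_regressions(config_text)


if __name__ == "__main__":
    for label, text in (("hot-fixed", HOTFIXED_CONFIG),
                        ("post-release", POST_RELEASE_CONFIG)):
        regs = find_regressions(text)
        print(f"{label}: {'OK' if not regs else 'REGRESSED'}")
        for section, key, expected, actual in regs:
            print(f"  [{section}] {key}: expected {expected!r}, found {actual!r}")
```

Run against the post-release snapshot, the gate fails and names the three reverted settings; the point is that the hot-fix becomes a recorded requirement that every later release is tested against, rather than a one-off change that lives only in the deployed file.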
"Serious" vulnerabilities fall into one of three categories: High, Critical or Urgent. Only 15 percent of vulnerabilities labeled High returned, but 23 percent of Urgent and Critical flaws recurred.
All that sounds pretty promising; a drop-off in the number of serious vulnerabilities from more than 1,100 to fewer than 100 in just five years is real progress.
On the other hand, even great progress isn't good enough when the result is that there are still 79 serious security vulnerabilities in an average site. And that's an average for professionally maintained, large-scale, commercial web sites, not mom-and-pop shops that can't afford to monitor or fix their own servers.
Given the context and the stakes (data breaches, identity theft), it's still the digital-publishing equivalent of raising your grade from an F to a C.
Better, but still not good enough
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.