"These are real-world Web sites," Grossman says. "I would guarantee that you have accounts and data in many of the sites we test."
Of course, that single statistic doesn't tell the whole story. While the average came in at 79 serious vulnerabilities, the standard deviation was 670: Some Web sites expose a lot more vulnerabilities than others. Also, according to Netcraft, there are roughly 700 million Web sites on the Internet and tens of millions more are coming online each month. While it's a large sample, 7,000 Web sites is just a tiny fraction of the whole.
Still, WhiteHat's findings paint a picture of the state of Web site security today, a picture in which Web site security is slowly improving. The banking vertical continued to show its dedication to security: Banking Web sites again possessed the fewest serious vulnerabilities of any industry, with an average of 17 serious vulnerabilities per Web site. Banking also had the highest remediation rate of any industry, at 74%. Every industry, with the notable exceptions of healthcare and insurance, showed improvement from 2010.
Additionally, time-to-fix showed vast improvement, dropping to an average of 38 days, much shorter than the average of 116 days in 2010. "The developers know that 38 days is actually a really, really good number because they know how long it does take," Grossman says. "But to the end users, 38 days is unacceptable."
Steps to Improve Your Security Posture
To improve your application security posture and make the best possible use of your IT security budget, Grossman suggests you first determine whether you are a target of opportunity or a target of choice. Targets of opportunity are breached when their security posture is weaker than the average organization in their industry. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker.
"On the Web, if you're doing business of any kind, you're going to be a target of opportunity," Grossman says. "Everybody has something worth stealing to a bad guy these days. Other companies are a target of choice because they have something the bad guys want: your credit card numbers or IP or customer lists. This aligns with how secure you need to be. No one needs perfect security."
If you determine you're a target of opportunity, Grossman says, you need to make sure that you are a little bit more secure than the average business in your category. He notes that organizations can use the data in WhiteHat's free Website Security Statistics Report to benchmark where they need to be.
Targets of choice, on the other hand, need to make themselves as secure as they possibly can and then prepare plans for how to react when they are breached so they can minimize the damage as much as possible.