WhiteHat Website Security Statistics Report

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

Spring 2009 – 7th Edition – Website Security Statistics Report

Download a PDF of the report ››› PDF
Listen to the presentation (46 minutes) ››› WebEx
Download a PDF of the presentation (1.3 MB PDF) ››› PDF

There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember that not all vulnerabilities are created equal. We must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, nor does it indicate by whom or to what extent. Clearly, many vulnerabilities are very serious, leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms and viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.

Q1 2009 Key Findings

  • 82% of websites have had a HIGH, CRITICAL, or URGENT issue
  • 63% of websites currently have a HIGH, CRITICAL, or URGENT issue
  • 60% vulnerability resolution rate among the sample, with 7,157 unresolved issues (out of 17,888 historical vulnerabilities) remaining as of 3/31/09
  • Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution
  • Average number of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17
  • Average number of serious unresolved vulnerabilities per website: 7
  • Average number of inputs (attack surface) per website: 227
  • Average ratio of vulnerability count / number of inputs: 2.58%

December 2008 – 6th Edition – Website Security Statistics Report

Download a PDF of the report ››› PDF
Listen to the presentation (55 minutes) ››› WebEx
Download a PDF of the presentation (1.3 MB PDF) ››› PDF

August 2008 – 5th Edition – Website Security Statistics Report

Listen to the presentation (68 minutes) ››› WebEx
Download a PDF of the presentation (849 KB PDF) ››› PDF
Download a PDF of the report ››› PDF

March 2008 – 4th Edition – Website Security Statistics Report

Listen to the presentation (65 minutes) ››› WebEx
Download a PDF of the presentation (849 KB PDF) ››› PDF
Download a PDF of the report ››› PDF

October 2007 – 3rd Edition – Website Security Statistics Report

Download a PDF of the report ››› PDF

April 2007 – 2nd Edition – Website Security Statistics Report

Download a copy of the report PDF ›››

January 2007 – 1st Edition – Website Security Statistics Report

Download a copy of the report PDF ›››

Percentage likelihood of websites having at least one vulnerability (sorted by severity)

WhiteHat issues continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from industry thought leaders and influencers. Based on feedback already received, the latest report includes a comparison of vulnerability prevalence by severity, the top ten vulnerability classes sorted by percentage likelihood, and an outline of the types of technology typically encountered during WhiteHat vulnerability assessments, mapped to the associated vulnerability percentage breakdown.

2009 © Copyright  |  WhiteHat Security, Inc.  |  3003 Bunker Hill Lane, Santa Clara, CA 95054  |  408.343.8300  |  Contact the Webmaster