While web security used to be a reactionary afterthought, it has evolved to become a necessity for organizations that wish to conduct online business safely. Companies have switched from playing defense to playing offense in a game that is still difficult to win. In an effort to change the game, WhiteHat Security has been publishing its Website Security Statistics Report since 2006 in the hope of helping organizations improve web security before they become victim to an attack.
After several editions, this is by far the most data rich, educational, insightful and useful application security report I have ever read. I may be biased, but I believe this report is unique: something special and different that is an essential read for application security professionals. In creating this report, I have learned more about what works and what doesn’t work than I have learned doing anything else in my many years of working in application security. I am extremely confident that our readers will appreciate what we have created for them.
In this year’s report, we examine the activities of real-world application security programs along with the most prevalent vulnerabilities based on data collected from more than 30,000 websites under WhiteHat Sentinel management. From there, we can then determine how many vulnerabilities get fixed, the average time it takes to fix them, and how every application security program can measurably improve. Our research provides insights into how organizations can better determine which security metric to improve upon.
We’ve learned that vulnerabilities are plentiful, that they stay open for weeks or months, and that typically only half get fixed. We have become adept at finding vulnerabilities. The next phase is to improve the remediation process. In order to keep up with the increase in vulnerabilities, we need to make the remediation process faster and easier. The amount of time companies are vulnerable to web attacks is much too long – an average of 193 days from the first notification. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.
The best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This places application security at the forefront of development and minimizes the need for remediation further down the road. The goal is more secure software, not more security software.
For security to improve, organizations need to set aside the idea of ‘best practices’ and not stop at compliance controls. Multiple parts of the organization must determine which teams should be held accountable for their specific job function. Organizations that don’t hold specific teams accountable have an average remediation rate of 24% versus 33% for companies that do. When you empower those who are also accountable, the organization has a higher likelihood of being effective.
In this year’s edition, the WhiteHat Website Security Statistics Report drives home the point that we now have a very clear understanding of what vulnerabilities are out there. Based on that information, we must create a solid, measurable remediation program to remove those vulnerabilities and increase the safety and security of the web.
To view the full report, click here. I would also invite you to join the conversation on Twitter at #WHStats @whitehatsec.