In the latest report on Website vulnerabilities by WhiteHat Security, researchers found 64 percent of Websites have at least one serious vulnerability. The most common flaw - cross-site scripting.
New research from WhiteHat
Security painted a bleak picture for Website security.
In its latest iteration of
its Website Security Statistics report, WhiteHat found 64 percent of the 1,364
sites the company analyzed have at least one serious
. But the news isn't all bad-according to the company, 17
percent of the sites have never had a serious vulnerability.
Of the verticals the
researchers studied, social networks had the highest percentage of Websites
with vulnerabilities classified as "urgent," "critical" or "high,"
coming in at 86 percent. Education Websites were a close second, with 83
percent having at least one vulnerability.
According to the company,
the Websites without any serious issues were nearly identical to those with
them in terms of their characteristics. To WhiteHat, this suggests the
difference between the ones that get compromised and the ones that don't has to
do with how proactively businesses identify and remediate
"It is extremely
interesting to see that all the Websites that are no longer vulnerable are so
similar characteristically in technology and site format to those that have
vulnerabilities," said Jeremiah Grossman, founder and chief technology officer
at WhiteHat Security, in a statement. "The big difference right now seems to be
that these organizations set an internal mandate to actively fix their flaws
and reduce the potential for damage to their Website, reputation and
According to the report,
it took an average of 67 days for site owners to fix a cross-site scripting
vulnerability, and more than 100 days to address session fixation.
"Once vulnerabilities are
identified, it does not necessarily mean they are fixed quickly, or ever," the
report states. "It is interesting to analyze the types and severity of the
vulnerabilities that do get fixed (or not) and in what volumes. Some
organizations target the easier issues first to demonstrate their progress by
vulnerability reduction. Others prioritize the high severity issues to reduce
overall risk. Still, resources and security interest are not infinite, so some
issues will remain unresolved for extended periods of time."