More than one-fifth (21 percent) of sites have known vulnerabilities, including Web server and PHP issues, according to Menlo Security's State of the Web March 2015 study that scanned 750,000 unique domains.
"The home page of each of the 750,000 domains in the Alexa 1 million [Alexa's top 1 million Websites] was visited once," Kowsik Guruswamy, CTO of Menlo Security, told eWEEK. "This was not an active scan against a single site to crawl the various pages; it was a single page load through a browser that also fetched all of the assets from CDNs [content delivery networks], iframes ad networks, etc."
Looking into the data, Guruswamy said that the breakdown of vulnerable software shows that 10 percent of scanned sites were running a vulnerable version of PHP, where "vulnerable" means the site was running any of the versions of PHP that show at least one outstanding vulnerability in the CVE database. PHP is an open-source language that is commonly deployed on Web server infrastructure and used by many content management systems (CMSes), including WordPress, Drupal and Joomla.
Vulnerable Web server software was also common, with 4 percent of sites running a vulnerable version of Apache HTTP and 4 percent running a vulnerable version of Microsoft Internet Information Services (IIS).
The risk of older unpatched software is an issue that other vendors have been pointing out in recent months. Hewlett-Packard's 2015 Cyber Risk report published on Feb. 23 found that 44 percent of breaches could be attributed to patched vulnerabilities that were between two and four years old.
In addition to the issue of unpatched software, Menlo Security found that 4 percent of the scanned sites were serving malware, while 1 percent were involved in phishing and botnet activity. Guruswamy said that his company made use of multiple third-party domain classification services, including Google Safe Search, Cyren, AlienVault and Malware Domain Blocklist, to identify if the sites were part of a botnet.
To scan the sites, Menlo Security built a custom tool to simulate the full-page browser load on each domain, according to Guruswamy. In addition, the company used its own technology to collect and report on the data.
As a company, Menlo Security is still in stealth mode and has not yet fully disclosed its product and technology offerings. In November 2014, the company announced that it had raised $10.5 million in a Series A funding round led by General Catalyst Partners that also involved the participation of Osage University Partners.
In a November interview, Amir Ben-Efraim, the company's co-founder and CEO, explained that the promise of Menlo Security is to bring security virtualization and cloud technology together with intelligent people to help solve the challenge of modern malware.
Since the company's funding announcement, Guruswamy said that Menlo Security has continued to develop its product and is already seeing traction with early customers.
"Menlo Security will emerge from stealth in Q2 2015," Guruswamy said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.