More Than Half of Health, Retail Sites Always Vulnerable

Fifty-five percent of all retail sites and half of all health care sites were vulnerable every day in 2014, according to a report by WhiteHat Security.


Retailers and health care companies continue to be vulnerable to attack through exploitable flaws in their Web applications, according to a report released on May 21 by Web security firm WhiteHat Security.

The analysis of data collected from vulnerability scans of the Web applications created by 118 companies found that more than 55 percent of retailers and 50 percent of health care firms had applications that were always vulnerable, having at least one serious vulnerability remaining unpatched in a Web application every day of 2014. Only 16 percent of retailers and 18 percent of health care firms were rarely vulnerable, where a Web application was vulnerable for less than 30 days during the year, the report stated.

About a third of finance companies had a year-round window of vulnerability as well, Jeremiah Grossman, founder of WhiteHat, told eWEEK.

"These are things that you really need to fix," he said. "The things that could make your company headline news."

Web application flaws continue to be a major source of vulnerability for companies. In 2014, more than 70 percent of Web applications failed to adequately secure communications to the browser, the WhiteHat report stated. Other common vulnerabilities included information leakage, which impacted 56 percent of applications tested, and cross-site scripting, which impacted 47 percent of applications tested.

Last year, both retailers and health care firms had to deal with significant data breaches. In August, clinic network Community Health Systems said that information on 4.5 million patients had been stolen from its systems. A month later, home improvement chain Home Depot acknowledged that information on more than 56 million credit- and debit-card accounts had been stolen from the retailer's network.

With some Web applications always containing at least one serious vulnerability, attackers will continue to be successful, Grossman said.

"The breaches will continue," he said. "It is not just the number of vulnerabilities that causes that, but I think when we take a step back and look at things, we have not paid enough attention to making the process of fixing these vulnerabilities easier."

Overall, 35 percent of companies are looking beyond just meeting compliance mandates and aim to actively reduce their risk, the study found. Last year, complying with regulations was the top concern for companies.

While the trend is a positive one for security, improving the security of Web applications is a difficult task with few hard and fast rules, according to Grossman. There are no simple best practices, and companies focused on different security measures should formulate different strategies, he said.

For example, companies focused on complying with regulations had the lowest average number of vulnerabilities, 12 per Website, and remediated 86 percent of vulnerabilities, while those focused on risk had an average of 23 vulnerabilities per Website and a low remediation rate of 18 percent. The likely explanation is that a focus on risk can tolerate the existence of lower-risk vulnerabilities, while a compliance focus requires any discovered vulnerability to be fixed, according to the report. The time required to fix vulnerabilities showed that risk-focused companies fixed flaws faster, in 115 days on average, compared with 158 days for companies focused on compliance.

"The best advice we can give is for an organization to create a metrics program that tracks the area that they want to improve upon, and then identify activities that'll most likely move the needle," the report stated.

Organizations that used vulnerability feeds to inform their developers had the best metrics overall, with 45 percent fewer vulnerabilities, a month shorter time to fix issues and remediation rates 13 points higher than the average firm, WhiteHat said.
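The metrics the report is built on, window of exposure, time to fix and remediation rate, are straightforward to compute from a finding tracker. The following is an added example, not WhiteHat's code or data: the per-site finding dates are constructed, and the "always" (vulnerable every day of the year) and "rarely" (under 30 days) bands are the two the article quotes, with everything between them labelled "other".

```python
from datetime import date, timedelta
from statistics import mean

YEAR_START, YEAR_END = date(2014, 1, 1), date(2014, 12, 31)

# Constructed sample data (not WhiteHat's): per site, (opened, closed) dates
# of serious findings; closed=None means the finding was never remediated.
SITES = {
    "retail-a":  [(date(2013, 11, 1), None)],
    "health-b":  [(date(2014, 3, 1), date(2014, 3, 15)),
                  (date(2014, 6, 10), date(2014, 6, 20))],
    "finance-c": [(date(2014, 1, 10), date(2014, 5, 1)),
                  (date(2014, 4, 1), date(2014, 9, 15)),
                  (date(2014, 11, 1), None)],
}

def exposed_days(vulns, start=YEAR_START, end=YEAR_END):
    """Window of exposure: days in [start, end] with at least one finding open.
    A finding counts on days opened <= d < closed; using a set of dates means
    overlapping findings are not double counted."""
    days = set()
    for opened, closed in vulns:
        lo = max(opened, start)
        hi = end if closed is None else min(closed - timedelta(days=1), end)
        d = lo
        while d <= hi:
            days.add(d)
            d += timedelta(days=1)
    return len(days)

def exposure_class(days, start=YEAR_START, end=YEAR_END):
    """'always' = vulnerable every day of the period, 'rarely' = under 30 days
    (the two bands quoted in the article); anything else is 'other'."""
    period = (end - start).days + 1
    if days >= period:
        return "always"
    return "rarely" if days < 30 else "other"

def remediation_rate(vulns):
    """Share of findings that were closed."""
    return sum(1 for _, closed in vulns if closed) / len(vulns)

def avg_time_to_fix(vulns):
    """Mean days from open to close over remediated findings, None if none fixed."""
    fixed = [(closed - opened).days for opened, closed in vulns if closed]
    return mean(fixed) if fixed else None

if __name__ == "__main__":
    for name, vulns in SITES.items():
        d = exposed_days(vulns)
        print(name, d, exposure_class(d), remediation_rate(vulns), avg_time_to_fix(vulns))
```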

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...