    More Than Half of Health, Retail Sites Always Vulnerable

    By
    Robert Lemos
    -
    May 22, 2015

      Retailers and health care companies continue to be vulnerable to attack through exploitable flaws in their Web applications, according to a report released on May 21 by Web security firm WhiteHat Security.

      The analysis of data collected from vulnerability scans of the Web applications created by 118 companies found that more than 55 percent of retailers and 50 percent of health care firms had applications that were always vulnerable, having at least one serious vulnerability remaining unpatched in a Web application every day of 2014. Only 16 percent of retailers and 18 percent of health care firms were rarely vulnerable, where a Web application was vulnerable for less than 30 days during the year, the report stated.

      About a third of finance companies had a year-round window of vulnerability as well, Jeremiah Grossman, founder of WhiteHat, told eWEEK.

      “These are things that you really need to fix,” he said. “The things that could make your company headline news.”

      Web application flaws continue to be a major source of exposure for companies. In 2014, more than 70 percent of Web applications failed to adequately secure communications to the browser, the WhiteHat report stated. Other common vulnerabilities included information leakage, found in 56 percent of applications tested, and cross-site scripting, found in 47 percent of applications tested.

      Last year, both retailers and health care firms had to deal with significant data breaches. In August, clinic network Community Health Systems said that information on 4.5 million patients had been stolen from its systems. A month later, home improvement chain Home Depot acknowledged that information on more than 56 million credit- and debit-card accounts had been stolen from the retailer’s network.

      With some Web applications always containing at least one serious vulnerability, attackers will continue to be successful, Grossman said.

      “The breaches will continue,” he said. “It is not just the number of vulnerabilities that causes that, but I think when we take a step back and look at things, we have not paid enough attention to making the process of fixing these vulnerabilities easier.”

      Overall, 35 percent of companies are looking beyond just meeting compliance mandates and aim to actively reduce their risk, the study found. Last year, complying with regulations was the top concern for companies.

      While the trend is a positive one for security, improving the security of Web applications is a difficult task with few hard and fast rules, according to Grossman. There are no simple best practices, and companies with different security goals should formulate different strategies, he said.

      For example, companies focused on complying with regulations had the lowest average number of vulnerabilities, 12 per Website, and remediated 86 percent of them, while companies focused on risk had an average of 23 vulnerabilities per Website and a remediation rate of only 18 percent. The likely explanation is that a risk focus tolerates leaving lower-risk vulnerabilities open, while a compliance focus requires every discovered vulnerability to be fixed, according to the report. Time-to-fix figures showed that risk-focused companies fixed the flaws they did address faster, in 115 days on average, compared with 158 days for compliance-focused companies.

      “The best advice we can give is for an organization to create a metrics program that tracks the area that they want to improve upon, and then identify activities that’ll most likely move the needle,” the report stated.

      Organizations that fed vulnerability findings directly to their developers had the best metrics overall, with 45 percent fewer vulnerabilities, a time to fix about a month shorter, and remediation rates 13 percentage points higher than the average firm, WhiteHat said.
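      The metrics the article reports, the always-vulnerable and rarely-vulnerable windows of exposure, the per-site vulnerability count, the remediation rate and the average time to fix, are straightforward to compute from a scanner's findings once each finding carries an open date and a close date. The script below is an added example written for this page, not code from WhiteHat or from the report; the three applications, their findings and the "intermediate" label for sites that fall between "always" and "rarely" are constructed here, and it assumes a finding counts as open from the day it was reported up to, but not including, the day it was verified fixed.

```python
"""Window-of-exposure and remediation metrics over constructed findings,
following the category definitions the article quotes from the report."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    app: str
    serious: bool                  # only serious findings count toward exposure
    opened: date                   # day the scanner first reported it
    closed: Optional[date] = None  # day it was verified fixed; None = still open


def days_in_year(year: int) -> int:
    return date(year, 12, 31).toordinal() - date(year, 1, 1).toordinal() + 1


def exposed_days(findings: List[Finding], app: str, year: int) -> int:
    """Days in `year` on which `app` had at least one serious finding open.

    Days are collected in a set, so overlapping findings are unioned rather
    than double counted, and findings that straddle the year boundary are
    clipped to the year.
    """
    first = date(year, 1, 1).toordinal()
    last = date(year, 12, 31).toordinal()
    exposed = set()
    for f in findings:
        if f.app != app or not f.serious:
            continue
        lo = max(f.opened.toordinal(), first)
        hi = min(f.closed.toordinal() - 1 if f.closed else last, last)
        exposed.update(range(lo, hi + 1))  # empty range if lo > hi
    return len(exposed)


def exposure_class(days: int, year: int) -> str:
    """'always' (open every day of the year) and 'rarely' (fewer than 30 days)
    are the definitions the article gives; 'intermediate' is this example's
    own label for everything in between (assumption)."""
    if days >= days_in_year(year):
        return "always"
    if days < 30:
        return "rarely"
    return "intermediate"


def remediation_rate(findings: List[Finding], app: str) -> float:
    """Share of the app's findings (any severity) that have been closed."""
    mine = [f for f in findings if f.app == app]
    if not mine:
        return 0.0
    return sum(1 for f in mine if f.closed) / len(mine)


def mean_time_to_fix(findings: List[Finding], app: str) -> Optional[float]:
    """Average days from open to close over the app's closed findings."""
    durations = [(f.closed - f.opened).days
                 for f in findings if f.app == app and f.closed]
    return sum(durations) / len(durations) if durations else None


def report(findings: List[Finding], year: int) -> Dict[str, dict]:
    """Per-application metrics of the kind a tracking program would chart."""
    out = {}
    for app in sorted({f.app for f in findings}):
        days = exposed_days(findings, app, year)
        out[app] = {
            "findings": sum(1 for f in findings if f.app == app),
            "exposed_days": days,
            "exposure": exposure_class(days, year),
            "remediation_rate": remediation_rate(findings, app),
            "mean_days_to_fix": mean_time_to_fix(findings, app),
        }
    return out


# Constructed sample: three hypothetical applications scanned through 2014.
SAMPLE = [
    # retail site: one serious flaw found in late 2013 and never fixed
    Finding("shop", True, date(2013, 11, 1)),
    # clinic portal: two short-lived serious flaws plus one low one left open
    Finding("clinic", True, date(2014, 3, 1), date(2014, 3, 15)),
    Finding("clinic", True, date(2014, 6, 10), date(2014, 6, 20)),
    Finding("clinic", False, date(2014, 1, 1)),
    # bank: two overlapping serious flaws, both eventually fixed
    Finding("bank", True, date(2014, 1, 15), date(2014, 9, 1)),
    Finding("bank", True, date(2014, 5, 1), date(2014, 10, 1)),
]

if __name__ == "__main__":
    for app, metrics in report(SAMPLE, 2014).items():
        print(app, metrics)
```

      On the sample data the retail site comes out "always" vulnerable (365 exposed days from a single unfixed flaw), the clinic "rarely" (24 days) despite a low-severity finding left open all year, and the bank "intermediate" (259 days, because the two overlapping flaws are unioned rather than summed). The same split the article describes between compliance-focused and risk-focused firms shows up here: the clinic has the lower remediation rate but the shorter time to fix.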

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.