WhiteHat Report Finds Web Site Security Vulnerabilities Persist

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

WhiteHat Security’s latest report on Web site vulnerabilities has found the Internet in slightly better shape-emphasis on slightly.

In the fifth installment of the “WhiteHat Website Security Statistics Report,” the company has found that 82 percent of the 687 Web sites assessed by the company have had at least one security issue since WhiteHat began assessing them, a drop-off from the previous report released in March. In the March report, the proportion was nine out of 10 sites.

In addition, 66 percent of all vulnerabilities identified have been remediated. On the other hand, the latest report counted 72 percent of the Web sites as having critical flaws, virtually identical to the 70 percent found with critical vulnerabilities in the March report. The vulnerabilities were rated using the PCI DSS (Payment Card Industry Data Security Standard) severity system as a baseline.

While the company reported that overall vulnerability counts have started to decline, the most common vulnerabilities listed in the report will seem familiar to those who follow Web security. The most commonly cited one is cross-site scripting, which was found in seven out of 10 Web sites. Next were information leakage issues-found in two out of five sites-and content spoofing, which was found in one out of five.

A new entry to the top 10 was cross-site request forgery, which allows an attacker to force a victim’s browser to make an authorized Web request. Since the forged request appears to be coming from the legitimate user, the Web site will accept it as being the intent of that user.

Now for some practical advice-enterprises should prioritize fixing Web site vulnerabilities according to the site’s value to the business. WhiteHat CTO Jeremiah Grossman also recommended that developers practice input validation and output filtering properly. In addition, all database queries should be parameterized to protect against SQL injection, he told eWEEK.