At Least One Critical Vulnerability in Nearly Every Website: Study

The astonishing claim was revealed in a recent report by WhiteHat Security, which covered statistics and data from over 30,000 websites. 86 % of all websites are said to have at least one serious vulnerability, and more often than not they contain more than one. The numbers are attributed to:

  • Insufficient transport layer protection, with a likelihood of 70 %.
  • Information leakage, with a likelihood of 56 %.

The inherent industry problem

While the wider industry is able to keep track of and identify these vulnerabilities, it falls short in its response: timely updates and remediation efforts are not done on time, according to Jeremiah Grossman, founder of WhiteHat.

“The breaches will continue,” Grossman said. “It is not just the number of vulnerabilities that causes that, but I think when we take a step back and look at things, we have not paid enough attention to making the process of fixing these vulnerabilities easier.”

The report, for example, shows that 50 % of healthcare and social assistance websites, 55 % of retail and trade websites and 35 % of healthcare websites are “always vulnerable”. This designation means that these websites are perpetually open to attack, with at least one serious vulnerability every single day of the year.

“We’ve gotten good at finding vulnerabilities and need to start shifting to the remediation side,” Grossman said. “Secure sites that are infrequently exposed are just fast and thorough about fixing [vulnerabilities].”

Report research

Among other surveys, the report included a study of general opinion on data breaches: who is to be held accountable for a breach of a website’s or an organization’s data and/or systems?

  • 56 % said that it was an inevitable consequence and shunned responsibility, saying no one was responsible or could be held accountable.
  • 29 % said the security department, responsible for shielding, strengthening and safeguarding an organization’s cybersecurity, is to be held accountable.
  • 26 % pointed to the software development team, presumably on the notion that the initial setup of the network infrastructure should be able to protect itself from data breaches and other malicious activity by hackers.

“Across the board accountability paired with the right tools and processes achieve the best outcomes,” Grossman added. “That’s going to be the direction where people need to look.”

Organizations that took accountability seriously had an average remediation rate of 33 %; those that did not dropped to just 24 %.

“This year’s report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users,” noted Grossman.