WhiteHat Security Releases Security Statistics Report

07.06.2016 02:30 pm
WhiteHat Security, the only application security provider that combines the best of technology and human intelligence, today announced the release of the eleventh annual Web Applications Security Statistics Report. Compiled using data collected from tens of thousands of websites, the report reveals that the majority of web applications exhibit, on average, two or more serious vulnerabilities per application for every industry at any given point in time.

The Report’s findings are based on the aggregated vulnerability scanning and remediation data from web applications that use the WhiteHat Sentinel service for application security testing. The research shows that no industry has mastered application security, and of the 12 industries analysed in this Report, the information technology (IT), education, and retail industries suffer the highest number of critical or high-risk vulnerabilities per web application, at 17, 15 and 13 respectively.

The findings also highlight that the IT and retail industries struggle to remediate in a timely manner. It takes approximately 250 days for IT and 205 days for retail businesses to fix their software vulnerabilities.

According to the “Window of Exposure” data in the Report, another key metric organisations need to pay attention to is the number of days an application has one or more serious vulnerabilities open during a given time period. Across all industries, a substantial number of web applications remain always vulnerable. A few key highlights:

• Information Technology (IT) -- 60 percent of web applications are always vulnerable.
• Retail -- half of all web applications are always vulnerable.
• Banking and Financial Services -- 40 and 41 percent of web applications are always vulnerable, respectively.
• Healthcare -- 47 percent of web applications are always vulnerable.

“We’ve observed that organisations have hundreds, if not thousands, of consumer-facing web applications, and each of these web apps has anywhere from five to 32 vulnerabilities,” said Tamir Hardof, Chief Marketing Officer, WhiteHat Security. “This means that there are thousands of vulnerabilities across the average organisation’s web applications. While this number is overwhelming, risk ratings can really help security teams prioritise which vulnerabilities they work on fixing first. Unfortunately, what this year’s report tells us once again is that organisations are not really relying on risk levels as a baseline to inform their application security strategies.”

Remediation rates

The report also captures data on vulnerabilities that are fixed once they are discovered. Generally, the more critical the vulnerability, the more complex it is to understand and remediate. For nine of the 12 industries analysed, remediation rates are below 50 percent. In IT, less than 25 percent of open vulnerabilities are remediated, and vulnerabilities in this industry have an average age of 875 days. The average time-to-fix for vulnerabilities varies by industry from approximately 15 weeks in the energy industry to 35 weeks in IT.
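The three metrics the release leans on (Window of Exposure, remediation rate and time-to-fix) are easy to misread without seeing how they are computed. The script below is an added example written for this page, not WhiteHat's own code or the methodology behind the Report; it assumes a simple record layout (open date, fix date or None, severity) and a constructed set of four findings for one application. Window of Exposure is counted as calendar days in the period on which at least one critical- or high-severity finding was open, merging overlapping findings so two simultaneous issues do not count twice; a still-open finding counts through the end of the period.

```python
from datetime import date, timedelta

# Constructed sample data for ONE web application; not figures from the report.
# "fixed" is None while the finding is still open.
VULNS = [
    {"id": "v1", "severity": "high",     "opened": date(2015, 1, 10), "fixed": date(2015, 2, 20)},
    {"id": "v2", "severity": "critical", "opened": date(2015, 2, 1),  "fixed": date(2015, 4, 15)},
    {"id": "v3", "severity": "medium",   "opened": date(2015, 3, 1),  "fixed": None},
    {"id": "v4", "severity": "high",     "opened": date(2015, 9, 1),  "fixed": None},
]

# Severities treated as "serious" for the exposure window (assumption).
SERIOUS = {"critical", "high"}


def window_of_exposure(vulns, start, end, serious=SERIOUS):
    """Number of days in [start, end] (inclusive) with >= 1 serious finding open."""
    intervals = []
    for v in vulns:
        if v["severity"] not in serious:
            continue
        # Clip the finding's open interval to the reporting period.
        open_from = max(v["opened"], start)
        open_to = min(v["fixed"] or end, end)  # still open -> exposed through period end
        if open_from <= open_to:
            intervals.append((open_from, open_to))

    # Merge overlapping or adjacent intervals so concurrent findings are not double counted.
    intervals.sort()
    merged = []
    for s, e in intervals:
        if merged and s <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).days + 1 for s, e in merged)


def always_vulnerable(vulns, start, end):
    """True when every day of the period had a serious finding open."""
    period_days = (end - start).days + 1
    return window_of_exposure(vulns, start, end) == period_days


def remediation_rate(vulns):
    """Share of discovered findings that have been fixed (0.0 - 1.0)."""
    if not vulns:
        return 0.0
    return sum(1 for v in vulns if v["fixed"] is not None) / len(vulns)


def average_time_to_fix(vulns):
    """Mean days from discovery to fix over fixed findings; None if nothing is fixed."""
    durations = [(v["fixed"] - v["opened"]).days for v in vulns if v["fixed"] is not None]
    return sum(durations) / len(durations) if durations else None


def average_age_of_open(vulns, as_of):
    """Mean age in days of findings still open on the given date; None if none are open."""
    ages = [(as_of - v["opened"]).days for v in vulns if v["fixed"] is None]
    return sum(ages) / len(ages) if ages else None


if __name__ == "__main__":
    start, end = date(2015, 1, 1), date(2015, 12, 31)
    print("window of exposure (days):", window_of_exposure(VULNS, start, end))
    print("always vulnerable in 2015:", always_vulnerable(VULNS, start, end))
    print("remediation rate:", remediation_rate(VULNS))
    print("average time-to-fix (days):", average_time_to_fix(VULNS))
    print("average age of open findings (days):", average_age_of_open(VULNS, end))
```

Run on the sample, the application is exposed for 218 of 365 days in 2015 (not "always vulnerable"), but it is always vulnerable across February and March, when v1 and v2 overlap. The remediation rate of 50 percent says nothing about the 305- and 121-day-old findings still open at year end, which is why the release reports average age of open vulnerabilities separately.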

Key trends from 2013 – 2015 include:

• Remediation rates declined significantly in IT, which saw a drop from 46 percent to 24 percent, and in banking, which dropped from 52 percent to 42 percent.
• Financial services and retail saw modest increases in their remediation rates, from 41 percent to 48 percent for financial services, and from 42 percent to 48 percent for retail.
• The greatest improvement was in the food & beverage industry, where remediation rates quadrupled, from 17 percent to 62 percent.
• In manufacturing, rates almost doubled from 34 percent to 66 percent, while healthcare and insurance increased from 26 percent to 42 percent, and 26 percent to 44 percent, respectively.

“Since 2013, the average time to fix vulnerabilities has trended upward overall, but we’ve seen some great successes with customers who have embedded security into the software development process,” said Ryan O’Leary, Vice President, Threat Research Center and Technical Support, WhiteHat Security. “Discovering vulnerabilities in development is key to reducing vulnerabilities when the application is staged. Introducing source scanning, or SAST, has the potential to eliminate 80-90% of well-known vulnerabilities. We look forward to seeing how this report will evolve as security and development teams work together more closely around shared security and risk management goals.”

WhiteHat Security can be found in stand B47 at the Infosecurity Europe show, taking place from today through June 9th. Ryan O’Leary will be speaking about the new Stats Report during his talk, Ten Years On: Lessons From A Decade of Website Security Statistics, Thursday, June 9 at 13:20.
