Educational institutions and social networks are the worst when it comes to leaving their Web sites exposed to known vulnerabilities, with health care and banks doing the best, according to a study by WhiteHat Security.
According to its 11th annual Web Site Security Statistics Report, 71% of schools have unpatched software vulnerabilities on their Web servers all the time, while 58% of social networking sites always have such vulnerabilities. By contrast, 14% of health care organizations and 16% of banks have unpatched vulnerabilities all the time. The average for all business sectors was 44%.
Banks also fared well on the share of sites that were vulnerable for fewer than 30 days per year, at 51%. Financial services was No. 2 with 22%, the report says. The average was 16%.
WhiteHat's data was drawn from 400 businesses that outsource Web site vulnerability management to the firm.
Banks did well in the overall number of vulnerabilities they had during the year, with an average of 30. The average for all business sectors was 230. Retail stores faced the highest number of vulnerabilities with 404, WhiteHat says.
"While no industry approached anywhere near zero for an annual average, banking, health care and manufacturing performed the best out of all the industries with 30, 33 and 35 serious vulnerabilities respectively per Web site during 2010 for a rough average of 2.5 or so vulnerabilities per month," the WhiteHat report says. "On the opposite end of the spectrum, Retail, Financial Services and Telecommunications, whose Web sites had the most reported issues, measured 404, 266 and 215 serious vulnerabilities per site -- or between 18 and 34 per month."
Simply being exposed doesn't accurately indicate the likelihood that a site will suffer an attack, the report says. Some types of vulnerabilities appear more often than others. For example, the chance that an information leakage or a cross-site scripting vulnerability shows up on a given Web site is 64% for each; content spoofing is No. 3 at 43%, the report says.
The other seven vulnerabilities in the top 10, in order, are cross-site request forgery, brute force, insufficient authorization, predictable resource location, SQL injection, session fixation and abuse of functionality, WhiteHat says.
The time it takes to fix vulnerabilities once they are identified is a key measure of site security, WhiteHat says. Banking does best there, with half of its vulnerabilities remediated within 13 days. Telecommunications sites are the worst: it takes 205 days to remediate half of their Web site vulnerabilities, the report says. The average across all businesses is 116 days.
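To make the report's two headline metrics concrete, here is an added example (not code from WhiteHat or the article) that computes a site's window of exposure (days in the year with at least one open finding, bucketed the way the report does) and the median time-to-fix from a constructed findings list; the vulnerability classes, dates and bucket names are assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample findings for one hypothetical site: (class, discovered, remediated or None).
FINDINGS = [
    ("xss", date(2010, 1, 10), date(2010, 1, 25)),
    ("xss", date(2010, 3, 1), date(2010, 3, 8)),
    ("sqli", date(2010, 2, 1), date(2010, 6, 1)),
    ("info_leak", date(2010, 5, 15), None),   # still open at year end
    ("csrf", date(2010, 7, 1), date(2010, 7, 3)),
]

YEAR_START, YEAR_END = date(2010, 1, 1), date(2011, 1, 1)


def exposure_days(findings, start=YEAR_START, end=YEAR_END):
    """Days within [start, end) on which at least one finding was open (overlaps merged)."""
    intervals = []
    for _, opened, closed in findings:
        lo, hi = max(opened, start), min(closed or end, end)
        if lo < hi:
            intervals.append((lo, hi))
    intervals.sort()
    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in intervals:
        if cur_hi is None or lo > cur_hi:          # gap: flush the merged run so far
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:                                      # overlap: extend the current run
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total


def exposure_bucket(days, year_days=365):
    """Bucket names are assumed; they mirror the report's 'always' and '<30 days' categories."""
    if days >= year_days:
        return "always"
    return "under 30 days" if days < 30 else "between"


def time_to_fix(findings):
    """Median days from discovery to remediation, overall and per class (open findings excluded)."""
    durations = [(cls, (closed - opened).days) for cls, opened, closed in findings if closed]
    per_class = {}
    for cls, days in durations:
        per_class.setdefault(cls, []).append(days)
    return median(d for _, d in durations), {c: median(d) for c, d in per_class.items()}
```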
"From a risk management perspective, if the organization is a target of opportunity, perhaps a goal of being at or above average is good enough," the report says. "If, however, the organization is a target of choice, either ASAP or being among the fastest is more appropriate."