June 1, 2015 By Shane Schick 2 min read

Going online might just mean learning to live in fear, based on the results of a research study that showed website vulnerabilities in 86 percent of 30,000 properties that were analyzed.

The “2015 Website Security Statistics Report,” which was produced by California-based WhiteHat Security, went on to say that 56 percent of the online properties it studied actually contained multiple website vulnerabilities. Although 61 percent of the issues had already been resolved, WhiteHat suggested that many of them went neglected or unnoticed for months.

As CSO noted, there were some significant differences in the degree of website vulnerabilities based on industry sector. For example, public administration organizations were the No. 1 most vulnerable market, even though it could be argued they are likely to be dealing with extremely sensitive citizen information. Also, despite the awareness that followed major security breaches at Home Depot and Target, retail organizations ranked second-worst in the number of vulnerabilities. In follow-up interviews, WhiteHat determined that organizations focused on compliance with industry regulations tended to be safer than those who were more concerned with risk reduction.

Help Net Security, meanwhile, described the numbers from the report as a nasty surprise, given the wave of attacks that struck organizations throughout 2014 and the first half of this year. Although the scope of website vulnerabilities varied, one of the most frequently cited in the research was transport layer protection. For example, when data travels between or across a computer system, secure sockets layer (SSL) might be used during the authentication process but not in other parts of an application. That’s when cybercriminals can potentially harvest passwords or other personal information.

Experts told eWEEK that hackers are not giving up on the opportunity to make money off their victims, so patching the various website vulnerabilities is not necessarily the answer. What may be more important is how quickly organizations can fix their sites and, if necessary, notify any customers or visitors whose data may have been exposed. Although the study showed overall improvement in time to remediation, there was still a number of sectors that probably need to do better.

The IT industry often talks about best practices, or common ways organizations do something well, but in an interview with SC Magazine, WhiteHat Security said there aren’t any real best practices to minimize website vulnerabilities. The only thing the firm could suggest is to make sure those developing websites work hand-in-hand with computer security professionals, who can make as many fixes as possible along the way. It may not make the Web error-free, but it might make things a little safer when we’re surfing it.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today