Companies are making progress in Web application security, patching throngs of website holes, according to the latest research being presented today by WhiteHat Inc.
The Web application vulnerabilities assessment firm has been analyzing vulnerability data over the last three years, collecting information almost weekly from more than 1,300 of its customer websites using its WhiteHat Sentinel scanning tool. WhiteHat found a 61% vulnerability resolution rate, a slight increase over previous reports it issued. Still, the firm said much work needs to be done. Currently, 64% of websites contain at least one serious vulnerability.
"We want to start answering the harder question of what works for companies resolving the most serious vulnerabilities quickly," said Jeremiah Grossman, a Web security researcher and founder and chief technology officer of WhiteHat.
For the first time, WhiteHat took a closer look at company websites that didn't have serious vulnerabilities. Those websites were nearly identical to those with serious flaws, but they started out with fewer issues and made progress repairing vulnerabilities quickly. The issue plaguing nearly all websites is cross-site scripting (XSS) vulnerabilities.
"These sites fix their vulnerabilities," Grossman said. "It comes down to business goals and businesses caring to take [secure software development] seriously; over time they're pushing just as much code, but they're pushing less vulnerabilities."
"SQL injection throws up helpful error messages for hackers," Grossman said. "If it regurgitates a database error message, then a hacker immediately knows there's a way in."
XSS errors are likely to be found in 66% of websites scanned by WhiteHat. Meanwhile, information leakage, in which a website reveals sensitive information such as developer comments, user information, internal IP addresses, source code, software version numbers and other error messages, occurs almost 50% of the time.
Websites that contain errors which lend themselves to content spoofing show up in 31% of scans. Content spoofing allows a hacker to set up phishing scams, forcing legitimate sites to redirect visitors to malicious content.
WhiteHat also found the "time-to-fix" gap increasing for some vulnerabilities, meaning much more work needs to be done to expedite the patching of serious flaws. XSS errors take about 67 days to repair, an increase of 9 days over WhiteHat's previous report. Content spoofing took 87 days to resolve, an increase of 16 days, and cross-site request forgery took 93 days to fix, an increase of 37 days.
A number of problems make it difficult to resolve vulnerabilities quickly: The coding may be old and no one within the organization has the ability to make repairs, or the code may belong to a third party. Compliance is also a major driver for fixing coding errors, Grossman said. If an error does not result in a compliance violation, flaws become less of a priority, he said.
Despite an effort by many organizations to highlight secure software development best practices, the vulnerability scans show developers continuing to produce shoddy code, Grossman said. Communication is a major issue, he said. IT security and development organizations must coordinate when it comes to dealing with website vulnerabilities to close the time-to-fix gap.
"Security pros have to coordinate with the development group when errors are found and that puts them in a compromised position, explaining software security problems to developers," he said. "While there's been a lot of chatter about secure coding, it hasn't permeated in the Web application area, which is still relatively new; it's going to take more time."