Even though software bugs such as Heartbleed and Shellshock exposed weaknesses in hundreds of thousands of company websites, many are still vulnerable to being hacked.
Data from a recent study by WhiteHat Security which examined the vulnerabilities of more than 30,000 websites showed the majority of organisations have some kind of weakness in their systems.
WhiteHat found that 86 per cent of all websites tested had at least one flaw considered serious enough to potentially allow a hacker to take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.
Some 56 per cent of websites had more than one of these vulnerabilities. Of the sectors WhiteHat studied, the report found 55 per cent of retail trade sites, 50 per cent of healthcare and social assistance sites, and 35 per cent of finance and insurance sites were always vulnerable to a serious breach.
Insufficient transport layer protection, a weakness in the mechanisms (such as TLS) that secure communications over a computer network, was the vulnerability most likely to be found on these websites.
Jeremiah Grossman, founder of WhiteHat Security, says: “This year’s report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users.”
The study showed remediation rates were low for the sites considered to be “always vulnerable” to web attacks. The remediation rates for healthcare, retail trade and finance were 20 per cent, 21 per cent and 27 per cent respectively.
According to WhiteHat, the best way to lower the average number of vulnerabilities, speed up time-to-fix, and increase remediation rates is to feed vulnerability results back to development through established bug-tracking or mitigation channels.
Firms that feed vulnerability results back to the development team had 40 per cent fewer vulnerabilities, fixed issues nearly a month faster, and had their remediation rates increase by 15 per cent.
The report explained this approach makes application security front-and-centre in a development group’s daily work activity and creates an effective process to solve problems. Grossman says: “From our research, what matters between the spectrum of those who are always vulnerable and rarely vulnerable is less about the programming languages, industry vertical, size of the organisation, and so on.
“What seems to matter more than anything else is organisations having a strong internal driver, and a culture of accountability for fixing identified vulnerabilities in a specific timeframe. The executive-level mandate creates an environment for the development groups to create effective remediation processes.”
Organisations that were compliance-driven in remediating vulnerabilities had the lowest average number of vulnerabilities, at around 12 per website, and the highest remediation rate, at 86 per cent.
WhiteHat also recommends that organisations create a metrics programme that tracks the areas they want to improve, and then identify the activities most likely to address those weaknesses, as a way to mitigate vulnerabilities.
WhiteHat also advises, however, that if there is no measurable benefit, companies should save time and energy and try something else. Grossman says: “The best approach is for organisations to identify specific security metrics they’d like to improve upon, and then strategically select activities most likely to make a positive impact.”
Source: Business Reporter