
Wed Aug 27, 2008 9:00am EDT

WhiteHat Security Fifth Quarterly Website Security Statistics Report Unveils
New Trends Amid Increased Attacks
Sixty-one Percent of Websites Have Issues of High, Critical or Urgent
Severity; Cross-Site Request Forgery Takes Place in Top Ten

SANTA CLARA, Calif., Aug. 27 /PRNewswire/ -- WhiteHat Security, the
leading provider of SaaS-based website security solutions, today released the
fifth installment of the WhiteHat Website Security Statistics Report,
providing a one-of-a-kind perspective on the state of website security and the
issues that organizations must address to avert attack.  WhiteHat has been
publishing the report, which highlights the top ten vulnerabilities, vertical
market trends and new attack vectors, since 2006.  During that time, the
industry has seen the Web-layer rise to be the number one target for malicious
online attacks, with website hacking evolving from exploration and
experimentation, to exploitation and monetization.  In addition to the regular
roster of vulnerabilities that repeatedly make the top ten list, Cross-Site
Request Forgery (CSRF) has joined the mix in Q2 of 2008.  On a positive note,
66 percent of all vulnerabilities identified have been remediated,
underscoring the value of a consistent website vulnerability management
program.
    The WhiteHat report presents a statistical picture of current website
vulnerabilities, accompanied by WhiteHat expert analysis and recommendations.
WhiteHat's report is the only one in the industry to focus solely on unknown
vulnerabilities in custom Web applications, code unique to an organization,
within real-world websites.
    In this latest edition, WhiteHat finds 82 percent of websites have had at
least one security issue, with 61 percent still having issues of high,
critical or urgent severity.  Overall vulnerability counts are beginning to
decline; however, the likelihood of websites having at least one issue of
significant severity has remained constant when compared to previous reports.
As a baseline, WhiteHat used the Payment Card Industry Data Security Standard
(PCI-DSS) severity rankings (Urgent, Critical, High, Medium, Low) to rate
vulnerability severity by the potential business impact if the issue were to
be exploited.  According to PCI-DSS, any website with urgent, critical or high
severity issues cannot be considered compliant.
    Within this fifth report, the top ten list saw notable changes.  Most
noticeably, CSRF cracked the top ten, replacing Directory Indexing; WhiteHat
asserts that CSRF is present in approximately three-quarters of the world's
websites.  The top ten list also indicates that companies are remediating SQL
Injection, Cross-Site Scripting (XSS) and HTTP Response Splitting issues en
masse, although achieving 100 percent effectiveness has proved difficult.
Business Logic Flaws have remained steady in the top ten, including
Insufficient Authorization, Insufficient Authentication, Abuse of
Functionality and Content Spoofing -- all issues that can be devastating if
exploited.  While not the most voluminous in raw numbers, Business Logic Flaws
are still highly prevalent across websites and can lead directly to business
loss through non-sophisticated attacks.
    New to this edition of the report, WhiteHat analyzed which website
security issues are being addressed as well as how quickly remediation is
occurring.  For this portion of the report, WhiteHat focused on
vulnerabilities identified and resolved between July 31, 2007 and July 31,
2008 and sorted the data by most common urgent, critical and high severity
issues.  Among urgent severity vulnerabilities, HTTP Response Splitting took
the longest to remediate, at an average of 93 days, while Information Leakage
was quickest at 26 days.  Additionally, HTTP Response Splitting topped the
chart for remediation, with 83 percent resolved, whereas only eight percent of
the Brute Force attack class were resolved.  As could be expected, the overall
time-to-fix measurements left room for improvement; however, significant
headway has been made since the last report.
    "Our fifth report highlights many angles of the constantly-evolving
website security landscape," said Jeremiah Grossman, founder and chief
technology officer at WhiteHat Security.  "With malicious Web attacks
continuing to become more and more financially motivated, it is crucial that
companies take appropriate action to secure their websites.  We hope
enterprises find this report a useful tool for timely information about the
latest attack trends, how websites can be best defended as well as visibility
into the vulnerability lifecycle."
    The report statistics were gathered through the deployment of WhiteHat
Sentinel, a SaaS-based website vulnerability management solution that
integrates the precision of advanced vulnerability assessment technology with
the expertise of top-flight security engineers to ensure total, worry-free
website security.  With more than 600 sites under management, including many
of the Fortune 500, WhiteHat has access to an unparalleled amount of website
security data, allowing the company to accurately identify which issues are
the most prevalent.  WhiteHat Security uses the Web Application Security
Consortium (WASC) Threat Classification as a baseline for classifying
vulnerabilities and the Payment Card Industry Data Security Standard (PCI-DSS)
severity system to rate vulnerability severity.
    WhiteHat plans to issue continued installments of the Website Security
Statistics Report on a quarterly basis.  To ensure the report remains useful
and relevant, WhiteHat incorporates feedback and ideas from leading industry
thought leaders and influencers.  Based on feedback already received, the
latest report includes: comparing vulnerability prevalence by severity, top
ten vulnerability classes sorted by percentage likelihood and an outline of
the types of technology typically encountered during WhiteHat vulnerability
assessments mapped with the associated vulnerability percentage breakdown.
WhiteHat will be hosting a webinar to reveal more of the report findings on
Wednesday, August 27, 2008 at 11:00 a.m. PT / 2:00 p.m. ET.  For more
information visit WhiteHat's site at www.whitehatsec.com and see the upcoming
events section.  You can also register at
https://whitehatsec.market2lead.com/go/whitehatsec/stats0827.  A full copy of
the WhiteHat Website Security Statistics Report can be downloaded at
https://whitehatsec.market2lead.com/go/whitehatsec/WPstats0808.
    About WhiteHat Security, Inc.
    Headquartered in Santa Clara, California, WhiteHat Security is the leading
provider of SaaS-based website security solutions. WhiteHat delivers turnkey
solutions that enable companies to secure valuable customer data, comply with
industry standards and maintain brand integrity. WhiteHat Sentinel, the
company's flagship service, is the only solution that incorporates expert
analysis and industry-leading technology to provide unparalleled coverage to
protect critical data from attacks. For more information about WhiteHat
Security, please visit our website, www.whitehatsec.com.
SOURCE  WhiteHat Security, Inc.

Dawn van Hoegaerden, WhiteHat Security, +1-408-343-8300, dawn@whitehatsec.com;
Rachel Miller, SHIFT Communications, +1-617-779-1856, whitehat@shiftcomm.com,
for WhiteHat Security, Inc.