WhiteHat: Almost All Websites Have One Serious Coding Error


Website vulnerabilities are on the decline at businesses that are proactively hunting down coding errors, but new data released Thursday found that flaws persist, opening up holes that are consistently being targeted by attackers.

The report issued by Santa Clara, Calif.-based WhiteHat Security analyzed data from websites at more than 650 organizations that are monitored by the firm's Sentinel application security platform. The company said the average number of serious vulnerabilities detected by its scanning tool declined from 79 flaws in 2011 to 56 flaws in 2012.

The data provided by WhiteHat represents information gleaned from the most proactive organizations, said Jeremiah Grossman, founder and chief technology officer. Grossman, a recognized application security expert, told CRN that the bugs detected by code scanners are not difficult to fix, but the volume of errors found often overwhelms organizations.


Information leakage and cross-site scripting (XSS) errors persist, identified in 55 percent and 53 percent of websites, respectively. Content spoofing vulnerabilities, a favorite coding error used by phishing campaigns, were found in 33 percent of sites scanned by WhiteHat.

"Website hacks are occurring all the time," Grossman said. "We can reduce the number of both these issues, but it is difficult to reduce each class down to zero."

WhiteHat found that 86 percent of all websites it tested had at least one serious vulnerability. Website vulnerabilities increased in the IT and energy sectors, while government websites had the fewest serious vulnerabilities.

Web application vulnerabilities and website coding errors are a common way for attackers to gain an initial foothold into organizations. The 2013 Verizon Data Breach Investigations Report said it is impossible to make a "blanket statement" that Web application vulnerabilities are the most popular attack vector. Cybercriminals choose the easiest way in and the most effective way to bypass security technologies and avoid detection.

"What I have seen every year is that Web apps are responsible for the bulk of breaches themselves, if not for the vast majority of the stolen data as well," Grossman said. "A lot of breaches happen in places that are not necessarily Web-related, yet all the data loss happens right through the website."

Brute force attacks, in which an attacker attempts to gain access by using an automated tool to guess passwords in website login fields, increased 10 percent and were found in 26 percent of sites scanned. Brute force was a common attack vector of financially motivated cybercriminals, according to the Verizon data breach analysis.

SQL injection, which has long been a popular Web vulnerability among attackers, continued to decline. It fell off the top 10 list of most prevalent vulnerabilities and now ranks 14th, found in 7 percent of websites, WhiteHat said. The attack is a popular method with credit card thieves who conduct smash-and-grab-style website attacks on smaller e-commerce vendors, retailers and hotel and food franchises.

"The flaw is exploitable because there are automated tools to detect and exploit it, but the attacks are generating awareness of it and an interest in fixing them among our customer base," Grossman said.

PUBLISHED MAY 2, 2013