Usual Suspects Top List of Website Vulnerabilities
A new report on Web site vulnerabilities claims 9 out of 10 sites have critical vulnerabilities, with 7 out of 10 vulnerable to Cross-Site Scripting (XSS). Other top vulnerabilities include information leaks, content spoofing, SQL injection, insufficient authentication and insufficient authorization. (See Web Developers Guide to Preventing Cross Site Scripting Attacks in the Web Security Digital Library for more on XSS, as well as articles on preventing SQL Injection and Web Portal security.)
There are a couple of unexpected findings, though.
The WhiteHat Website Security Statistics Report found that Cross-Site Request Forgery (CSRF) had not made it into the top 10 yet. Given that there are no well-established and effective techniques for dealing with it, it is a welcome surprise to see it is not a top problem yet. On the down side, the researchers expect the use of this vulnerability to grow; eWeek reports:
The company expects CSRF eventually to land in the No. 2 spot, right behind XSS.
The other surprising finding is that retail is a top performing vertical but, as the WhiteHat press release says, others are not doing so well:
Verticals not faring as well include Insurance, which tops the list with 84 percent of websites having vulnerabilities that fall into the urgent, critical or high severity ranking, followed closely by Information Technology at 72 percent, and Healthcare and Financial Services neck-and-neck at 64 and 60 percent respectively.
It's not clear what types of vulnerabilities are plaguing the healthcare and financial services verticals; information leaks would be the most troubling.