Based on an assessment of more than 7,000 websites, the WhiteHat Security report concluded that there has been a significant reduction in the number of serious vulnerabilities in websites.
WhiteHat defines a serious vulnerability as one with a high, critical, or urgent severity as defined by the Payment Card Industry Data Security Standard's naming conventions. Exploitation could lead to server breach, user account takeover, data loss, or compliance failure.
The annual average number of serious bugs discovered per website has declined steadily over the last five years: 1,111 in 2007, 795 in 2008, 480 in 2009, 230 in 2010, and 79 in 2011.
At the same time, cross-site scripting has reclaimed its title as the most prevalent website bug, identified in 55% of websites.
The WhiteHat report judged that web application firewalls could have mitigated the risk of at least 71% of all custom web application vulnerabilities identified.
Banking websites had the fewest serious vulnerabilities, only 17 per site; this compares with retail websites, which had 121 per site.
Serious vulnerabilities were fixed in an average of 38 days, a significant improvement over the 116 days it took during 2010. The overall percentage of serious vulnerabilities that were fixed was 63%, up from 53% in 2010 and a marked improvement from 2007, when it was just 35%, according to the report.
WhiteHat found that the higher a vulnerability's severity, the higher the likelihood that the vulnerability would reopen after being fixed: urgent 23%, critical 22%, and high 15%.
The average number of days a website was exposed to at least one serious vulnerability improved slightly to 231 days in 2011, from 233 days in 2010, the report said.