An examination of thousands of websites across a dozen industries has found a major reduction in the number of serious vulnerabilities exposing the properties to hackers.
The average number of serious vulnerabilities found in 2011 on the 7,000 websites monitored by WhiteHat Security fell 66 percent to 79 from 230 in 2010, according to the vendor's annual report, released Wednesday.
The number of serious vulnerabilities per site has been falling steadily since 2007, when the average was 1,111.
The falling rate shows website managers are more focused on plugging holes. "Awareness is building and people are getting better in the fixing [of vulnerabilities]," Jeremiah Grossman, founder and chief technology officer of WhiteHat, said. "Web security is definitely getting more important, because the bad guys are showing that they're perfectly capable and willing to hack Web sites that aren't doing the best that they can."
Hackers are increasingly launching targeted attacks against weak websites, as opposed to automated attacks against tens of thousands of sites at once. The rising danger of a targeted attack is making companies more vigilant, Grossman said.
High-profile hacks against large corporations like AT&T, Sony, and Citigroup have also hammered home the need for better site security. In addition, vendors are supplying chief security officers with better technology for finding vulnerabilities.
"There's been this growing awareness of website vulnerabilities and tools for detecting them that has raised the awareness of what can and should be done to secure websites," Scott Crawford, managing research director of Enterprise Management Associates, said. "That's been the rising tide that has lifted all boats in terms of this general increased knowledge of common Web site exposures."
The study, which examined the sites of 500 organizations ranging from nonprofits to Fortune 500 companies, found that the time it took to fix flaws on sites fell to an average of 38 days last year, from 116 days in 2010.
The industries that fixed flaws the fastest were energy, four days; manufacturing, 17 days; and retail, 27 days. The slowest industries were nonprofits, 94 days; financial services, 80 days; and telecommunications, 50 days. Banking sites had the fewest days (185) in which they were exposed to at least one serious vulnerability, while nonprofit sites were exposed the most (320 days).
Overall, retail sites continued to have the most security issues, with an average of 121 vulnerabilities identified per site in 2011.
WhiteHat found that the higher the severity of the vulnerability, the more likely it would be reopened in the future. The company rated serious vulnerabilities as high, critical and urgent, and found that the percentages reopened after a fix were 23 percent, 22 percent and 15 percent, respectively.
There are many reasons why such mistakes are made, Grossman said. For example, patches sometimes get overwritten with software updates or a software configuration change can damage a fix. "This is a very complicated and murky area," he said.
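The three figures the report leans on (average time to fix, the number of days a site was exposed to at least one serious vulnerability, and the share of fixed findings that were later reopened) are straightforward to compute from a site's own vulnerability records, and tracking them internally is how a team would check whether its fixes actually hold. The following is an added example, not WhiteHat's methodology or code: it assumes one record per finding with an open date, a close date (or none if still open) and a reopened flag, and the sample findings and severity names are constructed for illustration. Note that the exposure window merges overlapping findings so a day with several open vulnerabilities counts only once.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, List, Dict
from collections import defaultdict


@dataclass
class Finding:
    """One vulnerability record for a site (hypothetical schema)."""
    severity: str            # one of the report's serious tiers: "high", "critical", "urgent"
    opened: date             # date the finding was first reported
    closed: Optional[date]   # date the fix was verified; None if still open
    reopened: bool = False   # True if the fix later regressed


def time_to_fix_days(findings: List[Finding]) -> Optional[float]:
    """Average days from discovery to verified fix over closed findings (None if none closed)."""
    durations = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(durations) / len(durations) if durations else None


def exposure_days(findings: List[Finding], period_start: date, period_end: date) -> int:
    """Days in the half-open range [period_start, period_end) on which at least one
    finding was open. Overlapping open windows are merged so each day counts once."""
    intervals = []
    for f in findings:
        s = max(f.opened, period_start)
        e = min(f.closed if f.closed is not None else period_end, period_end)
        if s < e:
            intervals.append((s, e))
    intervals.sort()
    total = 0
    cur_s = cur_e = None
    for s, e in intervals:
        if cur_e is None or s > cur_e:          # gap before this window: flush the merged one
            if cur_e is not None:
                total += (cur_e - cur_s).days
            cur_s, cur_e = s, e
        else:                                   # overlap: extend the merged window
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += (cur_e - cur_s).days
    return total


def reopen_rate_by_severity(findings: List[Finding]) -> Dict[str, float]:
    """Fraction of fixed findings, per severity tier, whose fix later regressed."""
    fixed = defaultdict(int)
    reopened = defaultdict(int)
    for f in findings:
        if f.closed is not None:
            fixed[f.severity] += 1
            if f.reopened:
                reopened[f.severity] += 1
    return {sev: reopened[sev] / fixed[sev] for sev in fixed}


# Constructed sample records for one site over calendar year 2011.
PERIOD_START = date(2011, 1, 1)
PERIOD_END = date(2012, 1, 1)
SAMPLE_FINDINGS = [
    Finding("urgent", date(2011, 1, 10), date(2011, 1, 20)),                 # 10 days, overlaps next
    Finding("high", date(2011, 1, 15), date(2011, 2, 14), reopened=True),    # 30 days, fix regressed
    Finding("high", date(2011, 3, 1), date(2011, 3, 21)),                    # 20 days
    Finding("critical", date(2011, 6, 1), None),                             # still open at year end
]


def summarize(findings: List[Finding] = SAMPLE_FINDINGS,
              start: date = PERIOD_START, end: date = PERIOD_END) -> dict:
    """The three report-style metrics for one site."""
    return {
        "avg_time_to_fix_days": time_to_fix_days(findings),
        "exposure_days": exposure_days(findings, start, end),
        "reopen_rate": reopen_rate_by_severity(findings),
    }


if __name__ == "__main__":
    print(summarize())
```

For the sample data the merged exposure window is 269 days: the two January findings overlap and contribute 35 days together, the March finding 20, and the still-open June finding runs to the end of the period. The reopen rate is computed only over findings that were actually fixed, which is why a severity tier with nothing closed yet does not appear in the result.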