17 July 2012

Website Vulnerability Statistics Summer 2012

WhiteHat Security in the United States has published the 12th edition of its Security Statistics Report, covering summer 2012.

[Figure: partial view of a pie chart from the WhiteHat Security Statistics Report showing the percentage breakdown of all serious vulnerabilities discovered, by vulnerability class]

As with the previous edition, the new Volume 12 provides a detailed breakdown of the number of higher-risk vulnerabilities found, types, remediation rates and time to fix by industry sector from work with its own clients. These were over 500 organisations with web sites ranging from highly complex and interactive, to static brochureware sites.

This time there is also an analysis of re-open rates — application vulnerabilities that had been identified and later remediated or mitigated, but then re-appeared at a later date. WhiteHat found that 20% of identified vulnerabilities were re-opened at some point, and in some cases many times. The report examines why this rate is relatively high and breaks the re-open rate down by vulnerability type.

WhiteHat defines the included vulnerabilities as those with a High, Critical or Urgent severity as defined by PCI DSS naming conventions, exploitation of which "could lead to server breach, user account take-over, data loss or compliance failure".

Those names were defined in PCI DSS Security Scanning Procedures, Version 1.1, September 2006, where they are also referred to as "high-level vulnerabilities", but they are not explicitly named in the document that supersedes it: Approved Scanning Vendors - Program Guide Reference 1.0 PCI DSS, Version 1.2, March 2010. The terms Urgent, Critical and High are, however, still mentioned in PCI DSS v2.0 requirement 11.2 on vulnerability scanning. The naming itself does not matter; at least WhiteHat has defined its categorisation and has used it consistently. But remember that your own organisation's definition of severity, and how it prioritises application vulnerabilities, could be quite different.

Posted on: 17 July 2012 at 07:32 hrs

http://www.clerkendweller.com/2012/7/17/Website-Vulnerability-Statistics-Summer-2012


© 2012-2013 clerkendweller.com