Following up on yesterday’s post on the time to detect hackers inside your systems, a new report today says that about half of the web sites of Retail and Healthcare businesses are always vulnerable, mostly because of slow remediation rates.
WhiteHat Security’s report (see article) says that 47% of applications tested had cross-site scripting vulnerabilities, 56% leaked information and 70% did not secure communications sufficiently.
The developers argued that the 70% number wasn’t fair because it included sites that had not fixed Heartbleed from last year, and Heartbleed is really an infrastructure problem, not an application problem (which kind of validates the slow remediation rate comment above).
But we have been talking about cross-site scripting issues for years, so what are the developers’ excuses for that?
My take is that vulnerabilities are vulnerabilities and ONE person needs to be accountable for removing vulnerabilities. Whether it is the developer or some other person, it needs to be someone that you can corner and say fix it.
One thing that helps developers of custom apps/web sites is that each site is a one-off. If you figure out how to compromise Microsoft Office, you can use that to attack, say, “quite a few” people. If I attack Joe’s plumbing’s web site, all I get is Joe’s 50,000 customers to infect.
Still, people (hackers) build automated tools to crawl the web to find vulnerabilities, so Joe shouldn’t rest too easy. Also, Joe probably doesn’t understand static and dynamic code analysis techniques and other risk reduction techniques as well as Microsoft does, so there are probably way more vulnerabilities per 1,000 lines of code in Joe’s internal and public-facing apps than in Office. And we never seem to run out of vulnerabilities in Office, so what does that say about Joe’s apps?
So, if you are Joe, you shouldn’t rest – get to fixin’ those vulnerabilities!