Embracing a proactive stance on application security: A guide to self-hacking for enhanced protection
In the digital age, website security has become a paramount concern for organisations across industries. Visibility into how the software development lifecycle actually performs, backed by a mature security metrics program, is key to keeping websites and the organisations behind them secure.
Recent studies have revealed some alarming facts about the state of website security. On average, 61% of vulnerabilities were resolved, but resolution took an average of 193 days from the first notification to the customer. Such a long window of exposure carries significant risk, as website breaches can result in fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation, and loss of customers.
Historically, the consequences of little or no website security were difficult to predict, but after numerous breaches, the industry has a better understanding of the potential impact. For instance, in 2014, a study by WhiteHat Security found that 86% of the examined websites had at least one serious vulnerability, and 56% had multiple serious vulnerabilities.
Remediation is the hardest aspect of application security. To lower the average number of vulnerabilities, speed up time-to-fix, and increase the remediation rate, vulnerability results should be fed back to development teams. Interestingly, remediation rates vary significantly by industry. Professional, scientific, and technical services sites have the lowest rate (16%), while arts, entertainment, and recreation sites have the highest (35%). Measured by window of exposure instead, only a small percentage of retail trade sites, healthcare and social assistance sites, and finance/insurance sites had one or more serious vulnerabilities exposed for fewer than 30 days of the year.
Organisations driven by risk reduction have an average of 23 vulnerabilities per website and a remediation rate of 18%. On the other hand, organisations driven by compliance have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
The key to effective application security is identifying the security metrics that matter to the organisation and focusing on fixing specific vulnerabilities. Website security requires timely information and visibility into the performance of security programs. In 2014, applications were most likely to have insufficient transport layer protection (70%) or information leakage (56%).
However, it's important to note that the likelihood of content spoofing, cross-site scripting, and fingerprinting has declined in recent years. This partly reflects fewer of these flaws being found in the code itself, but also increased awareness and proactive measures taken by organisations.
In the realm of website security, the industry is continually evolving. While the discovery of zero-day vulnerabilities such as Heartbleed led to a sharp rise in sites classified as having insufficient transport layer protection, the industry is learning and adapting. Educational Services has the highest percentage of rarely vulnerable sites, indicating a proactive approach to security.
The importance of website security and the need for timely remediation cannot be overstated. Website breaches are an everyday occurrence, often going unnoticed unless they involve major data breaches. Organisations must prioritise security to protect their customers, their brand, and their business.