Some best practices, such as software security training, do measurably help developers write more secure code, but adopting best practices in general does not necessarily translate into better security, WhiteHat Security has found.
Software security controls and best practices had some impact on the actual security of organizations, but not as much as one would expect, WhiteHat Security found in its Website Security Statistics Report released Thursday. The report correlated vulnerability data from tens of thousands of Websites with software development lifecycle (SDLC) activity data obtained through a survey of the organizations that own them.
"Organizations need to understand how different parts of the SDLC affect how vulnerabilities are introduced during software development," Jeremiah Grossman, co-founder and CTO of WhiteHat Security, said in a statement.
There was good news and bad news. As organizations introduced best practices in secure software development, the average number of serious vulnerabilities identified per Website has declined dramatically over the past two years, according to the report. An average of 56 serious vulnerabilities per Website were found in 2012, compared with 79 in 2011 and 230 in 2010.
WhiteHat defined "serious" vulnerabilities as those that would let an attacker take control of all or part of the website, compromise user accounts on the system, access sensitive data, or violate compliance requirements.
"In short, serious vulnerabilities are those that should really be fixed," the company said.
All industry sectors except IT and energy found fewer vulnerabilities in 2012 than in past years. Government and banking websites had the fewest serious vulnerabilities, averaging eight and 11 per Website respectively. The IT industry had the most, 114 per Website on average, in 2012.
In previous iterations of the report, the banking industry had both the fewest vulnerabilities and the highest remediation rate. This year its remediation rate, 54 percent, fell below the 61 percent average across all industries.
The bad news is that vulnerabilities are not being fixed promptly. On average, resolving a vulnerability took 193 days from the time the organization was first notified of it, WhiteHat said. Of all the Websites tested, 86 percent had at least one serious vulnerability exposed to attack every single day in 2012. About 61 percent of serious vulnerabilities were resolved, and only 18 percent of the sites tested were vulnerable for fewer than 30 days over the year.
Entertainment and media Websites were better at remediation than other sectors, with 81 percent of serious vulnerabilities resolved on average.
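The three figures the report leans on, average time-to-fix, remediation rate, and a site's window of exposure (the number of days in the year on which at least one serious vulnerability was open), are easy to reproduce for your own findings data. The following is an added example, not code from WhiteHat or the report; the finding records, site names and dates are constructed, and the metric definitions (a day counts as exposed if any serious finding was open on it, the day a finding is closed is no longer exposed, and time-to-fix is averaged over resolved findings only) are this example's assumptions about how the report counts, not statements from it.

```python
"""Added example (not from the WhiteHat report): remediation metrics from a
constructed list of serious findings. All sites and dates below are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

YEAR_START = date(2012, 1, 1)
YEAR_END = date(2012, 12, 31)          # inclusive; 2012 has 366 days


@dataclass
class Finding:
    site: str
    opened: date                       # day the organization was notified
    closed: Optional[date] = None      # None means still open at year end


# Constructed sample data (not real sites or real vulnerabilities).
FINDINGS: List[Finding] = [
    Finding("site-a", date(2012, 1, 1)),                      # never fixed
    Finding("site-a", date(2012, 3, 1), date(2012, 3, 20)),   # 19 days
    Finding("site-b", date(2012, 2, 1), date(2012, 2, 11)),   # 10 days
    Finding("site-b", date(2012, 2, 5), date(2012, 2, 25)),   # 20 days, overlaps above
    Finding("site-b", date(2012, 6, 1), date(2012, 6, 6)),    # 5 days
    Finding("site-c", date(2011, 12, 1), date(2012, 4, 1)),   # 122 days, opened last year
]


def time_to_fix_days(findings: List[Finding]) -> float:
    """Average days from notification to resolution, over resolved findings only.
    Assumption: open findings are excluded rather than counted as still running."""
    fixed = [(f.closed - f.opened).days for f in findings if f.closed is not None]
    return sum(fixed) / len(fixed) if fixed else 0.0


def remediation_rate(findings: List[Finding]) -> float:
    """Fraction of findings that were resolved (the report's 61 percent figure)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.closed is not None) / len(findings)


def exposed_days(findings: List[Finding],
                 start: date = YEAR_START, end: date = YEAR_END) -> int:
    """Days in [start, end] on which at least one finding was open.
    Overlapping findings are merged so each day is counted once; the closing
    day itself is treated as no longer exposed (assumption)."""
    intervals: List[Tuple[date, date]] = []
    for f in findings:
        first = max(f.opened, start)
        last_open = (f.closed - timedelta(days=1)) if f.closed else end
        last = min(last_open, end)
        if first <= last:
            intervals.append((first, last))
    intervals.sort()
    total = 0
    cur: Optional[Tuple[date, date]] = None
    for a, b in intervals:
        if cur is None:
            cur = (a, b)
        elif a <= cur[1] + timedelta(days=1):      # overlapping or adjacent: merge
            cur = (cur[0], max(cur[1], b))
        else:
            total += (cur[1] - cur[0]).days + 1
            cur = (a, b)
    if cur is not None:
        total += (cur[1] - cur[0]).days + 1
    return total


def window_of_exposure(findings: List[Finding]) -> Dict[str, int]:
    """Per-site exposed-day count for the year."""
    by_site: Dict[str, List[Finding]] = {}
    for f in findings:
        by_site.setdefault(f.site, []).append(f)
    return {site: exposed_days(fs) for site, fs in by_site.items()}


def fraction_always_exposed(exposure: Dict[str, int],
                            year_days: int = (YEAR_END - YEAR_START).days + 1) -> float:
    """Share of sites vulnerable every day of the year (the report's 86 percent)."""
    return sum(1 for d in exposure.values() if d == year_days) / len(exposure)


def fraction_exposed_under(exposure: Dict[str, int], threshold: int = 30) -> float:
    """Share of sites vulnerable fewer than `threshold` days (the report's 18 percent)."""
    return sum(1 for d in exposure.values() if d < threshold) / len(exposure)


if __name__ == "__main__":
    exposure = window_of_exposure(FINDINGS)
    print("avg time-to-fix (days):", time_to_fix_days(FINDINGS))
    print("remediation rate:", remediation_rate(FINDINGS))
    print("window of exposure:", exposure)
    print("always exposed:", fraction_always_exposed(exposure))
    print("exposed < 30 days:", fraction_exposed_under(exposure))
```

Two details matter when you run this over real scanner exports: findings that were opened before the reporting year must be clipped to the year rather than dropped, or your exposure figures will be too low, and overlapping findings on one site must be merged, or a site with three concurrent issues will appear three times as exposed as it was.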
WhiteHat found that compliance regulations strongly influenced whether organizations resolved vulnerabilities. If a compliance mandate required a vulnerability to be fixed, the organization was more likely to fix it; if the regulations did not mention it, the vulnerability was more likely to remain, regardless of its implications for the overall security posture of the site, WhiteHat said.
"It is apparent that these organizations take the approach of 'wait-until-something-goes-wrong' before kicking into gear unless there is some sense of accountability," said Grossman.
A little over half of the organizations surveyed, 57 percent, provided some form of software security training for their development teams. These organizations experienced 40 percent fewer vulnerabilities than organizations that did not offer training, and resolved issues 59 percent faster. About 39 percent of organizations said they performed some kind of static code analysis on their Websites and applications; these experienced 15 percent more vulnerabilities and resolved them 26 percent slower. Finally, 55 percent of organizations reported having a Web Application Firewall in place; these tended to have 11 percent more vulnerabilities and resolved them 8 percent slower than average. Because the practice data is self-reported and the report correlates it with measured vulnerability counts, these figures show association rather than cause: they do not by themselves establish that static analysis or a WAF makes a site less secure.
"This collective data has shown that many organizations do not yet consider they need to proactively do something about software security," Grossman said, before adding, "This needs to change."
The full report from WhiteHat Security is available here.