WhiteHat Security Inc. will begin offering its own Web site vulnerability report. The report, titled the "Web Application Security Risk Report," will focus on e-commerce, financial services, health care and high-tech sites. It will offer a high-level view of vulnerabilities affecting enterprise Web sites and explains the likelihood of vulnerabilities existing on those sites.
WhiteHat is creating the report in response to hackers' increased attacks on Web applications. WhiteHat research reveals that eight out of 10 Web sites have serious flaws, including cross-site scripting and SQL injection, making them susceptible to malicious attack. Common business logic flaws, such as insufficient authorization, that are often undetected but can lead to customer account compromise, top the list as well.
The company is able to create this report thanks in part to the hundreds of Web sites it assesses each moth using its Sentinel service. By sharing its findings, companies will gain a clearer picture of the security issues affecting their Web sites today, WhiteHat said. This data will also help companies realize the possible business impact of these attacks and how to prevent them from occurring.
WhiteHat Security uses the Web Application Security Consortium (WASC) threat Classification of 24 Web application vulnerability classes as a baseline for classifying vulnerabilities. This standard ensures comprehensive coverage of the known types of Web application vulnerabilities. Unlike other methods of common vulnerability assessments in commercial and open source software, the WhiteHat data is compiled and aggregated into a database of previously unknown vulnerabilities in custom Web applications.
"We are excited to be able to offer this insight into the growing issue of Web application security," said Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, in an announcement. "We expect these quarterly reports to shed light on prevalent vulnerabilities and help enterprises combat them efficiently. Through this type of industry awareness we expect to see a decrease in the number and severity of vulnerabilities across the board, especially among businesses which take a proactive approach to protecting their Websites."
WhiteHat's Web Application Security Risk Report will be published quarterly beginning in January 2007.