Almost all websites vulnerable to hackers, experts say

If you've ever been hacked, exploited or compromised online, then you already know that the Web is not a very safe place. It's also not getting much safer.

One study from a high-profile security firm estimates that a staggering 86 percent of websites are one well-executed attack away from being compromised, and that the average site contains 56 serious security flaws.

The experts at Santa Clara, Calif.-based WhiteHat Security, which provides Web security solutions for its clients, surveyed 76 high-profile organizations with active online presences about their 2012 activities, and then correlated the responses with its own databases. The study indicated not only that hackers could infiltrate almost any website, but that most sites are notoriously slow to patch vulnerabilities.

WhiteHat defined "serious vulnerabilities" as "those in which an attacker could take control over all, or some part, of the website; compromise user accounts on the system; access sensitive data; violate compliance requirements; and possibly make headline news. In short," wrote the study's authors, "serious vulnerabilities are those that should really be fixed."

Although 86 percent of websites with one serious flaw and an average of 56 flaws per site are not figures the modern Web could be proud of, they're hardly the most damning numbers from the report. The organizations surveyed fixed only 61 percent of their critical flaws, and took an average of 193 days (over six months) to do so.

Results also varied based on industry. WhiteHat found that, ironically, IT websites were the most vulnerable, sporting an average of 114 serious flaws. Everyday citizens can rest easy, though, because government websites had only eight per page.

When it came to fixing the vulnerabilities, entertainment and media sites took an average of just 33 days, whereas education sites took an average of 342 days — just under a year, and over 10 times as long as their entertainment counterparts.

The report contains a little good news: Although the percentage of websites with vulnerabilities and the average response time have not changed much since 2011, the number of vulnerabilities per page is down to 56 from 79 in 2011. While 61 percent of resolved vulnerabilities may sound middling, it's a far sight better than the 35 percent recorded in 2007.

Because the survey only covers 76 websites, generalizing these results to the Web at large may be a statistician's nightmare. However, the findings may actually be on the conservative side.

The 76 respondents were all WhiteHat clients, which means they are already more security-conscious than the average website. Nevertheless, generalizing the results would require a much more comprehensive study.

"What's needed is more secure software, NOT more security software," the report's authors wrote. "Organizations must demand that software be designed in a way that makes it resilient to attack and does not require additional security products to protect it." Until that happens, websites may be about as safe as they're likely to get.