Verizon's 2015 Data Breach Investigations Report recently shared that for the financial services industry, web application vulnerabilities are the second leading cause of breach incidents

"We see no compelling evidence of 'best-practices' in application security," Jeremiah Grossman, founder of WhiteHat Security said. "We instead observed that certain software security activities improve specific metrics, such as the number of vulnerabilities, time-to-fix, and remediation rates, more than other activities. The best approach is for organizations to identify specific security metrics they'd like to improve upon, and then strategically select activities most likely to make a positive impact."

Overall, data for 2015 turned out to be far more serious than anticipated. Of all websites tested by WhiteHat Sentinel, 86% had at least one serious vulnerability where an attacker could take control over all, or some part, of the website, and 56% of the time the site had far more than one vulnerability. On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.

Insufficient transport layer protection was the most likely vulnerability across vertical industries including retail trade, healthcare/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood. Insufficient transport layer protection was a security flaw caused by applications not taking measures to shield network traffic.

"From our research, what matters between the spectrum of those who are always vulnerable and rarely vulnerable is less about the programming languages, industry vertical, size of the organization, and so on," Grossman said. "What seems to matter more than anything else is organizations having a strong internal driver, and a culture of accountability for fixing identified vulnerabilities in a specific timeframe. The executive level mandate creates an environment for the development groups to create effective remediation processes."

Researchers found that the best way to lower the average number of vulnerabilities, speed up time-to-fix and increase remediation rates is to feed vulnerability results back to development through established bug tracking or mitigation channels. This approach makes application security front-and-center in a development group's daily work activity and creates an effective process to solve problems.

Compliance-driven organizations that seek to remediate vulnerabilities had the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).  Those that had made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities.

"We realize that using compliance as a driver to remediate vulnerabilities is a double-edged sword, but the data demonstrates that those companies have the best statistics in terms of securing their organization's sites," Grossman said. "This year's report has shown that the amount of time companies are vulnerable to web attacks is much too long. Increasing the rate at which these vulnerabilities are remediated is the only way to protect users."