APPLICATION SECURITY: Sites Still Vulnerable

The good news is that three quarters of nearly 300 financial institutions haven't experienced an urgent security issue related to their Web sites in more than two years; the flip side is that close to 75 FIs have, according to a new report from Web-site security watchdog WhiteHat Security.

The Santa Clara, CA-based consultant monitored 700 Web sites across various industries from Jan. 1, 2006 to July 31, 2008 to judge the risk factors of these sites based on the Payment Card Industry Data Security Standard (PCI-DSS) severity system: urgent, critical, high, medium and low. WhiteHat then rated vulnerabilities "by the potential business impact if the issue were to be exploited."

What it found was that 25 percent of FI Web sites experienced at least one issue of "urgent" severity, although that was eight percent lower than all industries combined. Furthermore, while 60 percent of FIs experienced at least one "critical" issue and 43 percent faced at least one "high" severity issue, that's still 12 percent and 14 percent lower, respectively, than the total group.

The most pressing issue facing FIs is cross-site scripting, followed by content spoofing and information leakage.

WhiteHat recommends that companies make one person responsible for securing all company Web sites; be proactive in securing the site; implement a secure software development process; and, finally, utilize a defense-in-depth security strategy that includes a Web application firewall.
