While there is growing interest in building more secure software, there is a surprising lack of consensus on best practices for doing so, said Jeremiah Grossman, founder of WhiteHat Security, which offers Web security services. This comes through clearly in WhiteHat's recently published Website Security Statistics Report, which is based on a review of more than 30,000 websites that use the company's Sentinel service.

A sobering 86 percent of all websites tested by WhiteHat Sentinel had at least one vulnerability that WhiteHat classified as "serious," which it defines as "those in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements and possibly make headline news."

While 61 percent of the vulnerabilities were resolved, the report found, doing so required an average of 193 days from the first customer notification.

Despite the obvious need for software developers to address Web application security, Grossman said "changing the mindset to develop more secure software is always a challenge because the value produced from it is difficult to quantify," noting that many developers are uncertain how to measure security and see it as a hassle.

When a member of an organization's security team meets with the development group, "it's viewed as more work," he added.

Web Application Security Metrics

In addition, WhiteHat found that best practices such as using penetration testers, incorporating static analysis into the software code review process and performing ad-hoc code reviews of high-risk applications tend to positively impact some metrics while not significantly affecting others.

While security metrics will vary somewhat from organization to organization, the number of vulnerabilities, the percentage that get fixed and the speed with which they are fixed are three Web security metrics that every organization should track, Grossman suggested.

"We found that certain activities or best practices will positively impact one or two of those metrics but rarely all three," he said, adding that organizations should determine which metrics are most important to them so they can focus on the activities that are most likely to impact those metrics.

Which Best Practice Works Best?

Feeding vulnerability results back to development teams through established bug tracking or mitigation channels was the activity that yielded the best result across the three key metrics, Grossman said. Organizations that did this reported 40 percent fewer vulnerabilities than the average, fixed them nearly a month faster and increased remediation rates by 15 percent.

Yet only about 20 percent of WhiteHat customers feed vulnerability results to developers in this way, he said. The overall number of companies that do so is probably even lower, he believes, because "[WhiteHat] customers are probably more security conscious than the average."

This finding highlights the need for business processes that enhance communication between security and development teams, Grossman said. Among WhiteHat customers, the most successful security organizations openly share their data with all constituencies.

"Everybody can see the data, and the security team can support improvement at a very laser-focused level. They can offer tools or education to developers," he said. "Both sides can see exactly what they are doing and what they should be doing."

Focus on Remediation

In regard to specific vulnerabilities, the likelihood of content spoofing, fingerprinting and cross-site scripting dropped significantly in the past few years, WhiteHat found. The likelihood of fingerprinting vulnerabilities fell from 23 percent in 2012 to 5 percent in 2014, for example.

Insufficient transport layer, which Grossman called "a kind of catchall term" for zero-day vulnerabilities like Heartbleed, was the single largest potential security issue for websites last year, reaching a 70 percent likelihood.

"Developers only code against vulnerabilities they know of and respect," Grossman explained. "For years they did not know or care about cross-site scripting, and by 2005 websites were riddled with it. Now we're seeing fewer instances of cross-site scripting on newer sites because awareness has grown."

While the security industry has gotten good at identifying vulnerabilities, Grossman said, it needs to shift more focus to eliminating them.

"The next stage of application security is in remediation. How do we make it easier and faster to fix the vulnerabilities we already know about?" he said. "That sounds like common sense, but not enough people are focusing on remediation."

Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.