SANTA CLARA, CA – A new report, which reviewed vulnerabilities online during 2010, shows that even in industries that are heavily regulated like healthcare, 14 percent of sites had a serious vulnerability throughout the year.

The report, by WhiteHat Security, a provider of website risk management solutions, found the average website falls into the "always" and "frequently" vulnerable categories – meaning they were exposed more than 270 days of the year. When looking at "window of exposure" across industries, researchers said it becomes apparent there's a vast difference in the approach to website security.

[See also:  Healthcare organizations at risk for more breaches]

Researchers reviewed 3,000 websites across 400 organizations and found that the average website has serious vulnerabilities more than nine months of the year and data leakage has overtaken cross-site scripting as the most common website vulnerability.

Researchers said that, next to social networking and retail, which have two of the largest windows of exposure (58 and 51 percent, respectively), healthcare websites have one of the lowest exposure rates. They suggest that social networking sites' vulnerability may be a reflection of the rate at which they update sites and introduce new code.

"It's inevitable that websites will contain some faulty code – especially in sites that are continually updated,"  said Jeremiah Grossman, founder and CTO of Whitehat Security. "Window of exposure is a useful combination of the vulnerability prevalence, the time it takes to fix vulnerabilities, and the percentage of them that are remediated. Specifically for CIOs and security professionals, measuring window of exposure offers a look at the duration of risk their business and user data is exposed to by not having sufficient remediation processes in place."

Although healthcare industries lead in the new window of exposure metric, they still fall far short of rigorous security processes researchers conclude.