10th Website Security Statistics Report: Industry Benchmarks
Jeremiah Grossman, Founder & Chief Technology Officer
Webcast 09.22.2010
2,000+ websites
© 2010 WhiteHat Security, Inc.
Jeremiah Grossman
• WhiteHat Security Founder & CTO
• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
WhiteHat Security
• 350+ enterprise customers
  – Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
  – 1000’s of assessments performed annually
• Recognized leader in website security
  – Quoted thousands of times by the mainstream press
Data Overview
• 350+ organizations (start-ups to Fortune listed)
• 2,000+ websites
• 32,000+ verified custom web application vulnerabilities
• Majority of websites assessed multiple times per month
• Data collected from January 1, 2006 to August 25, 2010

Note: The websites WhiteHat Sentinel assesses likely represent the most “important” and “secure” websites on the Web, owned by organizations that are very serious about their security.
WhiteHat Sentinel
Complete Website Vulnerability Management: Customer Controlled & Expert Managed
• Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost
• Production Safe – No performance impact
• Full Coverage – On-going testing for business logic flaws and technical vulnerabilities; uses the WASC 24 classes of attacks as reference point
• Unlimited Assessments – Anytime websites change
• Eliminates False Positives – Security Operations Team verifies all vulnerabilities
• Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes
Website Classes of Attacks
Attacker Targeting

Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately

Directed Opportunistic
• Commercial and open source tools
• Authenticated scans
• Multi-step processes (forms)

Fully Targeted (APT?)
• Customize their own tools
• Focused on business logic
• Profit or goal driven ($$$)
Avg. # of Serious* Vulnerabilities
(Sorted by Industry)

* Serious Vulnerabilities: Those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.
Avg. # of Serious* Vulnerabilities
(Sorted by Size of the Organization)
[Chart: average number of serious vulnerabilities by organization size: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees)]
Avg. # of Serious* Vulnerabilities
(Sorted by Organization Size & Industry)
[Chart: average number of serious vulnerabilities for each industry (Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications), broken down by organization size: small (up to 150 employees), medium (150 - 2,500 employees), large (2,500 and over employees)]
Overall Top Vulnerability Classes
Percentage likelihood of a website having a vulnerability by class

Overall Top Vulnerability Classes
(Sorted by Industry & Percentage Likelihood)

Overall Top Vulnerability Classes
(Sorted by Size of Organization and Percentage Likelihood)
Time-to-Fix
(Sorted by Industry)
[Chart: one line per industry (Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications); x-axis: days, from 1 to 211; y-axis: 0% to 100%]
Time-to-Fix
(Sorted by Industry & Performance)

Days to fix, by performance tier:

Industry              Leaders (Top 25%)   Above Average (Mid 25% - 50%)   Laggards (Lower 50% - 75%)
Overall                5                   13                              30
Banking                2                    3                              13
Education              5                   14                              19
Financial Services     6                   11                              28
Healthcare             3                    9                              22
Insurance             10                   22                              39
IT                     5                   13                              29
Retail                 6                   18                              40
Social Networking      3                    9                              28
Telecommunications     2                    5                              25
Time-to-Fix
(Sorted by Size of the Organization)
[Chart: one line per organization size (small, medium, large); x-axis: days, from 1 to 211; y-axis: 0% to 100%]

Days to fix, by performance tier:

Size of Organization               Leaders (Top 25%)   Above Average (Mid 25% - 50%)   Laggards (Lower 50% - 75%)
small (up to 150 employees)         4                   12                              26
medium (150 - 2,500 employees)      5                   10                              26
large (2,500 and over employees)    6                   15                              35
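The time-to-fix tables above and the remediation-rate charts that follow are both derived from per-vulnerability records: how many days passed between a verified finding being reported and its fix being verified, and what share of reported findings ever got fixed. The following Python is an added worked example, not WhiteHat's code or methodology, showing how an organization could compute the same two metrics from its own assessment data to compare against the benchmark. It assumes each record carries the site's industry, a report date and a verified-fix date (None while open), and it reads the three table columns as the 25th, 50th and 75th percentile of days-to-fix; the sample findings are constructed.

```python
"""Time-to-fix percentiles and remediation rate computed from assessment records.

Added worked example; not WhiteHat's code or methodology. It assumes each
verified serious vulnerability is a record with the site's industry, the date
it was first reported and the date its fix was verified (None while open).
"""
import math
from collections import defaultdict
from datetime import date, timedelta


def finding(industry, opened, days_to_fix=None):
    """Build one constructed record; days_to_fix=None means still open."""
    fixed = opened + timedelta(days=days_to_fix) if days_to_fix is not None else None
    return {"industry": industry, "opened": opened, "fixed": fixed}


# Constructed sample data (not from the report): two industries, a few findings each.
D0 = date(2010, 1, 4)
SAMPLE_FINDINGS = [
    finding("Banking", D0, 2),
    finding("Banking", D0, 3),
    finding("Banking", D0 + timedelta(days=7), 5),
    finding("Banking", D0, 13),
    finding("Banking", D0 + timedelta(days=30), 40),
    finding("Banking", D0),                          # still open
    finding("Retail", D0, 4),
    finding("Retail", D0, 18),
    finding("Retail", D0 + timedelta(days=14), 45),
    finding("Retail", D0, 60),
    finding("Retail", D0),                           # still open
    finding("Retail", D0),                           # still open
    finding("Retail", D0 + timedelta(days=60)),      # still open
    finding("Retail", D0),                           # still open
]


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def time_to_fix_quartiles(findings):
    """Per industry: (25th, 50th, 75th) percentile of days from report to verified fix.

    Only fixed findings count. Reading the report's Leaders / Above Average /
    Laggards columns as these three percentile cut-offs in days is an
    assumption of this example.
    """
    days = defaultdict(list)
    for f in findings:
        if f["fixed"] is not None:
            days[f["industry"]].append((f["fixed"] - f["opened"]).days)
    return {ind: tuple(percentile(d, p) for p in (25, 50, 75))
            for ind, d in days.items()}


def remediation_rate(findings):
    """Per industry: percentage of reported serious findings with a verified fix."""
    total, fixed = defaultdict(int), defaultdict(int)
    for f in findings:
        total[f["industry"]] += 1
        if f["fixed"] is not None:
            fixed[f["industry"]] += 1
    return {ind: round(100.0 * fixed[ind] / total[ind], 1) for ind in total}


# The 20-point ranges the remediation-rate charts group websites into.
RANGES = ((20, "0 - 20%"), (40, "21% - 40%"), (60, "41% - 60%"),
          (80, "61% - 80%"), (100, "81% - 100%"))


def remediation_range(rate):
    """Map a remediation rate (0..100) onto the report's 20-point ranges."""
    for upper, label in RANGES:
        if rate <= upper:
            return label
    raise ValueError("remediation rate must be between 0 and 100")


if __name__ == "__main__":
    quartiles = time_to_fix_quartiles(SAMPLE_FINDINGS)
    rates = remediation_rate(SAMPLE_FINDINGS)
    print(f"{'Industry':<10}{'P25':>5}{'P50':>5}{'P75':>5}{'Fixed':>8}  Range")
    for ind in sorted(quartiles):
        p25, p50, p75 = quartiles[ind]
        print(f"{ind:<10}{p25:>5}{p50:>5}{p75:>5}{rates[ind]:>7.1f}%  {remediation_range(rates[ind])}")
```

Open findings are excluded from the time-to-fix percentiles but counted in the remediation rate, which is why the two metrics are worth reading together: a site can post a fast time-to-fix on the few issues it does close while leaving most of its serious findings open.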
Remediation Rate
(Percentage of Websites within Remediation Rate Ranges Sorted by Industry)
[Chart: for each industry (Banking, Education, Financial Services, Healthcare, Insurance, IT, Retail, Social Networking, Telecommunications, Overall), the percentage of websites whose remediation rate falls in each range: 0 - 20%, 21% - 40%, 41% - 60%, 61% - 80%, 81% - 100%; x-axis: 0% to 100%]
Remediation Rate
(Sorted by Size of the Organization)
[Chart: remediation rate by organization size: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees)]
Remediation Rate
(Sorted by Industry and Organization Size)
[Chart: remediation rate for each industry (Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications) by organization size: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees)]
Why do vulnerabilities go unfixed?
• No one at the organization understands or is responsible for maintaining the code.
• Development group does not understand or respect the vulnerability.
• Feature enhancements are prioritized ahead of security fixes.
• Lack of budget to fix the issues.
• Affected code is owned by an unresponsive third-party vendor.
• Website will be decommissioned or replaced “soon.”
• Risk of exploitation is accepted.
• Solution conflicts with business use case.
• Compliance does not require fixing the issue.
1) Find your websites (all of them)
Identifying an organization's complete Web presence is vital to a successful program. You can’t secure what you don’t know you own. Find out what websites there are, what they do, document the data they possess, who is responsible for them, and other helpful metadata.

2) Website Valuation & Prioritization
Each website provides different value to an organization. Some process highly sensitive data, others contain only marketing brochure-ware. Some websites facilitate thousands of credit card transactions each day, others generate advertising revenue. When resources are limited, prioritization must focus on those assets offering the best risk-reducing return on investment consistent with business objectives.

3) Adversaries & Risk Tolerance
Not all adversaries, those attempting to compromise websites, have the same technical capability or end goal. Some adversaries are sentient, others are autonomous; their methods differ, as does their target selection.

4) Measure your current security posture
Vulnerability assessments and penetration tests are designed to simulate the technical capabilities of a given type of adversary (step #3) and measure the success they would have. Finding as many vulnerabilities as possible is a byproduct of the exercise.

5) Remediation & Mitigation
From a risk management perspective it might be best to first fix a medium severity vulnerability on a main transactional website as opposed to a high severity issue in a non-critical system. Using the information obtained from steps 1 - 4, these decisions can be made with the confidence gained from the supporting data.
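The five steps above come together in step 5 as a ranking decision: the inventory (step 1) and valuation (step 2) of each site, the adversary class it is exposed to (step 3) and the verified severity of each finding (step 4) decide what gets fixed first. The Python below is an added example, not the report's or WhiteHat's method, of one way to make that ranking explicit. The scoring formula (severity weight multiplied by asset value and by adversary exposure), the weights, and every site and finding are constructed assumptions; the example.com hostnames are placeholders. It also shows the step 1 failure mode: a finding on a site that is not in the inventory cannot be valued and is reported separately.

```python
"""Risk-ranking findings across an inventory, following steps 1-5 above.

Added example; not the report's or WhiteHat's own method. The scoring
formula (severity weight x site value x adversary exposure) and every site,
finding and weight below are constructed for illustration.
"""
from dataclasses import dataclass

# Step 4 output: PCI-DSS style severity names, weighted for ranking (assumed weights).
SEVERITY_WEIGHT = {"urgent": 5, "critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Site:
    """Step 1 (inventory) and step 2 (valuation) data for one website."""
    name: str
    owner: str
    data: str
    value: int      # 1 = brochure-ware .. 5 = core transactional system
    exposure: int   # step 3: 1 = random opportunistic .. 3 = fully targeted adversaries expected


@dataclass(frozen=True)
class Finding:
    """One verified vulnerability from the assessment (step 4)."""
    site: str
    vuln_class: str
    severity: str


# Constructed inventory keyed by hostname (example.com names are placeholders).
INVENTORY = {
    "payments.example.com": Site("payments.example.com", "Payments team",
                                 "cardholder data", value=5, exposure=3),
    "partner-portal.example.com": Site("partner-portal.example.com", "B2B team",
                                       "partner contracts", value=3, exposure=2),
    "www.example.com": Site("www.example.com", "Marketing",
                            "public brochure-ware", value=1, exposure=1),
}

# Constructed assessment results; the last one names a site nobody inventoried.
FINDINGS = [
    Finding("www.example.com", "SQL Injection", "high"),
    Finding("payments.example.com", "Cross-Site Scripting", "medium"),
    Finding("partner-portal.example.com", "Insufficient Authorization", "critical"),
    Finding("forgotten.example.com", "Information Leakage", "low"),
]


def risk_score(site, finding):
    """Assumed ranking formula: severity weight scaled by asset value and exposure."""
    return SEVERITY_WEIGHT[finding.severity] * site.value * site.exposure


def remediation_order(inventory, findings):
    """Rank findings highest risk first (step 5).

    Returns (ranked, unknown): ranked is a list of (score, finding) tuples;
    unknown lists findings on sites missing from the inventory, i.e. a step 1
    gap that must be closed before the finding can be valued at all.
    """
    ranked, unknown = [], []
    for f in findings:
        site = inventory.get(f.site)
        if site is None:
            unknown.append(f)
            continue
        ranked.append((risk_score(site, f), f))
    ranked.sort(key=lambda item: (-item[0], item[1].site, item[1].vuln_class))
    return ranked, unknown


if __name__ == "__main__":
    ranked, unknown = remediation_order(INVENTORY, FINDINGS)
    for score, f in ranked:
        print(f"{score:>3}  {f.severity:<8} {f.vuln_class:<28} {f.site}")
    for f in unknown:
        print(f"  ?  {f.severity:<8} {f.vuln_class:<28} {f.site}  (not in inventory)")
```

With these constructed weights the medium severity finding on the transactional payments site (score 30) ranks ahead of the high severity finding on the brochure-ware site (score 3), which is exactly the ordering step 5 argues for; the finding on the uninventoried host is surfaced rather than silently dropped.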
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]

Questions?