WhiteHat Security WEBSITE SECURITY STATISTICS REPORT MAY 2013
 

Jeremiah Grossman and Gabriel Gumbs: the WhiteHat Security Website Security Statistics Report, MAY 2013

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

Document Transcript

    • WEBSITE SECURITY STATISTICS REPORT | MAY 2013
    • INTRODUCTION

      WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely. Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.

      To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.

      Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.

      ABOUT WHITEHAT SECURITY

      Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, currently manages more than 15,000 websites – including sites in the most regulated industries, such as top e-commerce, financial services and healthcare companies.
    • EXECUTIVE SUMMARY
    • KEY FINDINGS
    • AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
      (Chart: x-axis years 2007 to 2011; y-axis scale 0 to 1000.)
    • MOST COMMON VULNERABILITIES
    • (Chart legend: Cross-Site Scripting, Information Leakage, Content Spoofing, Cross-Site Request Forgery, Brute Force, Insufficient Transport Layer Protection, Insufficient Authorization, SQL Injection, Other.)
    • C-level executives, managers, and software developers often ask their security teams, “How are we doing? Are we safe, are we secure?” The real thing they may be asking for is a sense of how the organization’s current security posture compares to their peers or competitors. They want to know if the organization is leading, falling way behind, or is somewhere in between with respect to their security posture. The answers to that question are extremely helpful for progress tracking and goal setting.

      What many do not first consider is that some organizations (or particular websites) are ‘targets of opportunity,’ while others are ‘targets of choice.’ Targets of opportunity are breached when their security posture is weaker than the average organization (in their industry) – and they get unlucky in the total pool of potential victims. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker. The attackers know precisely whom – or what – they want to penetrate.

      Here’s the thing: since ‘100% security’ is an unrealistic goal – mostly because it is flatly impossible, and the attempt is prohibitively expensive and for many completely unnecessary – it is imperative for every organization to determine if they most likely represent a target of opportunity or choice. In doing so an organization may establish and measure against a “secure enough” bar.

      If an organization is a target of opportunity, a goal of being just above average with respect to website security among peers is reasonable. The bad guy will generally prefer to attack weaker, and therefore easier to breach, targets. On the other hand, if an organization is a target of choice, that organization must elevate its website security posture to a point where an attacker’s efforts are detectable, preventable, and in case of a compromise, survivable. This is due to the fact that an adversary will spend whatever time is necessary looking for gaps in the defenses to exploit.

      Whether an organization is a target of choice or a target of opportunity, the following Industry Scorecards have been prepared to help organizations visualize how their security posture compares to that of their peers (provided they know their own internal metrics, of course).

      INDUSTRY SCORECARDS
    • Banking Industry Scorecard (April 2013)

      THE CURRENT STATE OF WEBSITE SECURITY: AT A GLANCE
        Percent of analyzed sites with a serious* vulnerability: 81%
        Percent of serious* vulnerabilities that have been fixed: 54%
        Average time to fix: 107 days
        Average number of serious* vulnerabilities per site per year: 11

      MOST COMMON VULNERABILITIES: TOP SEVEN VULNERABILITY CLASSES
      (percent of sites that had at least one example of the class)
        Cross-Site Scripting: 26%
        Information Leakage: 21%
        Content Spoofing: 9%
        Cross-Site Request Forgery: 9%
        Brute Force: 8%
        Fingerprinting: 8%
        Insufficient Authorization: 5%

      EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
        Always Vulnerable: 24%
        Frequently Vulnerable (271-364 days a year): 33%
        Regularly Vulnerable (151-270 days a year): 9%
        Occasionally Vulnerable (31-150 days a year): 11%
        Rarely Vulnerable (30 days or less a year): 24%

      CURRENT DEFENSE: APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
        Programmers receive instructor-led or computer-based software security training: 57%
        Applications contain a library or framework that centralizes and enforces security controls: 29%
        Perform static code analysis on their website(s) underlying applications: 57%
        Web Application Firewall deployed: 29%
        Transactional / anti-fraud monitoring system deployed: 71%

      *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements.
    • Financial Services Industry Scorecard

      THE CURRENT STATE OF WEBSITE SECURITY: AT A GLANCE
        Percent of analyzed sites with a serious* vulnerability: 81%
        Percent of serious* vulnerabilities that have been fixed: 67%
        Average time to fix: 226 days
        Average number of serious* vulnerabilities per site per year: 50

      MOST COMMON VULNERABILITIES: TOP SEVEN VULNERABILITY CLASSES
      (percent of sites that had at least one example of the class)
        Cross-Site Scripting: 31%
        Information Leakage: 25%
        Content Spoofing: 12%
        SQL Injection: 9%
        Cross-Site Request Forgery: 8%
        Brute Force: 7%
        Directory Indexing: 7%

      EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
        Always Vulnerable: 28%
        Frequently Vulnerable (271-364 days a year): 28%
        Regularly Vulnerable (151-270 days a year): 10%
        Occasionally Vulnerable (31-150 days a year): 10%
        Rarely Vulnerable (30 days or less a year): 23%

      CURRENT DEFENSE: APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
        Programmers receive instructor-led or computer-based software security training: 64%
        Applications contain a library or framework that centralizes and enforces security controls: 70%
        Perform static code analysis on their website(s) underlying applications: 50%
        Web Application Firewall deployed: 50%
        Transactional / anti-fraud monitoring system deployed: 40%
    • Healthcare Industry Scorecard (April 2013)

      THE CURRENT STATE OF WEBSITE SECURITY: AT A GLANCE
        Percent of analyzed sites with a serious* vulnerability: 90%
        Percent of serious* vulnerabilities that have been fixed: 53%
        Average time to fix: 276 days
        Average number of serious* vulnerabilities per site per year: 22

      MOST COMMON VULNERABILITIES: TOP SEVEN VULNERABILITY CLASSES
      (percent of sites that had at least one example of the class)
        Cross-Site Scripting: 40%
        Information Leakage: 29%
        Content Spoofing: 22%
        Brute Force: 13%
        Insufficient Transport Layer Protection: 12%
        Cross-Site Request Forgery: 10%
        Session Fixation: 9%

      EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
        Always Vulnerable: 49%
        Frequently Vulnerable (271-364 days a year): 22%
        Regularly Vulnerable (151-270 days a year): 12%
        Occasionally Vulnerable (31-150 days a year): 7%
        Rarely Vulnerable (30 days or less a year): 10%

      CURRENT DEFENSE: APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
        Programmers receive instructor-led or computer-based software security training: 67%
        Applications contain a library or framework that centralizes and enforces security controls: 67%
        Perform static code analysis on their website(s) underlying applications: 83%
        Web Application Firewall deployed: 50%
        Transactional / anti-fraud monitoring system deployed: 34%
    • Retail Industry Scorecard (April 2013)

      THE CURRENT STATE OF WEBSITE SECURITY: AT A GLANCE
        Percent of analyzed sites with a serious* vulnerability: 91%
        Percent of serious* vulnerabilities that have been fixed: 54%
        Average time to fix: 224 days
        Average number of serious* vulnerabilities per site per year: 106

      MOST COMMON VULNERABILITIES: TOP SEVEN VULNERABILITY CLASSES
      (percent of sites that had at least one example of the class)
        Cross-Site Scripting: 31%
        Information Leakage: 25%
        Content Spoofing: 12%
        Brute Force: 9%
        SQL Injection: 8%
        Cross-Site Request Forgery: 7%
        Directory Indexing: 7%

      EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
        Always Vulnerable: 54%
        Frequently Vulnerable (271-364 days a year): 21%
        Regularly Vulnerable (151-270 days a year): 6%
        Occasionally Vulnerable (31-150 days a year): 5%
        Rarely Vulnerable (30 days or less a year): 13%

      CURRENT DEFENSE: APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
        Programmers receive instructor-led or computer-based software security training: 73%
        Applications contain a library or framework that centralizes and enforces security controls: 60%
        Perform static code analysis on their website(s) underlying applications: 90%
        Web Application Firewall deployed: 70%
        Transactional / anti-fraud monitoring system deployed: 70%
    • Technology Industry Scorecard (April 2013)

      THE CURRENT STATE OF WEBSITE SECURITY: AT A GLANCE
        Percent of analyzed sites with a serious* vulnerability: 85%
        Percent of serious* vulnerabilities that have been fixed: 61%
        Average time to fix: 71 days
        Average number of serious* vulnerabilities per site per year: 18

      MOST COMMON VULNERABILITIES: TOP SEVEN VULNERABILITY CLASSES
      (percent of sites that had at least one example of the class)
        Cross-Site Scripting: 41%
        Information Leakage: 35%
        Content Spoofing: 19%
        Cross-Site Request Forgery: 18%
        Brute Force: 14%
        Fingerprinting: 12%
        URL Redirector Abuse: 12%

      EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
        Always Vulnerable: 5%
        Frequently Vulnerable (271-364 days a year): 64%
        Regularly Vulnerable (151-270 days a year): 10%
        Occasionally Vulnerable (31-150 days a year): 9%
        Rarely Vulnerable (30 days or less a year): 11%

      CURRENT DEFENSE: APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
        Programmers receive instructor-led or computer-based software security training: 48%
        Applications contain a library or framework that centralizes and enforces security controls: 52%
        Perform static code analysis on their website(s) underlying applications: 96%
        Web Application Firewall deployed: 72%
        Transactional / anti-fraud monitoring system deployed: 32%
    • SURVEY
    • Question: If an organization experiences a website(s) data or system breach, which part of the organization is held accountable, and what is its performance?

      Ranking by accountable party              Software      Security      Board of      Executive
                                                Development   Department    Directors     Management
      Average Vulnerabilities per Site          3rd           1st           2nd           4th
      Average Time to Fix a Vulnerability       4th           3rd           3rd           1st
      Average Number of Vulnerabilities Fixed   3rd           2nd           1st           2nd
    • RECOMMENDATIONS
    • (Charts: Top 10 Vulnerability Classes (2011), sorted by vulnerability class; Overall Vulnerability Population (2011), percentage breakdown of all the serious* vulnerabilities discovered, sorted by vulnerability class.)