WhiteHat Security Website Security Statistics Report, MAY 2013

Jeremiah Grossman and Gabriel Gumbs present the WhiteHat Security Website Security Statistics Report, May 2013.

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

Transcript

  • 1. WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)
  • 2. ME (© 2013 WhiteHat Security, Inc.)
    Jeremiah Grossman
    •  Founder and CTO of WhiteHat Security
    •  TED Alumni
    •  InfoWorld Top 25 CTO
    •  Co-founder of the WASC
    •  Co-author: XSS Attacks
    •  Former Yahoo! Information Security Officer
    •  Brazilian Jiu-Jitsu Black Belt
    Gabriel Gumbs
    •  Director, Solutions Architecture
    •  Multi-domain Information Security Professional
    •  13 years’ enterprise industry experience
    •  Avid triathlete
  • 3. THE COMPANY: WhiteHat Security, Inc.
    •  Founded 2001
    •  Headquartered in Santa Clara, CA
    •  Employees: 270+
    •  WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
    •  Customers: 650+ (banking, retail, healthcare, etc.)
  • 4. HISTORY: What we knew going into 2012...
    •  “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” – Verizon Data Breach Investigations Report (2012)
    •  “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” – Privacyrights.org
  • 5. REASONS: 1) LEGACY WEB CODE 2) BUDGET MISALLOCATION 3) “BEST-PRACTICES”
  • 6. ABOUT THE DATA
  • 7. AT A GLANCE: Average annual amount of new serious* vulnerabilities introduced per website
    * Serious Vulnerability: A security weakness that, if exploited, may lead to breach or data loss of a system, its data, or users (PCI-DSS severity HIGH, CRITICAL, or URGENT).
  • 8. AT A GLANCE: INDUSTRY (2012)
  • 9. WINDOW OF EXPOSURE: The average number of days in a year a website is exposed to at least one serious* vulnerability.
  • 10. MOST COMMON VULNS: Top 15 Vulnerability Classes (2012). Percentage likelihood that at least one serious* vulnerability will appear in a website (chart also shows 2011).
  • 11. TOP 7: BY INDUSTRY
  • 12. OVERALL: Overall Vulnerability Population (2012). Percentage breakdown of all the serious* vulnerabilities discovered (sorted by vulnerability class).
  • 13. ATTACKS IN-THE-WILD: WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
  • 14. SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)
  • 15–24. INDUSTRY CORRELATION (chart slides; slides 16, 17 and 24 cite the WASC Web Hacking Incident Database above)
  • 25–26. SDLC SURVEY (chart slides; both cite the WASC Web Hacking Incident Database above)
  • 27. SURVEY: BREACH CORRELATION
  • 28. BREACH CORRELATION: Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
  • 29. BREACH CORRELATION: Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
  • 30. BREACH CORRELATION (chart slide; cites the WASC Web Hacking Incident Database above)
  • 31. BREACH CORRELATION: Organizations that performed Static Code Analysis on their website(s)’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
  • 32. BREACH CORRELATION: Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
  • 33. BREACH CORRELATION (chart slide; cites the WASC Web Hacking Incident Database above)
  • 34. BREACH CORRELATION: Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
  • 35. SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION
  • 36–44. ACCOUNTABILITY (chart slides; slides 36–41 and 44 cite the WASC Web Hacking Incident Database above)
  • 45. SOME LESSONS LEARNED (SO FAR)
  • 46. LESSONS
    •  “Best-Practices” – there aren’t any!
    •  Assign an individual or group that is accountable for website security
    •  Find your websites – all of them – and prioritize
    •  Measure your current security posture from an attacker’s perspective
    •  Trend and track the lifecycle of vulnerabilities
    •  Fast detection and response
  • 47. Questions & Answers
  • 48. Thank you!
    JEREMIAH GROSSMAN, Founder and CTO. Twitter: @jeremiahg. Email: jeremiah@whitehatsec.com
    GABRIEL GUMBS, Director, Solutions Architecture. Twitter: @gabrielgumbs. Email: gabriel.gumbs@whitehatsec.com
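The measures the deck leans on (new serious vulnerabilities per site per year on slide 7, the window of exposure on slide 9, and the time-to-fix and remediation-rate comparisons on slides 28 to 34) are all computations over a site's vulnerability lifecycle records, which is also what the "trend and track the lifecycle of vulnerabilities" lesson asks for. The example below is added here and is not WhiteHat's code or data: the records are constructed, the `Vuln` record shape and function names are assumptions, the "serious" filter follows the report's own definition (PCI-DSS HIGH, CRITICAL or URGENT), and it assumes a vulnerability stops counting as exposure on the day it is verified closed. The non-obvious part is the window of exposure: overlapping open vulnerabilities must not be double-counted, so open intervals are clipped to the year and merged before the days are summed.

```python
"""Vulnerability-lifecycle metrics of the kind the WhiteHat report tracks.

Added example; the records below are constructed, not WhiteHat data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The report's "serious" definition: PCI-DSS severity HIGH, CRITICAL or URGENT.
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}


@dataclass
class Vuln:  # assumed record shape, one row per confirmed finding
    site: str
    vuln_class: str
    severity: str
    opened: date            # day the finding was confirmed
    closed: Optional[date]  # day it was verified fixed; None = still open


# Constructed sample records (not from the report).
SAMPLE: List[Vuln] = [
    Vuln("shop.example", "SQL Injection", "CRITICAL", date(2012, 1, 10), date(2012, 2, 9)),
    Vuln("shop.example", "Cross-Site Scripting", "HIGH", date(2012, 2, 1), date(2012, 3, 1)),
    Vuln("shop.example", "Information Leakage", "MEDIUM", date(2012, 3, 1), None),
    Vuln("shop.example", "Content Spoofing", "HIGH", date(2012, 11, 1), None),
    Vuln("bank.example", "Cross-Site Request Forgery", "HIGH", date(2011, 12, 1), date(2012, 1, 31)),
    Vuln("bank.example", "Insufficient Authorization", "URGENT", date(2012, 6, 15), date(2012, 6, 20)),
]


def serious(vulns: List[Vuln]) -> List[Vuln]:
    """Keep only findings that meet the report's 'serious' threshold."""
    return [v for v in vulns if v.severity in SERIOUS]


def window_of_exposure(vulns: List[Vuln], site: str, year: int) -> int:
    """Days in `year` on which `site` had at least one serious vuln open.

    Assumption: a vuln is exposed from its opened day up to but not including
    its closed day; an unclosed vuln is exposed through 31 December.  Intervals
    are clipped to the year, sorted and merged so overlaps count once.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    intervals = []
    for v in serious(vulns):
        if v.site != site:
            continue
        lo = max(v.opened, start)
        hi = min(v.closed - timedelta(days=1) if v.closed else end, end)
        if lo <= hi:
            intervals.append((lo, hi))
    intervals.sort()
    days = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is not None and lo <= cur_hi + timedelta(days=1):
            cur_hi = max(cur_hi, hi)          # overlaps or touches: extend the run
        else:
            if cur_hi is not None:
                days += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        days += (cur_hi - cur_lo).days + 1
    return days


def new_serious_per_site(vulns: List[Vuln], year: int) -> Dict[str, int]:
    """Slide 7's measure: serious vulns first confirmed in `year`, per site."""
    counts: Dict[str, int] = {}
    for v in serious(vulns):
        if v.opened.year == year:
            counts[v.site] = counts.get(v.site, 0) + 1
    return counts


def time_to_fix(vulns: List[Vuln]) -> Optional[float]:
    """Average days from confirmation to verified fix over resolved serious vulns."""
    fixed = [(v.closed - v.opened).days for v in serious(vulns) if v.closed]
    return sum(fixed) / len(fixed) if fixed else None


def remediation_rate(vulns: List[Vuln]) -> Optional[float]:
    """Fraction of serious vulns that have been resolved."""
    ser = serious(vulns)
    return sum(1 for v in ser if v.closed) / len(ser) if ser else None


if __name__ == "__main__":
    for site in sorted({v.site for v in SAMPLE}):
        print(site, "window of exposure 2012:", window_of_exposure(SAMPLE, site, 2012), "days")
    print("new serious vulns per site 2012:", new_serious_per_site(SAMPLE, 2012))
    print("average time-to-fix:", time_to_fix(SAMPLE), "days")
    print("remediation rate:", remediation_rate(SAMPLE))
```

On the constructed data, shop.example's SQL injection and XSS overlap in February and merge into one 51-day run, so its 2012 window is 112 days rather than the 120 a naive sum of durations would give; bank.example's CSRF is clipped at 1 January because it was opened in 2011. The window is a count of calendar days, so a site with a serious finding open all year reports the year's full length, which is what makes the metric comparable across sites with very different vulnerability counts.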