Website Security Statistics Report (2010) - Industry Benchmarks (Slides)

Every organization needs to know where they stand with their application security program, especially against its adversaries. Verizon Business' 2010 Data Breach Investigations Report (DBIR), a study conducted in cooperation with the United States Secret Service, provides insight. The report analyzes over 141 confirmed data breaches from 2009 which resulted in the compromise of 143 million records. To be clear, this data set is restricted to incidents of a "data" breach, which is different from those only resulting in financial loss. Either way, the data is overwhelming. The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications." That is, hacking Web servers and Web applications — "websites" for short. The attack vector of choice was SQL Injection, typically a vulnerability that can't readily be "patched," and used to install customized malware.

Until now no metrics have been published which organizations can use as a benchmark to compare themselves against their industry peers. These benchmarks may help answer the question, "How are we doing?" or "Are we secure enough?" WhiteHat Security's 10th Website Security Statistics Report presents a statistical picture of the vulnerability assessment results from over 2,000 websites across 350 organizations under WhiteHat Sentinel management. For the first time, we've broken down the numbers by industry and size of organization. The data provides a unique perspective on the state of website security that may begin answering some of these pressing questions.

Presentation Transcript

  • 10th Website Security Statistics Report: Industry Benchmarks, 2,000+ websites. Jeremiah Grossman, Founder & Chief Technology Officer. Webcast 09.22.2010. © 2010 WhiteHat Security, Inc.
  • Jeremiah Grossman
    • WhiteHat Security Founder & CTO
    • Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
    • Frequent international conference speaker
    • Co-founder of the Web Application Security Consortium
    • Co-author: Cross-Site Scripting Attacks
    • Former Yahoo! information security officer
  • WhiteHat Security
    • 350+ enterprise customers (start-ups to Fortune 500)
    • Flagship offering: “WhiteHat Sentinel Service” (1000’s of assessments performed annually)
    • Recognized leader in website security (quoted thousands of times by the mainstream press)
  • Data Overview
    • 350+ organizations (start-ups to Fortune listed)
    • 2,000+ websites
    • 32,000+ verified custom web application vulnerabilities
    • Majority of websites assessed multiple times per month
    • Data collected from January 1, 2006 to August 25, 2010
    Note: The websites WhiteHat Sentinel assesses likely represent the most “important” and “secure” websites on the Web, owned by organizations that are very serious about their security.
  • WhiteHat Sentinel: Complete Website Vulnerability Management, Customer Controlled & Expert Managed
    • Unique SaaS-based solution – highly scalable delivery of service at a fixed cost
    • Production Safe – no performance impact
    • Full Coverage – on-going testing for business logic flaws and technical vulnerabilities; uses the WASC 24 classes of attacks as reference point
    • Unlimited Assessments – anytime websites change
    • Eliminates False Positives – Security Operations Team verifies all vulnerabilities
    • Continuous Improvement & Refinement – ongoing updates and enhancements to underlying technology and processes
  • Website Classes of Attacks
  • Attacker Targeting
    • Fully Targeted (APT?): customize their own tools; focused on business logic; profit or goal driven ($$$)
    • Directed Opportunistic: commercial and open source tools; authentication scans; multi-step processes (forms)
    • Random Opportunistic: fully automated scripts; unauthenticated scans; targets chosen indiscriminately
  • Avg. # of Serious* Vulnerabilities (Sorted by Industry)
    * Serious Vulnerabilities: those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.
  • Avg. # of Serious* Vulnerabilities (Sorted by Size of the Organization)
    [Chart; organization size categories: small (up to 150 employees), medium (150 - 2,500 employees), large (2,500 and over employees)]
  • Avg. # of Serious Vulnerabilities (Sorted by Organization Size & Industry)
    [Chart; values not recoverable from the transcript]
  • Overall Top Vulnerability Classes: percentage likelihood of a website having a vulnerability by class
  • Overall Top Vulnerability Classes (Sorted by Industry & Percentage Likelihood)
  • Overall Top Vulnerability Classes (Sorted by Size of Organization and Percentage Likelihood)
  • Time-to-Fix (Sorted by Industry)
    [Chart: time-to-fix in days per industry: Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications]
  • Time-to-Fix (Sorted by Industry & Performance), days to fix
    Industry              Leaders (Top 25%)   Above Average (Mid 25% - 50%)   Laggards (Lower 50% - 75%)
    Overall               5                   13                              30
    Banking               2                   3                               13
    Education             5                   14                              19
    Financial Services    6                   11                              28
    Healthcare            3                   9                               22
    Insurance             10                  22                              39
    IT                    5                   13                              29
    Retail                6                   18                              40
    Social Networking     3                   9                               28
    Telecommunications    2                   5                               25
  • Time-to-Fix (Sorted by Size of the Organization)
    [Chart: time-to-fix in days by organization size: small (up to 150 employees), medium (150 - 2,500 employees), large (2,500 and over employees)]
    Size of Organization                Leaders (Top 25%)   Above Average (Mid 25% - 50%)   Laggards (Lower 50% - 75%)
    small (up to 150 employees)         4                   12                              26
    medium (150 - 2,500 employees)      5                   10                              26
    large (2,500 and over employees)    6                   15                              35
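As an added example (not code from the deck or from WhiteHat), here is how an organization can score its own findings against the time-to-fix tiers in the two tables above. The findings are constructed sample data, the benchmark rows are the Overall, Banking and Retail cut-offs copied from the industry table, and "remediation rate" is taken as the share of serious vulnerabilities closed, which is an assumption about how the deck's metric is defined.

```python
from datetime import date
from statistics import median

# Time-to-fix cut-offs (days) from the deck's industry table above:
# Leaders = top 25%, Above Average = mid 25%-50%, Laggards = lower 50%-75%.
TIME_TO_FIX_BENCHMARK = {
    "Overall": (5, 13, 30),
    "Banking": (2, 3, 13),
    "Retail": (6, 18, 40),
}
# "Serious" per the deck: HIGH, CRITICAL or URGENT severity (PCI-DSS naming).
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}

# Constructed sample findings for one hypothetical organization, not real data:
# (vulnerability class, severity, date opened, date closed or None if still open)
FINDINGS = [
    ("SQL Injection", "URGENT", date(2010, 6, 1), date(2010, 6, 4)),
    ("Cross-Site Scripting", "HIGH", date(2010, 6, 1), date(2010, 6, 20)),
    ("Cross-Site Scripting", "HIGH", date(2010, 6, 10), None),
    ("Information Leakage", "MEDIUM", date(2010, 6, 12), date(2010, 6, 13)),
    ("Content Spoofing", "HIGH", date(2010, 7, 1), date(2010, 7, 9)),
]

def serious_findings(findings):
    """Only the findings the deck would count as serious."""
    return [f for f in findings if f[1] in SERIOUS]

def remediation_rate(findings):
    """Percentage of serious findings closed (assumed reading of the deck's metric)."""
    serious = serious_findings(findings)
    if not serious:
        return 0.0
    return 100.0 * sum(1 for f in serious if f[3] is not None) / len(serious)

def median_time_to_fix(findings):
    """Median days from open to close across closed serious findings (None if none closed)."""
    days = [(f[3] - f[2]).days for f in serious_findings(findings) if f[3]]
    return median(days) if days else None

def performance_tier(days, industry="Overall"):
    """Map a median time-to-fix onto the deck's benchmark bands for an industry."""
    top, mid, lower = TIME_TO_FIX_BENCHMARK[industry]
    if days <= top:
        return "Leaders"
    if days <= mid:
        return "Above Average"
    if days <= lower:
        return "Laggards"
    return "Below the 75th percentile"
```

With the sample data the organization closes 75% of its serious findings with a median of 8 days, which is "Above Average" overall and in Retail but a "Laggard" against the Banking row.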
  • Remediation Rate (Percentage of Websites within Remediation Rate Ranges, Sorted by Industry)
    [Chart: share of websites per industry falling in each remediation rate band, 0 - 20%, 21% - 40%, 41% - 60%, 61% - 80%, 81% - 100%]
  • Remediation Rate (Sorted by Size of the Organization)
    [Chart; organization size categories: small (up to 150 employees), medium (150 - 2,500 employees), large (2,500 and over employees)]
  • Remediation Rate (Sorted by Industry and Organization Size)
    [Chart; values not recoverable from the transcript]
  • Why do vulnerabilities go unfixed?
    • No one at the organization understands or is responsible for maintaining the code.
    • Development group does not understand or respect the vulnerability.
    • Feature enhancements are prioritized ahead of security fixes.
    • Lack of budget to fix the issues.
    • Affected code is owned by an unresponsive third-party vendor.
    • Website will be decommissioned or replaced “soon.”
    • Risk of exploitation is accepted.
    • Solution conflicts with business use case.
    • Compliance does not require fixing the issue.
  • 1) Find your websites (all of them). Identifying an organization's complete Web presence is vital to a successful program. You can’t secure what you don’t know you own. Find out what websites there are, what they do, document the data they possess, who is responsible for them, and other helpful metadata.
    2) Website Valuation & Prioritization. Each website provides different value to an organization. Some process highly sensitive data, others contain only marketing brochure-ware. Some websites facilitate thousands of credit card transactions each day, others generate advertising revenue. When resources are limited, prioritization must focus on those assets offering the best risk-reducing return-on-investment consistent with business objectives.
    3) Adversaries & Risk Tolerance. Not all adversaries, those attempting to compromise websites, have the same technical capability or end-goal. Some adversaries are sentient, others are autonomous, and their methods are different, as is their target selection.
    4) Measure your current security posture. Vulnerability assessments and penetration tests are designed to simulate the technical capabilities of a given type of adversary (step #3) and measure the success they would have. Finding as many vulnerabilities as possible is a byproduct of the exercise.
    5) Remediation & Mitigation. From a risk management perspective it might be best to first fix a medium severity vulnerability on a main transactional website as opposed to a high severity issue in a non-critical system. Using the information obtained from steps 1 - 4, these decisions can be made with the confidence gained from the supporting data.
  • Questions? Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com