11th Website Security Statistics -- Presentation Slides (Q1 2011)
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

11th Website Security Statistics -- Presentation Slides (Q1 2011)

on

  • 4,001 views

Website attacks continue to prevail despite the best efforts of enterprises to fight them. Websites are an ongoing business concern and security must be assured all the time, not just at a point in ...

Website attacks continue to prevail despite the best efforts of enterprises to fight them. Websites are an ongoing business concern and security must be assured all the time, not just at a point in time. And yet, most websites were exposed to at least one serious vulnerability every day of 2010, leaving valuable corporate and customer date at risk. Why?

In this report, Jeremiah will explore a new way to measure website security, Windows of Exposure, that tracks an organization’s current and historical website security posture. Window of Exposure is a useful combination of vulnerability prevalence, how long vulnerabilities take to get fixed, and the percentage of them that are remediated. By carefully tracking these metrics, an organization can determine where resources would be best invested.

Using data from WhiteHat’s 11th Website Security Statistics Report, based on assessments of over 3,000 websites, Grossman will reveal the most secure (and insecure) vertical markets and the Windows of Exposure of each. Find out how your industry ranks, and the top ten vulnerabilities plaguing your peers. Learn how to determine which metrics are critical to increasing their remediation rates, thereby limiting their Window of Exposure. The good news is that companies that take this approach are increasing remediation rates by 5 percent per year.

Statistics

Views

Total Views
4,001
Views on SlideShare
3,960
Embed Views
41

Actions

Likes
0
Downloads
73
Comments
2

6 Embeds 41

http://paper.li 33
http://cesar1487.wikispaces.com 3
http://www.mongodb.org 2
http://twitter.com 1
http://www.mefeedia.com 1
http://a0.twimg.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • ritakoneh@hotmail.co.uk
    Hello My New friend
    My name is rita i saw your profile at(www.slideshare.net) and i love it i think we can click so please i will like you to email me back through my email address thus: so that i can told you more about me and give you my sweet picture so that you can know me will ok.
    Awaiting to see your lovely reply soonest.
    Miss rita ritakoneh@hotmail.co.uk
    Are you sure you want to
    Your message goes here
    Processing…
  • very good
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

11th Website Security Statistics -- Presentation Slides (Q1 2011) Presentation Transcript

  • 1. Top Website Vulnerabilities:Trends, Business Effects & How to Fight Them Jeremiah Grossman Founder & Chief Technology Officer Webcast 03.03.2011 © 2011 WhiteHat Security, Inc.
  • 2. Jeremiah Grossman• WhiteHat Security Founder & CTO• InfoWorlds CTO Top 25 for 2007• Co-founder of the Web Application Security Consortium• Co-author: Cross-Site Scripting Attacks• Former Yahoo! information security officer 2
  • 3. 400+ enterprise customers •Start-ups to Fortune 500Flagship offering “WhiteHat Sentinel Service” •Thousands of assessments performed annuallyRecognized leader in website security •Quoted thousands of times by the mainstream press 3
  • 4. WhiteHat Sentinel Premium Edition (PE) - Production Sites – typically assessed by Consultants - Automated + Manual Testing - Verified Results Standard Edition (SE) NEW Sentinel PL Edition - Internal Sites – typically assessed by scanning tools - Automated Testing - Verified Results NEW PreLaunch (PL) - Pre-Production / QA – typically assessed by tools - Fast / Configurable Automated Testing - Verified Results - Can Augment or replace Code Review Tools Baseline Edition (BE) - Broad Based Coverage – static content - Self-service Automated Testing - Verified Results © 2010 WhiteHat Security, Inc. | Page 4
  • 5. Vulnerability Coverage 5
  • 6. Data Set• Data collected from January 1, 2006 to February 16, 2011• ~500,000 verified Web application vulnerabilities (non-CVE)• Majority of websites assessed multiple times per month• Classified according to WASC Threat Classification"When you can measure what you are speaking about, and expressit in numbers, you know something about it, when you cannotexpress it in numbers, your knowledge is of a meager andunsatisfactory kind; it may be the beginning of knowledge, but youhave scarcely, in your thoughts advanced to the stage of science." - Lord Kelvin 6
  • 7. Lesson: 1Software will always have bugs and by extension, securityvulnerabilities. A practical goal for a secure softwaredevelopment lifecycle (SDLC) should be to reduce, notnecessarily eliminate, the number of vulnerabilities introducedand the severity of those that remain. Thank you Michael Howard (Microsoft) 7
  • 8. Lesson: 2Exploitation of just one website vulnerability is enough tosignificantly disrupt online business, cause data loss, shakecustomer confidence, and more. The earlier vulnerabilities areidentified and the faster they are remediated the shorter thewindow of opportunity for an attacker to maliciously exploitthem. 8
  • 9. The security posture of a website mustnot only be measured by the numberof vulnerabilities, but also must takeinto account remediation rates andtime-to-fix metrics. 9
  • 10. KPI: Window of ExposureNumber of days [in a year] a website is exposed to at least oneserious* reported vulnerability. Most websites were exposed to at least one serious* vulnerability every single day of 2010, or nearly so (9-12 months of the year). Only 16% of websites were vulnerable less than 30 days of the year overall.
  • 11. Vulnerability Counting• Vulnerabilities are counted by unique Web application and class of attack. If three of the five parameters of a single Web application (/foo/ webapp.cgi) are vulnerable to SQL Injection, this is counted as 3 individual vulnerabilities (e.g. attack vectors). If a single parameter can be exploited in more than one way, each of those are counted as well.*  Serious  Vulnerabili/es:  Those  vulnerabili/es  with  a  HIGH,  CRITICAL,  or  URGENT  severity  as  defined  by  PCI-­‐DSS  naming  conven/ons.  Exploita/on  could  lead  to  breach  or  data  loss. 11
  • 12. Average annual amount of new vulnerabilitiesintroduced per website by industry (2010)
  • 13. WhiteHat Security Top Ten (2010) Percentage likelihood of a website having at least one vulnerability sorted by class
  • 14. Top 7 Vulnerabilities by Industry (2010) Percentage likelihood of a website having at least one vulnerability sorted by class
  • 15. Time-to-Fix in Days by Industry (2010) On the average, 50% of organizations require 116 days or less toremediate their serious* vulnerabilities. The Banking industry being the fastest where 50% take under 13 days. The slowest is Telecommunications in that half need 205 days.
  • 16. Remediation Rates by Industry (Trend) A 5% improvement in the percentage of reported vulnerabilities that have been resolved during each of the last three years (2008, 2009, 2010), which now resides at 53%. Progress!
  • 17. 2010 at a Glance Number  of   Std.   Remedia/on   Window  of   Industry Std.  Dev Vulns Dev Rate Exposure  (Days) Overall 230 1652 53% 40% 233 Banking 30 54 71% 41% 74 Educa/on 80 144 40% 36% 164 Financial  Services 266 1935 41% 40% 184 Healthcare 33 87 48% 40% 133 Insurance 80 204 46% 37% 236 IT 111 313 50% 40% 221 Manufacturing 35 111 47% 40% 123 Retail 404 2275 66% 36% 328 Social  Networking 71 116 47% 34% 159 Telecommunica/ons 215 437 63% 40% 260
  • 18. Why do vulnerabilities go unfixed?• No one at the organization understands or is responsible for maintaining the code.• Development group does not understand or respects the vulnerability.• Feature enhancements are prioritized ahead of security fixes.• Lack of budget to fix the issues.• Affected code is owned by an unresponsive third-party vendor.• Website will be decommissioned or replaced “soon.”• Risk of exploitation is accepted.• Solution conflicts with business use case.• Compliance does not require fixing the issue. 18
  • 19. Lesson: 3Vulnerabilities do not exploit themselves. Someone orsomething, an attacker (or “threat”), uses an attack vector toexploit a vulnerability in a website, bypass a control, and causea technical or business impact. Some attackers are sentient,and others are autonomous. Different attackers have differentcapabilities and goals in mind. 19
  • 20. Lesson: 4Some organizations are targets of opportunity, others targets ofchoice.• Targets of opportunity are victimized when their security posture is weaker than the average organization and the data they possess can be converted easily into liquid currency.• Targets of opportunity possess some form of unique and valuable information that is particularly attractive to an attacker. 20
  • 21. If an organization is a target of opportunity, the goal of being ator above average with regard to website vulnerability numbersamong your peers is reasonable.If a target of choice, then the adversary is one who will spendwhatever time is necessary looking for gaps in the defenses toexploit. In this case, an organization must elevate its websitesecurity posture to a point where an attacker’s efforts aredetectable, preventable, and in case of compromise,survivable. 21
  • 22. Thank You! Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com 22