WhiteHat Security 8th Website Security Statistics Report

8th Website Security Statistics Report Full Report Available https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209 Jeremiah Grossman Founder & Chief Technology Officer Webinar 11.12.2009 © 2009 WhiteHat, Inc.

Jeremiah Grossman • Technology R&D and industry evangelist • InfoWorld's CTO Top 25 for 2007 • Frequent international conference speaker • Co-founder of the Web Application Security Consortium • Co-author: Cross-Site Scripting Attacks • Former Yahoo! information security officer © 2009 WhiteHat Security, Inc. | Page 2

WhiteHat Security • 250+ enterprise customers • Start-ups to Fortune 500 • Flagship offering “WhiteHat Sentinel Service” • 1000’s of assessments performed annually • Recognized leader in website security • Quoted thousands of times by the mainstream press © 2009 WhiteHat, Inc. | Page 3

WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed • Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost • Production Safe – No Performance Impact • Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point • Unlimited Assessments – Anytime websites change • Eliminates False Positives – Security Operations Team verifies all vulnerabilities • Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes © 2009 WhiteHat, Inc. | Page 4

Know Your Enemy Fully Targeted • Customize their own tools • Focused on business logic • Clever and proﬁt driven ($$$) Directed Opportunistic • Commercial / Open Source Tools • Authentication scans • Multi-step processes (forms) Random Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately © 2009 WhiteHat, Inc. | Page 5

Website Classes of Attacks Business Logic: Humans Required Technical: Automation Can Identify Authentication Command Execution • Brute Force • Buffer Overflow • Insufficient Authentication • Format String Attack • Weak Password Recovery Validation • LDAP Injection • CSRF* • OS Commanding • SQL Injection Authorization • SSI Injection • Credential/Session Prediction • XPath Injection • Insufficient Authorization • Insufficient Session Expiration Information Disclosure • Session Fixation • Directory Indexing • Information Leakage Logical Attacks • Path Traversal • Abuse of Functionality • Predictable Resource Location • Denial of Service • Insufficient Anti-automation Client-Side • Insufficient Process Validation • Content Spoofing • Cross-site Scripting • HTTP Response Splitting* © 2009 WhiteHat, Inc. | Page 6

Data Overview • 1,364 32% ↑ total websites • 22,776 4,888 ↑ verified custom web application vulnerabilities* • Data collected from January 1, 2006 to October 1, 2009 • Vast majority of websites assessed for vulnerabilities weekly • Vulnerabilities classified according to WASC Threat Classification • Vulnerability severity naming convention aligns with PCI-DSS • Average number of links per website: 766** • Average number of inputs (attack surface) per website: 246 • Average ratio of vulnerability count / number of inputs: 2.14% • Anti-Clickjacking X-FRAME-OPTIONS: 1 Technology Breakdown • HTTPOnly flag: 150 % of % of URL Extension websites vulnerabilities * Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/ unknown 62% 39% webapp.cgi), three of which are vulnerable to SQL Injection, it is aspx 23% 9% counted as one vulnerability (not three). asp 22% 24% ** WhiteHat Sentinel seeks to identify all of a websites externally xml 11% 2% available attack surface, which may or may not require spidering all jsp 10% 8% of its available links. do 6% 3% php 6% 3% html 5% 2% old 3% 1% cfm 3% 4% bak 3% 1% dll 2% 1% © 2009 WhiteHat, Inc. | Page 9 7

Key Findings All Websites • 83% of websites have had a HIGH, CRITICAL, or URGENT issue • 64% of websites currently have a HIGH, CRITICAL, or URGENT issue • 61% vulnerability resolution rate with 8,902 unresolved issues remaining • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7 • Average number of serious unresolved vulnerabilities per website: 6.5 SSL-Only Websites • 44% of websites are using SSL • 81% of websites have had a HIGH, CRITICAL, or URGENT issue • 58% of websites currently have a HIGH, CRITICAL, or URGENT issue • 58% vulnerability resolution rate among sample with 2,484 out of 5,863 historical vulnerabilities unresolved issues remaining • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7 • Average number of serious unresolved vulnerabilities per website: 4.1 Percentage likelihood of a website having a vulnerability by severity CRITICAL HIGH URGENT © 2009 WhiteHat, Inc. | Page

WhiteHat Security Top Ten Percentage likelihood of a website having a vulnerability by class Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality © 2009 WhiteHat, Inc. | Page 9

Vulnerability Population 63% 8% 7% 6% 5% 4% 4% 3% Cross-Site Content SQL Information Other Predictable HTTP Insufficient Scripting Spoofing Injection Leakage Resource Response Authorization Location Splitting © 2009 WhiteHat, Inc. | Page 10

Time-to-Fix (Days) Cross-Site Scripting 9↑ Information Leakage 7↓ Content Spoofing 16 ↑ Insufficient Authorization 15 ↓ SQL Injection 24 ↑ Pred. Res. Loc. 39 ↓ Cross-Site Request Forgery 37 ↑ Session Fixation 2↑ HTTP Response Splitting 5↓ Abuse of Functionality - * Up/down arrows indicate the increase or decrease since the last report. Best-case scenario: Not all vulnerabilities have been fixed... © 2009 WhiteHat, Inc. | Page 11

Resolution Rates Class of Attack % resolved Δ severity Cross Site Scripting 12% 8↓ urgent Insufficient Authorization 18% 1↓ urgent SQL Injection 40% 10 ↑ urgent HTTP Response Splitting 12% 15 ↓ urgent Directory Traversal 65% 12 ↑ urgent Insufficient Authentication 37% 1↓ critical Cross-Site Scripting 44% 5↑ critical Abuse of Functionality 14% 14 ↓ critical Cross-Site Request Forgery 39% 6↓ critical Session Fixation 31% 10 ↑ critical Brute Force 31% 20 ↑ high Content Spoofing 46% 21 ↑ high HTTP Response Splitting 32% 2↑ high Information Leakage 30% 21 ↑ high Predictable Resource Location 34% 8↑ high * Up/down arrows indicate the increase or decrease since the last report. © 2009 WhiteHat, Inc. | Page 12

Zero-Vulnerability Websites • 485 total websites • 17% of websites have never had a HIGH, CRITICAL, or URGENT issue • 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue • 1,800 verified custom web application vulnerabilities • Lifetime average number of vulnerabilities per website: 3.7 • Average number of inputs per website: 244 • Average ratio of vulnerability count / number of inputs: 2.11% Percentage likelihood of a website Technology Breakdown having a vulnerability by class # of % of URL Extension 1. Cross-Site Scripting (37.3%) websites vulnerabilities 2. Information Leakage (22.2%) unknown 33% 33% 3. Content Spoofing (10.7%) aspx 7% 10% 4. Predictable Resource Location (7.8%) asp 14% 25% 5. SQL Injection (7.4%) 6. Abuse of Functionality (4.3%) jsp 7% 9% 7. Insufficient Authorization (4.1%) do 7% 8% 8. Session Fixation (4.1%) html 2% 2% 9. Cross Site Request Forgery (3.7%) old 2% 2% 10. HTTP Response Splitting (3.1%) cfm 2% 3% © 2009 WhiteHat, Inc. | Page 13

Vulnerability Population Zero-Vulnerability Websites 62% 9% 8% 6% 6% 5% 4% Cross-Site Information Content SQL Predictable Cross-Site Other Scripting Leakage Spoofing Injection Resource Request Location Forgery © 2009 WhiteHat, Inc. | Page 14

Time-to-Fix (Days) Zero-Vulnerability Websites Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Pred. Res. Loc. Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality © 2009 WhiteHat, Inc. | Page 15

Industry Verticals 3↓ 3↑ 15 ↑ 1↑ 12 ↑ 6↑ - - 1↑ l l cia e ma cia ing tail an s IT car ar m nce So ork tio n Re Fin rvice th Ph eco sur a ca eal el In tw du Se H T Ne E * Up/down arrows indicate the increase or decrease since the last report. © 2009 WhiteHat, Inc. | Page 16

Operationalize 1) Where do I start? Locate the websites you are responsible for 2) Where do I do next? Rank websites based upon business criticality Risk 3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted 4) What is our current security posture? Vulnerability assessments, pen-tests, traffic Resources monitoring What is your organizations tolerance for risk (per website)? 5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc. © 2009 WhiteHat, Inc. | Page 17

Thank You! Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com WhiteHat Security http://www.whitehatsec.com/ © 2009 WhiteHat, Inc.

WhiteHat Security 8th Website Security Statistics Report

by Jeremiah Grossman on Nov 12, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 7

Statistics

WhiteHat Security 8th Website Security Statistics Report — Presentation Transcript