WhiteHat Security 8th Website Security Statistics Report

    WhiteHat Security 8th Website Security Statistics Report - Presentation Transcript

    1. 8th Website Security Statistics Report
       Full Report Available: https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209
       Jeremiah Grossman, Founder & Chief Technology Officer
       Webinar 11.12.2009
       © 2009 WhiteHat, Inc.
    2. Jeremiah Grossman
       • Technology R&D and industry evangelist
       • InfoWorld's CTO Top 25 for 2007
       • Frequent international conference speaker
       • Co-founder of the Web Application Security Consortium
       • Co-author: Cross-Site Scripting Attacks
       • Former Yahoo! information security officer
    3. WhiteHat Security
       • 250+ enterprise customers
       • Start-ups to Fortune 500
       • Flagship offering “WhiteHat Sentinel Service”
       • 1000’s of assessments performed annually
       • Recognized leader in website security
       • Quoted thousands of times by the mainstream press
    4. WhiteHat Sentinel: Complete Website Vulnerability Management
       Customer Controlled & Expert Managed
       • Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost
       • Production Safe – No performance impact
       • Full Coverage – On-going testing for business logic flaws and technical vulnerabilities; uses the WASC 24 classes of attacks as reference point
       • Unlimited Assessments – Anytime websites change
       • Eliminates False Positives – Security Operations Team verifies all vulnerabilities
       • Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes
    5. Know Your Enemy
       Fully Targeted
       • Customize their own tools
       • Focused on business logic
       • Clever and profit driven ($$$)
       Directed Opportunistic
       • Commercial / Open Source Tools
       • Authentication scans
       • Multi-step processes (forms)
       Random Opportunistic
       • Fully automated scripts
       • Unauthenticated scans
       • Targets chosen indiscriminately
    6. Website Classes of Attacks
       Business Logic: Humans Required
       Authentication
       • Brute Force
       • Insufficient Authentication
       • Weak Password Recovery Validation
       • CSRF*
       Authorization
       • Credential/Session Prediction
       • Insufficient Authorization
       • Insufficient Session Expiration
       • Session Fixation
       Logical Attacks
       • Abuse of Functionality
       • Denial of Service
       • Insufficient Anti-automation
       • Insufficient Process Validation
       Technical: Automation Can Identify
       Command Execution
       • Buffer Overflow
       • Format String Attack
       • LDAP Injection
       • OS Commanding
       • SQL Injection
       • SSI Injection
       • XPath Injection
       Information Disclosure
       • Directory Indexing
       • Information Leakage
       • Path Traversal
       • Predictable Resource Location
       Client-Side
       • Content Spoofing
       • Cross-site Scripting
       • HTTP Response Splitting*
    7. Data Overview
       • 1,364 total websites (32% ↑)
       • 22,776 verified custom web application vulnerabilities* (4,888 ↑)
       • Data collected from January 1, 2006 to October 1, 2009
       • Vast majority of websites assessed for vulnerabilities weekly
       • Vulnerabilities classified according to WASC Threat Classification
       • Vulnerability severity naming convention aligns with PCI-DSS
       • Average number of links per website: 766**
       • Average number of inputs (attack surface) per website: 246
       • Average ratio of vulnerability count / number of inputs: 2.14%
       • Anti-Clickjacking X-FRAME-OPTIONS: 1
       • HTTPOnly flag: 150
       Technology Breakdown (URL Extension | % of websites | % of vulnerabilities)
       unknown | 62% | 39%
       aspx    | 23% |  9%
       asp     | 22% | 24%
       xml     | 11% |  2%
       jsp     | 10% |  8%
       do      |  6% |  3%
       php     |  6% |  3%
       html    |  5% |  2%
       old     |  3% |  1%
       cfm     |  3% |  4%
       bak     |  3% |  1%
       dll     |  2% |  1%
       * Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).
       ** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.
    8. Key Findings
       All Websites
       • 83% of websites have had a HIGH, CRITICAL, or URGENT issue
       • 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
       • 61% vulnerability resolution rate, with 8,902 unresolved issues remaining
       • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
       • Average number of serious unresolved vulnerabilities per website: 6.5
       SSL-Only Websites
       • 44% of websites are using SSL
       • 81% of websites have had a HIGH, CRITICAL, or URGENT issue
       • 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
       • 58% vulnerability resolution rate among the sample, with 2,484 out of 5,863 historical vulnerabilities remaining unresolved
       • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7
       • Average number of serious unresolved vulnerabilities per website: 4.1
       [Chart: Percentage likelihood of a website having a vulnerability by severity: CRITICAL, HIGH, URGENT]
    9. WhiteHat Security Top Ten
       Percentage likelihood of a website having a vulnerability by class
       1. Cross-Site Scripting
       2. Information Leakage
       3. Content Spoofing
       4. Insufficient Authorization
       5. SQL Injection
       6. Predictable Resource Location
       7. Cross-Site Request Forgery
       8. Session Fixation
       9. HTTP Response Splitting
       10. Abuse of Functionality
    10. Vulnerability Population
       • Cross-Site Scripting: 63%
       • Content Spoofing: 8%
       • SQL Injection: 7%
       • Information Leakage: 6%
       • Other: 5%
       • Predictable Resource Location: 4%
       • HTTP Response Splitting: 4%
       • Insufficient Authorization: 3%
    11. Time-to-Fix (Days)
       • Cross-Site Scripting: 9 ↑
       • Information Leakage: 7 ↓
       • Content Spoofing: 16 ↑
       • Insufficient Authorization: 15 ↓
       • SQL Injection: 24 ↑
       • Pred. Res. Loc.: 39 ↓
       • Cross-Site Request Forgery: 37 ↑
       • Session Fixation: 2 ↑
       • HTTP Response Splitting: 5 ↓
       • Abuse of Functionality: -
       * Up/down arrows indicate the increase or decrease since the last report.
       Best-case scenario: Not all vulnerabilities have been fixed...
    12. Resolution Rates
       Class of Attack | % resolved | Δ | Severity
       Cross Site Scripting | 12% | 8 ↓ | urgent
       Insufficient Authorization | 18% | 1 ↓ | urgent
       SQL Injection | 40% | 10 ↑ | urgent
       HTTP Response Splitting | 12% | 15 ↓ | urgent
       Directory Traversal | 65% | 12 ↑ | urgent
       Insufficient Authentication | 37% | 1 ↓ | critical
       Cross-Site Scripting | 44% | 5 ↑ | critical
       Abuse of Functionality | 14% | 14 ↓ | critical
       Cross-Site Request Forgery | 39% | 6 ↓ | critical
       Session Fixation | 31% | 10 ↑ | critical
       Brute Force | 31% | 20 ↑ | high
       Content Spoofing | 46% | 21 ↑ | high
       HTTP Response Splitting | 32% | 2 ↑ | high
       Information Leakage | 30% | 21 ↑ | high
       Predictable Resource Location | 34% | 8 ↑ | high
       * Up/down arrows indicate the increase or decrease since the last report.
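    As an added example (not code from the report or from WhiteHat), the following shows how the counting rule in the slide 7 footnote, the serious-issue and resolution figures on slide 8, and the time-to-fix and resolution-rate figures on slides 11 and 12 can be derived from raw scanner findings. The site names, findings, dates and input counts are constructed sample data, not figures from the report.

```python
from datetime import date

# Constructed sample findings (not data from the report): one row per vulnerable parameter,
# as a scanner emits them before the report's de-duplication rule is applied.
# Fields: site, web application, parameter, class of attack, severity, opened, closed
FINDINGS = [
    ("shop", "/foo/webapp.cgi", "id",   "SQL Injection",        "urgent",   date(2009, 9, 1), date(2009, 9, 25)),
    ("shop", "/foo/webapp.cgi", "q",    "SQL Injection",        "urgent",   date(2009, 9, 1), None),
    ("shop", "/foo/webapp.cgi", "sort", "SQL Injection",        "urgent",   date(2009, 9, 1), None),
    ("shop", "/foo/webapp.cgi", "q",    "Cross-Site Scripting", "critical", date(2009, 9, 1), date(2009, 9, 10)),
    ("shop", "/about.asp",      "msg",  "Content Spoofing",     "high",     date(2009, 9, 3), None),
    ("blog", "/search.php",     "s",    "Cross-Site Scripting", "critical", date(2009, 9, 5), date(2009, 9, 14)),
    ("wiki", "/index.do",       "page", "Information Leakage",  "medium",   date(2009, 9, 5), None),
]
INPUTS_PER_SITE = {"shop": 40, "blog": 30, "wiki": 30}  # constructed attack-surface sizes
SERIOUS = {"high", "critical", "urgent"}                  # the report's HIGH/CRITICAL/URGENT tiers


def dedupe(findings):
    """One vulnerability per (site, web application, class of attack): three SQL-injectable
    parameters in /foo/webapp.cgi count once, exactly as the report's footnote describes."""
    vulns = {}
    for site, app, _param, cls, sev, opened, closed in findings:
        key = (site, app, cls)
        if key not in vulns:
            vulns[key] = {"severity": sev, "opened": opened, "closed": closed}
            continue
        prev = vulns[key]["closed"]
        # A collapsed vulnerability stays open while any parameter is unfixed; otherwise it
        # closed when the last parameter was fixed.
        vulns[key]["closed"] = None if prev is None or closed is None else max(prev, closed)
    return vulns


def metrics(findings, inputs_per_site):
    """Report-style figures: vulnerability count, share of sites that ever / currently have a
    serious issue, resolution rate, vulnerability-to-input ratio and mean time-to-fix."""
    vulns = dedupe(findings)
    serious = {k: v for k, v in vulns.items() if v["severity"] in SERIOUS}
    ever = {site for (site, _, _) in serious}
    now = {site for (site, _, _), v in serious.items() if v["closed"] is None}
    fixed = [v for v in vulns.values() if v["closed"] is not None]
    days = [(v["closed"] - v["opened"]).days for v in fixed]
    return {
        "vulnerabilities": len(vulns),
        "pct_sites_ever_serious": round(100 * len(ever) / len(inputs_per_site), 1),
        "pct_sites_now_serious": round(100 * len(now) / len(inputs_per_site), 1),
        "resolution_rate_pct": round(100 * len(fixed) / len(vulns), 1),
        "vuln_to_input_ratio_pct": round(100 * len(vulns) / sum(inputs_per_site.values()), 2),
        "avg_time_to_fix_days": round(sum(days) / len(days), 1) if days else None,
    }
```

    The seven constructed findings collapse to five vulnerabilities; the three SQL-injectable parameters in /foo/webapp.cgi count once and stay open because two of them are unfixed.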
    13. Zero-Vulnerability Websites
       • 485 total websites
       • 17% of websites have never had a HIGH, CRITICAL, or URGENT issue
       • 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
       • 1,800 verified custom web application vulnerabilities
       • Lifetime average number of vulnerabilities per website: 3.7
       • Average number of inputs per website: 244
       • Average ratio of vulnerability count / number of inputs: 2.11%
       Percentage likelihood of a website having a vulnerability by class
       1. Cross-Site Scripting (37.3%)
       2. Information Leakage (22.2%)
       3. Content Spoofing (10.7%)
       4. Predictable Resource Location (7.8%)
       5. SQL Injection (7.4%)
       6. Abuse of Functionality (4.3%)
       7. Insufficient Authorization (4.1%)
       8. Session Fixation (4.1%)
       9. Cross Site Request Forgery (3.7%)
       10. HTTP Response Splitting (3.1%)
       Technology Breakdown (URL Extension | % of websites | % of vulnerabilities)
       unknown | 33% | 33%
       aspx    |  7% | 10%
       asp     | 14% | 25%
       jsp     |  7% |  9%
       do      |  7% |  8%
       html    |  2% |  2%
       old     |  2% |  2%
       cfm     |  2% |  3%
    14. Vulnerability Population – Zero-Vulnerability Websites
       • Cross-Site Scripting: 62%
       • Information Leakage: 9%
       • Content Spoofing: 8%
       • SQL Injection: 6%
       • Predictable Resource Location: 6%
       • Cross-Site Request Forgery: 5%
       • Other: 4%
    15. Time-to-Fix (Days) – Zero-Vulnerability Websites
       [Chart; values not transcribed. Classes charted: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc., Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality]
    16. Industry Verticals
       [Chart; per-vertical values not transcribed. Verticals charted: Social Networking, Pharmaceutical, Financial Services, Retail, IT, Healthcare, Telecom, Insurance, Education. Change markers shown on the chart, in chart order: 3 ↓, 3 ↑, 15 ↑, 1 ↑, 12 ↑, 6 ↑, -, -, 1 ↑]
       * Up/down arrows indicate the increase or decrease since the last report.
    17. Operationalize
       1) Where do I start? Locate the websites you are responsible for.
       2) What do I do next? Rank websites based upon business criticality.
       3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted.
       4) What is our current security posture? Vulnerability assessments, pen-tests, traffic monitoring. What is your organization's tolerance for risk (per website)?
       5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.
       [Diagram axes: Risk, Resources]
    18. Website Risk Management Infrastructure
    19. (untitled slide; no transcribed text)
    20. Thank You!
       Jeremiah Grossman
       Blog: http://jeremiahgrossman.blogspot.com/
       Twitter: http://twitter.com/jeremiahg
       Email: jeremiah@whitehatsec.com
       WhiteHat Security: http://www.whitehatsec.com/
    License: CC Attribution-NonCommercial-NoDerivs