8th Website Security Statistics Report
Full Report Available: https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209

Jeremiah Grossman
Founder & Chief Technology Officer

Webinar
11.12.2009

© 2009 WhiteHat, Inc.
Jeremiah Grossman
• Technology R&D and industry evangelist
• InfoWorld's CTO Top 25 for 2007
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

WhiteHat Security
• 250+ enterprise customers
  • Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
  • 1000’s of assessments performed annually
• Recognized leader in website security
  • Quoted thousands of times by the mainstream press

WhiteHat Sentinel
Complete Website Vulnerability Management
Customer Controlled & Expert Managed

• Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost
• Production Safe – No Performance Impact
• Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point
• Unlimited Assessments – Anytime websites change
• Eliminates False Positives – Security Operations Team verifies all vulnerabilities
• Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes

Know Your Enemy

Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and profit driven ($$$)

Directed Opportunistic
• Commercial / Open Source Tools
• Authentication scans
• Multi-step processes (forms)

Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately

Website Classes of Attacks

Business Logic: Humans Required
Authentication
 • Brute Force
 • Insufficient Authentication
 • Weak Password Recovery Validation
 • CSRF*
Authorization
 • Credential/Session Prediction
 • Insufficient Authorization
 • Insufficient Session Expiration
 • Session Fixation
Logical Attacks
 • Abuse of Functionality
 • Denial of Service
 • Insufficient Anti-automation
 • Insufficient Process Validation

Technical: Automation Can Identify
Command Execution
 • Buffer Overflow
 • Format String Attack
 • LDAP Injection
 • OS Commanding
 • SQL Injection
 • SSI Injection
 • XPath Injection
Information Disclosure
 • Directory Indexing
 • Information Leakage
 • Path Traversal
 • Predictable Resource Location
Client-Side
 • Content Spoofing
 • Cross-site Scripting
 • HTTP Response Splitting*

Data Overview
• 1,364 total websites (32% ↑)
• 22,776 verified custom web application vulnerabilities* (4,888 ↑)
• Data collected from January 1, 2006 to October 1, 2009
• Vast majority of websites assessed for vulnerabilities weekly
• Vulnerabilities classified according to WASC Threat Classification
• Vulnerability severity naming convention aligns with PCI-DSS
• Average number of links per website: 766**
• Average number of inputs (attack surface) per website: 246
• Average ratio of vulnerability count / number of inputs: 2.14%
• Anti-Clickjacking X-FRAME-OPTIONS: 1
• HTTPOnly flag: 150

* Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).

** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.

Technology Breakdown
URL Extension   % of websites   % of vulnerabilities
unknown               62%                39%
aspx                  23%                 9%
asp                   22%                24%
xml                   11%                 2%
jsp                   10%                 8%
do                     6%                 3%
php                    6%                 3%
html                   5%                 2%
old                    3%                 1%
cfm                    3%                 4%
bak                    3%                 1%
dll                    2%                 1%

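The two defensive counts above (one site sending X-FRAME-OPTIONS, 150 setting HTTPOnly) are the kind of thing a defender can verify on their own sites without a scanner. The following is an added example, not code from the report or from WhiteHat: it parses a raw HTTP response head and reports whether a valid X-Frame-Options value is present and which cookies lack the HttpOnly attribute. The two sample responses are constructed, and the host and cookie values in them are hypothetical.

```python
"""Check a raw HTTP response for the two defences the Data Overview tallies:
an X-Frame-Options header (anti-clickjacking) and HttpOnly on cookies.
Added example; not WhiteHat's code."""
from typing import Dict, List, Tuple

# Values browsers honour; a misspelt or unknown value gives no protection.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Split the head of a raw response into (lowercased name, value) pairs,
    keeping repeated headers such as Set-Cookie as separate entries."""
    headers: List[Tuple[str, str]] = []
    for line in raw.strip().splitlines()[1:]:   # [0] is the status line
        if not line.strip():
            break                               # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw: str) -> Dict[str, object]:
    """Return the anti-clickjacking verdict and the cookies missing HttpOnly."""
    headers = parse_head(raw)
    xfo = [v for n, v in headers if n == "x-frame-options"]
    # The first X-Frame-Options value is the one checked; its first token
    # must be one of the recognised directives.
    anti_clickjacking = bool(xfo) and (xfo[0].split() or [""])[0].upper() in VALID_XFO

    missing_httponly: List[str] = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}      # attribute names are case-insensitive
        if "httponly" not in attrs:
            missing_httponly.append(cookie_name)
    return {"anti_clickjacking": anti_clickjacking,
            "cookies_missing_httponly": missing_httponly}


# Constructed responses (hypothetical cookie values), one hardened, one not.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/

<html>...</html>"""

UNPROTECTED = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0123456789; Path=/
"""

if __name__ == "__main__":
    print("hardened:   ", audit_response(HARDENED))
    print("unprotected:", audit_response(UNPROTECTED))
```

The hardened response still reports `theme` as missing HttpOnly; that is deliberate, since the check cannot know which cookies carry session state. The report counts websites that set the flag at all, so a reviewer applies the result per site, paying most attention to the session cookie.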
Key Findings
All Websites
• 83% of websites have had a HIGH, CRITICAL, or URGENT issue
• 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 61% vulnerability resolution rate with 8,902 unresolved issues remaining
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website
  during the vulnerability assessment lifetime: 16.7
• Average number of serious unresolved vulnerabilities per website: 6.5

SSL-Only Websites
• 44% of websites are using SSL
• 81% of websites have had a HIGH, CRITICAL, or URGENT issue
• 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 58% vulnerability resolution rate, with 2,484 of the 5,863 historical vulnerabilities in the sample still unresolved
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7
• Average number of serious unresolved vulnerabilities per website: 4.1

[Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH); bar values are not recoverable from the slide text.]

WhiteHat Security Top Ten
Percentage likelihood of a website having a vulnerability by class

1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Cross-Site Request Forgery
8. Session Fixation
9. HTTP Response Splitting
10. Abuse of Functionality

Vulnerability Population (share of all vulnerabilities by class)
• Cross-Site Scripting: 63%
• Content Spoofing: 8%
• SQL Injection: 7%
• Information Leakage: 6%
• Other: 5%
• Predictable Resource Location: 4%
• HTTP Response Splitting: 4%
• Insufficient Authorization: 3%

Time-to-Fix (Days)
Class of Attack               Days   Δ
Cross-Site Scripting             9   ↑
Information Leakage              7   ↓
Content Spoofing                16   ↑
Insufficient Authorization      15   ↓
SQL Injection                   24   ↑
Pred. Res. Loc.                 39   ↓
Cross-Site Request Forgery      37   ↑
Session Fixation                 2   ↑
HTTP Response Splitting          5   ↓
Abuse of Functionality           -
* Up/down arrows indicate the increase or decrease since the last report.

Best-case scenario: Not all vulnerabilities have been fixed...

Resolution Rates
              Class of Attack                    % resolved            Δ       severity
Cross Site Scripting                                   12%             8↓       urgent
Insufficient Authorization                             18%             1↓       urgent
SQL Injection                                          40%            10 ↑      urgent
HTTP Response Splitting                                12%            15 ↓      urgent
Directory Traversal                                    65%            12 ↑      urgent
Insufficient Authentication                            37%             1↓       critical
Cross-Site Scripting                                   44%             5↑       critical
Abuse of Functionality                                 14%            14 ↓      critical
Cross-Site Request Forgery                             39%             6↓       critical
Session Fixation                                       31%            10 ↑      critical
Brute Force                                            31%            20 ↑       high
Content Spoofing                                       46%            21 ↑       high
HTTP Response Splitting                                32%             2↑        high
Information Leakage                                    30%            21 ↑       high
Predictable Resource Location                          34%             8↑        high
* Up/down arrows indicate the increase or decrease since the last report.

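The figures on the Data Overview, Key Findings, Time-to-Fix and Resolution Rates slides all derive from the same raw material: per-parameter findings with open and close dates, collapsed by the counting rule in the Data Overview footnote (one vulnerability per web application and class of attack). The block below is an added example, not WhiteHat's code, showing how those metrics are computed from such findings. It assumes, beyond what the slides state, that a collapsed vulnerability counts as resolved only when every instance is closed and that its fix date is the last close; the sample findings, sites and dates are constructed.

```python
"""Vulnerability metrics in the style of the report's Data Overview,
Key Findings, Time-to-Fix and Resolution Rates slides, computed from
per-parameter findings. Added example; not WhiteHat's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Severities the report groups as "serious" (its HIGH/CRITICAL/URGENT band).
SERIOUS = {"URGENT", "CRITICAL", "HIGH"}

VulnKey = Tuple[str, str, str]  # (site, web application, class of attack)


@dataclass(frozen=True)
class Finding:
    """One vulnerable parameter, as a scanner or analyst would record it."""
    site: str
    app: str                        # e.g. "/foo/webapp.cgi"
    parameter: str
    vuln_class: str                 # WASC class of attack
    severity: str
    opened: date
    closed: Optional[date] = None   # None while the issue is still open


def dedupe(findings: List[Finding]) -> Dict[VulnKey, dict]:
    """Apply the report's counting rule: findings collapse into one
    vulnerability per (site, application, class), so three injectable
    parameters in /foo/webapp.cgi count once.
    Assumption (not stated on the slides): the vulnerability is resolved
    only when every instance is closed, and its fix date is the last close."""
    groups: Dict[VulnKey, List[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.site, f.app, f.vuln_class)].append(f)
    vulns: Dict[VulnKey, dict] = {}
    for key, group in groups.items():
        all_closed = all(f.closed is not None for f in group)
        vulns[key] = {
            "severity": group[0].severity,  # instances of one class share a severity
            "opened": min(f.opened for f in group),
            "closed": max(f.closed for f in group) if all_closed else None,
        }
    return vulns


def count_vulnerabilities(findings: List[Finding]) -> int:
    """Verified vulnerabilities under the footnote's counting rule."""
    return len(dedupe(findings))


def resolution_rate(findings: List[Finding]) -> float:
    """Share of vulnerabilities that are closed (the slides' '% resolved')."""
    vulns = dedupe(findings)
    resolved = sum(1 for v in vulns.values() if v["closed"] is not None)
    return resolved / len(vulns) if vulns else 0.0


def time_to_fix_by_class(findings: List[Finding]) -> Dict[str, float]:
    """Average days from first detection to fix, per class, over resolved
    vulnerabilities only. This is the 'best-case' caveat from the slide:
    open issues contribute nothing, so the averages understate exposure."""
    days: Dict[str, List[int]] = defaultdict(list)
    for (_site, _app, cls), v in dedupe(findings).items():
        if v["closed"] is not None:
            days[cls].append((v["closed"] - v["opened"]).days)
    return {cls: float(mean(d)) for cls, d in days.items()}


def serious_unresolved_per_site(findings: List[Finding]) -> Dict[str, int]:
    """Open HIGH/CRITICAL/URGENT vulnerabilities per website."""
    counts: Dict[str, int] = defaultdict(int)
    for (site, _app, _cls), v in dedupe(findings).items():
        if v["closed"] is None and v["severity"] in SERIOUS:
            counts[site] += 1
    return dict(counts)


# Constructed sample findings (hypothetical sites, paths and dates).
SAMPLE = [
    Finding("shop.example", "/foo/webapp.cgi", "id",   "SQL Injection", "URGENT", date(2009, 1, 5), date(2009, 1, 29)),
    Finding("shop.example", "/foo/webapp.cgi", "sort", "SQL Injection", "URGENT", date(2009, 1, 5), date(2009, 1, 29)),
    Finding("shop.example", "/foo/webapp.cgi", "q",    "SQL Injection", "URGENT", date(2009, 1, 5), date(2009, 1, 29)),
    Finding("shop.example", "/search", "q",    "Cross-Site Scripting", "URGENT", date(2009, 2, 1), date(2009, 2, 10)),
    Finding("shop.example", "/search", "lang", "Cross-Site Scripting", "URGENT", date(2009, 2, 1), None),
    Finding("bank.example", "/login", "next", "Cross-Site Scripting", "URGENT", date(2009, 3, 1), date(2009, 3, 10)),
    Finding("bank.example", "/admin", "-", "Insufficient Authorization", "CRITICAL", date(2009, 3, 1), None),
    Finding("bank.example", "/robots.txt", "-", "Information Leakage", "HIGH", date(2009, 3, 1), None),
]

if __name__ == "__main__":
    print("vulnerabilities:", count_vulnerabilities(SAMPLE))          # 5, not 8 findings
    print("resolution rate: %.0f%%" % (100 * resolution_rate(SAMPLE)))
    print("time-to-fix (days):", time_to_fix_by_class(SAMPLE))
    print("serious unresolved per site:", serious_unresolved_per_site(SAMPLE))
```

Note how the counting rule changes the picture: eight findings become five vulnerabilities, and the `/search` Cross-Site Scripting entry stays unresolved because one of its two parameters is still open, which is why per-finding and per-vulnerability resolution rates can differ on the same data.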
Zero-Vulnerability Websites
• 485 total websites
• 17% of websites have never had a HIGH, CRITICAL, or URGENT issue
• 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
• 1,800 verified custom web application vulnerabilities
• Lifetime average number of vulnerabilities per website: 3.7
• Average number of inputs per website: 244
• Average ratio of vulnerability count / number of inputs: 2.11%

Percentage likelihood of a website having a vulnerability by class
1. Cross-Site Scripting (37.3%)
2. Information Leakage (22.2%)
3. Content Spoofing (10.7%)
4. Predictable Resource Location (7.8%)
5. SQL Injection (7.4%)
6. Abuse of Functionality (4.3%)
7. Insufficient Authorization (4.1%)
8. Session Fixation (4.1%)
9. Cross Site Request Forgery (3.7%)
10. HTTP Response Splitting (3.1%)

Technology Breakdown
URL Extension   % of websites   % of vulnerabilities
unknown               33%                33%
aspx                   7%                10%
asp                   14%                25%
jsp                    7%                 9%
do                     7%                 8%
html                   2%                 2%
old                    2%                 2%
cfm                    2%                 3%

Vulnerability Population (Zero-Vulnerability Websites; share of all vulnerabilities by class)
• Cross-Site Scripting: 62%
• Other: 9%
• Information Leakage: 8%
• Content Spoofing: 6%
• SQL Injection: 6%
• Predictable Resource Location: 5%
• Cross-Site Request Forgery: 4%

Time-to-Fix (Days), Zero-Vulnerability Websites
[Chart; day values are not recoverable from the slide text. Classes shown: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc., Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality.]

Industry Verticals
[Chart; bar values are not recoverable from the slide text. Change since the last report, per vertical: Retail 1↑, Financial Services -, IT 1↑, Healthcare 6↑, Pharma -, Telecom 12↑, Insurance 15↑, Social Networking 3↓, Education 3↑.]
* Up/down arrows indicate the increase or decrease since the last report.

Operationalize
1) Where do I start?
Locate the websites you are responsible for

2) What do I do next?
Rank websites based upon business criticality

3) What should I be concerned about first?
Random Opportunistic, Directed Opportunistic, Fully Targeted

4) What is our current security posture?
Vulnerability assessments, pen-tests, traffic monitoring

5) How best to improve our survivability?
SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.

[Diagram: Risk versus Resources; caption "What is your organization's tolerance for risk (per website)?"]

Website Risk Management Infrastructure
[Diagram only; no text recoverable from the slide.]

Thank You!
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com

WhiteHat Security
http://www.whitehatsec.com/

Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

WhiteHat Security 8th Website Security Statistics Report

  • 5. Know Your Enemy
    Fully Targeted
      • Customize their own tools
      • Focused on business logic
      • Clever and profit driven ($$$)
    Directed Opportunistic
      • Commercial / Open Source Tools
      • Authentication scans
      • Multi-step processes (forms)
    Random Opportunistic
      • Fully automated scripts
      • Unauthenticated scans
      • Targets chosen indiscriminately
  • 6. Website Classes of Attacks
    Business Logic: Humans Required
      Authentication
        • Brute Force
        • Insufficient Authentication
        • Weak Password Recovery Validation
        • CSRF*
      Authorization
        • Credential/Session Prediction
        • Insufficient Authorization
        • Insufficient Session Expiration
        • Session Fixation
      Logical Attacks
        • Abuse of Functionality
        • Denial of Service
        • Insufficient Anti-automation
        • Insufficient Process Validation
    Technical: Automation Can Identify
      Command Execution
        • Buffer Overflow
        • Format String Attack
        • LDAP Injection
        • OS Commanding
        • SQL Injection
        • SSI Injection
        • XPath Injection
      Information Disclosure
        • Directory Indexing
        • Information Leakage
        • Path Traversal
        • Predictable Resource Location
      Client-Side
        • Content Spoofing
        • Cross-site Scripting
        • HTTP Response Splitting*
  • 7. Data Overview
    • 1,364 total websites (32% ↑)
    • 22,776 verified custom web application vulnerabilities* (4,888 ↑)
    • Data collected from January 1, 2006 to October 1, 2009
    • Vast majority of websites assessed for vulnerabilities weekly
    • Vulnerabilities classified according to WASC Threat Classification
    • Vulnerability severity naming convention aligns with PCI-DSS
    • Average number of links per website: 766**
    • Average number of inputs (attack surface) per website: 246
    • Average ratio of vulnerability count / number of inputs: 2.14%
    • Anti-Clickjacking X-FRAME-OPTIONS: 1
    • HTTPOnly flag: 150
    Technology Breakdown
      URL Extension   % of websites   % of vulnerabilities
      unknown         62%             39%
      aspx            23%              9%
      asp             22%             24%
      xml             11%              2%
      jsp             10%              8%
      do               6%              3%
      php              6%              3%
      html             5%              2%
      old              3%              1%
      cfm              3%              4%
      bak              3%              1%
      dll              2%              1%
    * Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).
    ** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.
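Slide 7 counts how many of the assessed websites set X-FRAME-OPTIONS and the HttpOnly cookie flag. As an added example, not code from the slides or from WhiteHat Sentinel, the Python below audits a captured HTTP response for those two defensive flags; the two responses are constructed samples.

```python
"""Check a raw HTTP/1.x response for the two flags slide 7 counts:
X-Frame-Options (anti-clickjacking) and HttpOnly on every Set-Cookie.
Added illustration only; WEAK and HARDENED are constructed responses."""

# Constructed sample responses (not captured from any real site).
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
        "\r\n<html></html>")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n"
            "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
            "\r\n<html></html>")


def parse_response(raw):
    """Split a raw response into (status line, [(lower-cased name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(raw):
    """Return a list of weaknesses found; an empty list means both flags are set."""
    _status, headers = parse_response(raw)
    findings = []
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options (clickjacking exposure)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN") and not xfo[0].upper().startswith("ALLOW-FROM"):
        findings.append("unrecognised X-Frame-Options value: " + xfo[0])
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive (RFC 6265).
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie " + cookie_name + " lacks HttpOnly")
    return findings


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK))
    print("hardened:", audit_headers(HARDENED))
```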
  • 8. Key Findings
    All Websites
      • 83% of websites have had a HIGH, CRITICAL, or URGENT issue
      • 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
      • 61% vulnerability resolution rate, with 8,902 unresolved issues remaining
      • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
      • Average number of serious unresolved vulnerabilities per website: 6.5
    SSL-Only Websites
      • 44% of websites are using SSL
      • 81% of websites have had a HIGH, CRITICAL, or URGENT issue
      • 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
      • 58% vulnerability resolution rate among the sample, with 2,484 out of 5,863 historical vulnerabilities remaining unresolved
      • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7
      • Average number of serious unresolved vulnerabilities per website: 4.1
    Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH)
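The footnote on slide 7 defines how the report counts vulnerabilities (one per unique web application and class of attack, regardless of how many parameters are affected), and slide 8 derives a resolution rate and a vulnerabilities-per-input ratio from those counts. As an added example, not WhiteHat Sentinel code, the Python below applies that counting rule to a constructed set of per-parameter findings; the assumption that an aggregated vulnerability is resolved only when every underlying finding is fixed is mine, not the report's.

```python
"""Vulnerability counting under the rule in the slide 7 footnote.
Added illustration; SAMPLE_FINDINGS and SAMPLE_INPUTS are constructed data."""
from collections import defaultdict

# Constructed per-parameter findings: (site, app, param, class, severity, resolved).
# The three SQL Injection parameters on /foo/webapp.cgi mirror the slide's example.
SAMPLE_FINDINGS = [
    ("shop.example", "/foo/webapp.cgi", "id",   "SQL Injection",        "urgent",   True),
    ("shop.example", "/foo/webapp.cgi", "sort", "SQL Injection",        "urgent",   False),
    ("shop.example", "/foo/webapp.cgi", "q",    "SQL Injection",        "urgent",   False),
    ("shop.example", "/foo/webapp.cgi", "q",    "Cross-Site Scripting", "critical", True),
    ("shop.example", "/search.aspx",    "term", "Cross-Site Scripting", "critical", False),
    ("bank.example", "/login.do",       "user", "Brute Force",          "high",     True),
]
# Constructed attack-surface sizes: number of inputs per site.
SAMPLE_INPUTS = {"shop.example": 246, "bank.example": 100}


def count_vulnerabilities(findings):
    """Collapse per-parameter findings to one entry per (site, app, class).

    Value is True only if every finding under that key is resolved (assumption).
    """
    vulns = {}
    for site, app, _param, cls, _severity, resolved in findings:
        key = (site, app, cls)
        vulns[key] = vulns.get(key, True) and resolved
    return vulns


def resolution_rate(vulns):
    """Return (resolved, total, percent resolved) over the counted vulnerabilities."""
    total = len(vulns)
    resolved = sum(1 for fixed in vulns.values() if fixed)
    pct = round(100.0 * resolved / total, 1) if total else 0.0
    return resolved, total, pct


def vulns_per_input(vulns, inputs):
    """Per-site ratio of counted vulnerabilities to inputs, as a percentage."""
    per_site = defaultdict(int)
    for site, _app, _cls in vulns:
        per_site[site] += 1
    return {site: round(100.0 * per_site[site] / n, 2) for site, n in inputs.items()}


if __name__ == "__main__":
    counted = count_vulnerabilities(SAMPLE_FINDINGS)
    print(len(counted), "vulnerabilities", resolution_rate(counted), vulns_per_input(counted, SAMPLE_INPUTS))
```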
  • 9. WhiteHat Security Top Ten
    Percentage likelihood of a website having a vulnerability by class
      1. Cross-Site Scripting
      2. Information Leakage
      3. Content Spoofing
      4. Insufficient Authorization
      5. SQL Injection
      6. Predictable Resource Location
      7. Cross-Site Request Forgery
      8. Session Fixation
      9. HTTP Response Splitting
      10. Abuse of Functionality
  • 10. Vulnerability Population
      Cross-Site Scripting             63%
      Content Spoofing                  8%
      SQL Injection                     7%
      Information Leakage               6%
      Other                             5%
      Predictable Resource Location     4%
      HTTP Response Splitting           4%
      Insufficient Authorization        3%
  • 11. Time-to-Fix (Days)
      Cross-Site Scripting            9 ↑
      Information Leakage             7 ↓
      Content Spoofing               16 ↑
      Insufficient Authorization     15 ↓
      SQL Injection                  24 ↑
      Pred. Res. Loc.                39 ↓
      Cross-Site Request Forgery     37 ↑
      Session Fixation                2 ↑
      HTTP Response Splitting         5 ↓
      Abuse of Functionality          -
    * Up/down arrows indicate the increase or decrease since the last report.
    Best-case scenario: Not all vulnerabilities have been fixed...
  • 12. Resolution Rates
      Class of Attack                 % resolved   Δ      severity
      Cross Site Scripting            12%           8 ↓   urgent
      Insufficient Authorization      18%           1 ↓   urgent
      SQL Injection                   40%          10 ↑   urgent
      HTTP Response Splitting         12%          15 ↓   urgent
      Directory Traversal             65%          12 ↑   urgent
      Insufficient Authentication     37%           1 ↓   critical
      Cross-Site Scripting            44%           5 ↑   critical
      Abuse of Functionality          14%          14 ↓   critical
      Cross-Site Request Forgery      39%           6 ↓   critical
      Session Fixation                31%          10 ↑   critical
      Brute Force                     31%          20 ↑   high
      Content Spoofing                46%          21 ↑   high
      HTTP Response Splitting         32%           2 ↑   high
      Information Leakage             30%          21 ↑   high
      Predictable Resource Location   34%           8 ↑   high
    * Up/down arrows indicate the increase or decrease since the last report.
  • 13. Zero-Vulnerability Websites
    • 485 total websites
    • 17% of websites have never had a HIGH, CRITICAL, or URGENT issue
    • 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
    • 1,800 verified custom web application vulnerabilities
    • Lifetime average number of vulnerabilities per website: 3.7
    • Average number of inputs per website: 244
    • Average ratio of vulnerability count / number of inputs: 2.11%
    Percentage likelihood of a website having a vulnerability by class
      1. Cross-Site Scripting (37.3%)
      2. Information Leakage (22.2%)
      3. Content Spoofing (10.7%)
      4. Predictable Resource Location (7.8%)
      5. SQL Injection (7.4%)
      6. Abuse of Functionality (4.3%)
      7. Insufficient Authorization (4.1%)
      8. Session Fixation (4.1%)
      9. Cross Site Request Forgery (3.7%)
      10. HTTP Response Splitting (3.1%)
    Technology Breakdown
      URL Extension   % of websites   % of vulnerabilities
      unknown         33%             33%
      aspx             7%             10%
      asp             14%             25%
      jsp              7%              9%
      do               7%              8%
      html             2%              2%
      old              2%              2%
      cfm              2%              3%
  • 14. Vulnerability Population: Zero-Vulnerability Websites
      Cross-Site Scripting             62%
      Information Leakage               9%
      Content Spoofing                  8%
      SQL Injection                     6%
      Predictable Resource Location     6%
      Cross-Site Request Forgery        5%
      Other                             4%
  • 15. Time-to-Fix (Days): Zero-Vulnerability Websites
    Chart by class (values not present in the extracted text): Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc., Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality
  • 16. Industry Verticals
    Chart by industry vertical; bars labelled 3↓ 3↑ 15↑ 1↑ 12↑ 6↑ - - 1↑ for the verticals Social Networking, Education, Retail, Financial Services, Healthcare, Pharma, Telecom, Insurance and IT (the rotated axis labels did not survive extraction in order)
    * Up/down arrows indicate the increase or decrease since the last report.
  • 17. Operationalize
    1) Where do I start? Locate the websites you are responsible for
    2) Where do I go next? Rank websites based upon business criticality
    3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted
    4) What is our current security posture? Vulnerability assessments, pen-tests, traffic monitoring
    5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.
    Chart axes: Risk vs. Resources. What is your organization's tolerance for risk (per website)?
  • 18. Website Risk Management Infrastructure (diagram-only slide)
  • 19. (image-only slide)
  • 20. Thank You!
    Jeremiah Grossman
    Blog: http://jeremiahgrossman.blogspot.com/
    Twitter: http://twitter.com/jeremiahg
    Email: jeremiah@whitehatsec.com
    WhiteHat Security: http://www.whitehatsec.com/
    © 2009 WhiteHat, Inc.