WhiteHat Security "Website Security Statistics Report" (Q1'09)

WhiteHat Security • 200+ enterprise customers • Start-ups to Fortune 500 • Flagship offering “WhiteHat Sentinel Service” • 1000’s of assessments performed annually • Recognized leader in website security • Quoted hundreds of times by the mainstream press © 2009 WhiteHat, Inc. | Page 2

Web Security #1 Threat The vast majority of websites possess serious vulnerabilities quot;82% of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity.” (WhiteHat Security, 2008) Malicious website breaches are occurring in record numbers “70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.” (Websense, 2009) PCI DSS Requirement 6.6 mandates application security “Ensure that web-facing applications are protected against known attacks by applying either of the following methods. A) Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security. Federal Trade Commission Fines and Investigations Over the last three years, the FTC has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information. © 2009 WhiteHat, Inc. | Page 3

WhiteHat Security - Website Risk Management • WhiteHat Sentinel Service • Unlimited website vulnerability assessment • SaaS-based, annual subscription model • Combination of proprietary scanning technology and expert operations team • 200+ enterprise customers • 1000’s of assessments performed annually from start-ups to Fortune 500 Sentinel PE - Configured assessment delivery including comprehensive manual testing for business logic issues. For high-risk websites with sensitive data and performs critical business functions. Sentinel SE - Configured assessment delivery with verified vulnerability reporting – designed for medium risk websites with complex functionality requiring extensive configuration. Sentinel BE - Self-service, automated assessment delivery with verified vulnerability reporting – designed for smaller, less complex, lower risk websites. © 2009 WhiteHat, Inc. | Page

WASC 24 (+2)* Classes of Attacks Business Logic: Humans Required Technical: Automation Can Identify Authentication Command Execution • Brute Force • Buffer Overflow • Format String Attack • Insufficient Authentication • LDAP Injection • Weak Password Recovery Validation • OS Commanding • CSRF* • SQL Injection • SSI Injection Authorization • XPath Injection • Credential/Session Prediction • Insufficient Authorization Information Disclosure • Insufficient Session Expiration • Directory Indexing • Information Leakage • Session Fixation • Path Traversal Logical Attacks • Predictable Resource Location • Abuse of Functionality Client-Side • Denial of Service • Content Spoofing • Insufficient Anti-automation • Cross-site Scripting • Insufficient Process Validation • HTTP Response Splitting* © 2009 WhiteHat, Inc. | Page 5

Data Set • Collection duration: January 1, 2006 to March 31, 2009 • Total websites: 1,031 • Identified vulnerabilities (custom web applications): 17,888 • Assessment frequency: ~Weekly • Vulnerability classes: WASC Threat Classification • Severity naming convention: PCI-DSS Key Findings • Unresolved vulnerabilities: 7,157 (60% resolution rate) • Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82% • Lifetime average number of vulnerabilities per website: 17 • Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63% • Current average of unresolved vulnerabilities per website: 7 Percentage likelihood of a website having a vulnerability by severity CRITICAL HIGH URGENT © 2009 WhiteHat, Inc. | Page 6

WhiteHat Security Top Ten Percentage likelihood of a website having a vulnerability by class Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Session Fixation Cross-Site Request Forgery Insufficient Authentication HTTP Response Splitting • Average number of inputs per website: 227 • Average ratio of vulnerability count / number of inputs: 2.58% © 2009 WhiteHat, Inc. | Page 7

Overall Vulnerability Population % of % of URL Extension websites vulnerabilities unknown 59% 40% asp 24% 25% aspx 23% 9% xml 10% 2% jsp 9% 8% do 7% 3% php 6% 3% html 4% 2% old 4% 1% dll 4% 1% cfm 3% 4% © 2009 WhiteHat, Inc. | Page 8

Industry Vertical Analysis Current Historical Decrease l l cia are a m ce ial ing tai Finan ices IT thc a rm e co ran c So ork Re rv eal Ph Tel Ins u Se H N etw Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by industry vertical © 2009 WhiteHat, Inc. | Page 9

Top 5 vulnerabilities by industry vertical. Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by class Retail Financial Services IT Healthcare Historical Current Historical Current Historical Current Historical Current Pharmaceutical Telecom Insurance Social Networking Historical Current Historical Current Historical Current Historical Current

Time-to-Fix (Days) - WhiteHat Top Ten Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Session Fixation Cross-Site Request Forgery Insufficient Authentication HTTP Response Splitting Best-case scenario: Not all vulnerabilities have been fixed... © 2009 WhiteHat, Inc. | Page 11

Resolution rate - Top 5 by Severity Class of Attack % resolved severity Cross Site Scripting 20% urgent Insufficient Authorization 19% urgent SQL Injection 30% urgent HTTP Response Splitting 75% urgent Directory Traversal 53% urgent Insufficient Authentication 38% critical Cross-Site Scripting 39% critical Abuse of Functionality 28% critical Cross-Site Request Forgery 45% critical Session Fixation 21% critical Brute Force 11% high Content Spoofing 25% high HTTP Response Splitting 30% high Information Leakage 29% high Predictable Resource Location 26% high © 2009 WhiteHat, Inc. | Page 12

The Long Tail of Website Vulnerability Testing 400 320 Vulnerable Websites 240 160 80 0 Vulnerability Checks 3,000 2,400 Verfied Vulnerabilities 1,800 1,200 600 0 Vulnerability Checks © 2009 WhiteHat, Inc. | Page 13

Threat Capabilities Threats / Attackers Fully Targeted Discover unlinked / hidden functionality Exercise business processes ‘The Analyzer’, allegedly hacked into a multiple financial institutions using SQL Injection to steal credit and debit card Customize Business Logic Flaw Exploits numbers that were then used by thieves in several countries to Leverage information leakage withdraw more than $1 million from ATMs. Interact with other customers Geeks.com, Guess, Petco, CardSystems, USC, etc. Perform multi-stage attacks Directed Opportunistic Authenticated crawling Cyber criminals use XSS vulnerabilities to create very Authenticated attacks convincing Phishing scams that appear on the real-website as Intelligent HTML form submission opposed to a fake. JavaScript malware steals victims session cookies and passwords. Test for technical vulnerabilities Y! Mail, PayPal, SunTrust, Italian Banks,etc Customize exploits SQL Injection (data extraction) Cross-Site Scripting (Phishing) Random Opportunistic With Mass SQL Injection automated worms insert malicious Unauthenticated crawling JavaScript IFRAMEs (pointing to malware servers) into back- end databases and used the capability to exploit unpatched Unauthenticated attacks Web browsers. According to Websense, “75 percent of Web Test all attack surface discovered sites with malicious code are legitimate sites that have been Destructive attacks compromised.” Automated HTML form submission SQL Injection (code insertion) Persistent Cross-Site Scripting Advanced Filter Evasion Techniques Generic exploits © 2009 WhiteHat, Inc. | Page 14

Operationalizing Website Security 1) Where do I start? Locate the websites you are responsible for 2) Where do I do next? Rank websites based upon business criticality Risk 3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted 4) What is our current security posture? Vulnerability assessments, pen-tests, traffic monitoring Resources What is your organizations 5) How best to improve our survivability? tolerance for risk (per website)? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc. © 2009 WhiteHat, Inc. | Page 15

Thank You! Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com WhiteHat Security http://www.whitehatsec.com/ © 2009 WhiteHat, Inc.

WhiteHat Security "Website Security Statistics Report" (Q1'09)

by Jeremiah Grossman on May 19, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 29

Statistics

WhiteHat Security "Website Security Statistics Report" (Q1’09) — Presentation Transcript