
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)

WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.

Website security is an ever-moving target. New website launches are common, new code is released constantly, and new web technologies are created and adopted every day; as a result, new attack techniques that can put every online business at risk are frequently disclosed. To stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.

To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom web applications (code that is unique to an organization) found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.

  1. Where Flow Charts Don’t Go: An Examination of Web Application Security Process Management. Jeremiah Grossman, Founder, WhiteHat Security, Inc. Twitter: @jeremiahg. © 2015 WhiteHat Security, Inc.
  2. Jeremiah Grossman: 15 years of application security; Brazilian Jiu-Jitsu black belt.
  3. WhiteHat Security: We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed before the bad guys exploit them. Founded: 2001. Headquarters: Santa Clara, CA. Employees: 300+.
  4. Metric Definitions
      - Average time to fix: average number of days to fix a vulnerability.
      - Remediation Rate: number of closed vulnerabilities divided by number of open vulnerabilities.
      - Days Open: average number of days a vulnerability has been open.
      - Vulnerability Class Likelihood: number of sites that have at least one open vulnerability in a given class over the total number of active sites.
      - Window of Exposure: number of days a site had at least one serious vulnerability open over the analysis period.
      - Serious Vulnerability: a vulnerability with a severity of 3 or greater as defined by WhiteHat’s Vulnerability Classification System.
  5. Vulnerability Likelihood and Windows of Exposure (section title)
  6. Vulnerability Likelihood (chart)
  7. Vulnerability Likelihood
      - Likelihood of Insufficient Transport Layer Protection has increased in recent years (70% likelihood in 2014).
      - Content Spoofing, XSS and Fingerprinting have declined in recent years:
          - Content Spoofing: 38% in 2010 to 26% in 2014
          - Cross-site scripting: 55% in 2010 to 47% in 2014
          - Fingerprinting: 23% in 2012 to 5% in 2014
  8. Windows of Exposure Analysis
      - A large percentage of websites are always vulnerable.
      - 60% of all Retail websites are always vulnerable.
      - 52% of all Healthcare and Social Assistance sites are always vulnerable.
      - 38% of all Information Technology websites are always vulnerable.
      - 39% of all Finance and Insurance websites are always vulnerable.
      - Chart: window of exposure by industry (Finance and Insurance, Health Care and Social Assistance, Information, Retail Trade), grouped as Rarely Vulnerable (30 days or less a year), Occasionally Vulnerable (31-150 days a year), Regularly Vulnerable (151-270 days a year), Frequently Vulnerable (271-364 days a year) and always vulnerable.
  9. Maturity Metrics Analysis (section title)
  10. Sentinel Customer Survey Overview
      - The analysis is based on 118 responses to a survey sent to security professionals to measure the maturity of application security programs at various organizations.
      - The survey responses are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
      - Active Customers: ~700; Fortune 500: 63; Commercial Banks: 7 of the Top 18; Largest Banks: 10 of the Top 50; Software: 6 of the Top 16; Consumer Financial Services: 4 of the Top 8.
  11. Have organizations’ website(s) experienced a data or system breach resulting from an app layer vulnerability?
      - 24% of the survey respondents have experienced a data or system breach.
      - Those who have experienced a data or system breach have a higher average number of open vulnerabilities than those who haven’t experienced a breach (20 vs. 26).
      - Those who have experienced a breach have a lower remediation rate than those who haven’t experienced a breach (42% vs. 39%).
      - Chart (No / Yes by industry): All 76% / 24%; Finance and Insurance 83% / 17%; Information 80% / 20%; Retail Trade 50% / 50%; Health Care and Social Assistance 0% / 100%.
  12. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
      - 56% of all respondents did not have any part of the organization held accountable in case of a data or system breach.
      - Chart: share of respondents naming each accountable part of the organization (values shown: 9%, 29%, 28%, 30%).
  13. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance? (Board of Directors / Executive Management / Software Development / Security Department)
      - Average Number of Vulns Open: 10 / 10 / 17 / 25
      - Average Time Open (Days): 386 / 364 / 341 / 299
      - Average Time to Fix (Days): 129 / 119 / 108 / 114
      - Remediation Rate: 44% / 43% / 37% / 43%
  14. Please rank your organization’s drivers for resolving website vulnerabilities (1 lowest priority, 5 highest). Primary driver for resolving website vulnerabilities, as a percentage of respondents:
      - Compliance: 15%
      - Corporate Policy: 6%
      - Risk Reduction: 35%
      - Customer or Partner Demand: 19%
      - Other reasons: 25%
  15. Primary reasons for resolving website vulnerabilities (Compliance / Corporate Policy / Risk Reduction / Customer or Partner Demand / Other)
      - Average # of vulnerabilities: 14 / 21 / 28 / 28 / 10
      - Average Time Open (Days): 266 / 290 / 283 / 525 / 355
      - Average Time to Fix (Days): 132 / 86 / 78 / 163 / 150
      - Average Remediation Rate: 55% / 21% / 40% / 50% / 33%
  16. How frequently do you perform automated static analysis during the code review process?
      - % of respondents by frequency of automated static analysis: Daily 13%; With each major release 32%; Never 13%.
      - Number of open vulns by frequency of automated static analysis: Daily 6; With each major release 32; Never 17.
      - Charts: frequency of automated static analysis by industry, and average number of vulns at different frequencies of automated static analysis, by industry (Finance and Insurance, Information, Retail Trade, Health Care and Social Assistance, All).
  17. How frequently do you perform automated static analysis during the code review process?
      - Average time open by frequency of automated static analysis: Daily 369 days; Each major release 273 days; Never 394 days.
      - Remediation rate by frequency of automated static analysis: Daily 39%; Each major release 38%; Never 45%.
      - Charts: average time open and average remediation rate at different frequencies of automated static analysis, by industry.
  18. How frequently do you perform automated static analysis during the code review process?
      - Time to fix by frequency of automated static analysis: Daily 74 days; Each major release 117 days; Never 125 days.
      - Chart: average time to fix at different frequencies of automated static analysis, by industry.
  19. How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: What happens when you enter the wrong password over and over?
      - % of respondents by frequency of adversarial testing: Each major release 32%; Quarterly 11%; Never 21%.
      - Number of open vulns by frequency of adversarial testing: Each major release 15; Quarterly 14; Never 34.
      - Charts: frequency of adversarial testing by industry, and average number of vulns at different frequencies of adversarial testing, by industry.
  20. How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: What happens when you enter the wrong password over and over?
      - Average time open by frequency of adversarial testing: Each major release 322 days; Quarterly 375 days; Never 254 days.
      - Remediation rate by frequency of adversarial testing: Each major release 41%; Quarterly 40%; Never 25%.
      - Charts: average time open and average remediation rate at different frequencies of adversarial testing, by industry.
  21. How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: What happens when you enter the wrong password over and over?
      - Time to fix by frequency of adversarial testing: Each major release 124 days; Quarterly 85 days; Never 102 days.
      - Chart: average time to fix at different frequencies of adversarial testing, by industry.
  22. How frequently do you use external penetration testers to find problems?
      - % of respondents by frequency of pen-testing: Annually 21%; Quarterly 26%; Never 26%.
      - Number of open vulns by frequency of pen-testing: Annually 12; Quarterly 40; Never 25.
      - Charts: frequency of penetration testing by industry, and average number of vulns at different frequencies of penetration testing, by industry.
  23. How frequently do you use external penetration testers to find problems?
      - Average time open by frequency of penetration testing: Annually 282 days; Quarterly 273 days; Never 393 days.
      - Remediation rate by frequency of penetration testing: Annually 49%; Quarterly 44%; Never 34%.
      - Charts: average time open and average remediation rate at different frequencies of penetration testing, by industry.
  24. How frequently do you use external penetration testers to find problems?
      - Time to fix by frequency of penetration testing: Annually 140 days; Quarterly 102 days; Never 128 days.
      - Chart: average time to fix at different frequencies of penetration testing, by industry.
  25. How often does your organization feed defects identified through operations monitoring back to development to change developer behavior?
      - % of respondents by frequency of operations monitoring feedback: Daily 17%; With each major release 17%; Never 9%.
      - Number of open vulns by frequency of operations monitoring feedback: Daily 40; With each major release 23; Never 10.
      - Charts: frequency of operations monitoring feedback by industry, and average number of vulns at different frequencies of operations monitoring feedback, by industry.
  26. How often does your organization feed defects identified through operations monitoring back to development to change developer behavior?
      - Average time open by frequency of operations monitoring feedback: Daily 270 days; With each major release 353 days; Never 243 days.
      - Remediation rate by frequency of operations monitoring feedback: Daily 32%; With each major release 48%; Never 34%.
      - Charts: average time open and average remediation rate at different frequencies of operations monitoring feedback, by industry.
  27. How often does your organization feed defects identified through operations monitoring back to development to change developer behavior?
      - Time to fix by frequency of operations monitoring feedback: Daily 76 days; With each major release 198 days; Never 91 days.
      - Chart: average time to fix at different frequencies of operations monitoring feedback, by industry.
  28. How frequently does your organization perform ad hoc code reviews of high-risk applications in an opportunistic fashion?
      - % of respondents by frequency of ad hoc code reviews: Never 21%; Planned 15%; With each major release 15%.
      - Number of open vulns by frequency of ad hoc code reviews: Never 41; Planned 10; With each major release 13.
      - Charts: frequency of ad hoc code review by industry, and average number of vulns at different frequencies of ad hoc code review, by industry.
  29. How frequently does your organization perform ad hoc code reviews of high-risk applications in an opportunistic fashion?
      - Average time open by frequency of ad hoc code reviews: Never 309 days; Planned 264 days; With each major release 278 days.
      - Remediation rate by frequency of ad hoc code reviews: Never 43%; Planned 39%; With each major release 37%.
      - Charts: average time open and average remediation rate at different frequencies of ad hoc code review, by industry.
  30. How frequently does your organization perform ad hoc code reviews of high-risk applications in an opportunistic fashion?
      - Time to fix by frequency of ad hoc code reviews: Never 147 days; Planned 90 days; With each major release 102 days.
      - Chart: average time to fix at different frequencies of ad hoc code review, by industry.
  31. How frequently does your organization share results from security reviews with the QA department?
      - % of respondents by frequency of security review sharing: Monthly 13%; With each major release 28%; Never 19%.
      - Number of open vulns by frequency of security review sharing: Monthly 13; With each major release 29; Never 18.
      - Charts: frequency of security result sharing by industry, and average number of vulns at different frequencies of security result sharing, by industry.
  32. How frequently does your organization share results from security reviews with the QA department?
      - Average time open by frequency of security review sharing: Monthly 282 days; With each major release 393 days; Never 258 days.
      - Remediation rate by frequency of security review sharing: Monthly 49%; With each major release 37%; Never 27%.
      - Charts: average time open and average remediation rate at different frequencies of security result sharing, by industry.
  33. How frequently does your organization share results from security reviews with the QA department?
      - Time to fix by frequency of security review sharing: Monthly 107 days; With each major release 162 days; Never 83 days.
      - Chart: average time to fix at different frequencies of security result sharing, by industry.
  34. Questions? Thank you! Jeremiah Grossman, Founder, WhiteHat Security, Inc. Twitter: @jeremiahg
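The metric definitions on slide 4 (average time to fix, remediation rate, days open, vulnerability class likelihood, window of exposure) and the exposure groups on slide 8 are easy to state and easy to compute inconsistently, in particular the window of exposure, where overlapping vulnerabilities must not be double-counted and findings opened before the analysis period must be clipped to it. The script below is an added example, not WhiteHat's code or Sentinel data: it computes each slide-4 metric as worded on the slide and assigns each site to a slide-8 group, over a constructed set of vulnerability records. The record layout, site names, vulnerability classes, dates, the convention that a vulnerability is not exposed on its close date, and the treatment of a full-period exposure as the "always vulnerable" group are all assumptions of the example.

```python
"""Metrics from slide 4 (time to fix, remediation rate, days open, class
likelihood, window of exposure) and the slide 8 exposure groups, computed over a
constructed sample. Added illustration, not WhiteHat's code or data; site names,
classes, dates and the 'always vulnerable' cut-off are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    site: str
    vuln_class: str         # e.g. "XSS", "Content Spoofing"
    severity: int           # 1..5; slide 4 calls 3 or greater "serious"
    opened: date
    closed: Optional[date]  # None means still open


SERIOUS = 3
PERIOD_START = date(2014, 1, 1)    # constructed analysis period, inclusive
PERIOD_END = date(2014, 12, 31)
ACTIVE_SITES = frozenset({"shop", "bank", "portal"})

# Constructed sample records (not real assessment data).
SAMPLE = [
    Vuln("shop", "XSS", 4, date(2014, 1, 1), None),                         # open all year
    Vuln("shop", "Content Spoofing", 2, date(2014, 3, 1), date(2014, 3, 31)),
    Vuln("bank", "XSS", 3, date(2014, 2, 1), date(2014, 2, 11)),            # 10 days
    Vuln("bank", "SQL Injection", 5, date(2014, 2, 5), date(2014, 2, 25)),  # overlaps the XSS
    Vuln("bank", "Fingerprinting", 1, date(2014, 6, 1), None),              # open, not serious
    Vuln("portal", "XSS", 3, date(2013, 11, 1), date(2014, 4, 1)),          # opened before period
]


def average_time_to_fix(vulns):
    """Slide 4: average number of days to fix a vulnerability (closed ones only)."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(fixed) / len(fixed) if fixed else 0.0


def remediation_rate(vulns):
    """Slide 4, taken literally: closed vulnerabilities divided by open ones.
    None (undefined) when nothing is open, instead of a ZeroDivisionError."""
    closed = sum(1 for v in vulns if v.closed is not None)
    still_open = len(vulns) - closed
    return closed / still_open if still_open else None


def average_days_open(vulns, as_of=PERIOD_END):
    """Slide 4 'Days Open': average age in days of vulnerabilities still open."""
    ages = [(as_of - v.opened).days for v in vulns if v.closed is None]
    return sum(ages) / len(ages) if ages else 0.0


def class_likelihood(vulns, vuln_class, active_sites=ACTIVE_SITES):
    """Slide 4: sites with at least one open vuln of the class / active sites."""
    hit = {v.site for v in vulns
           if v.vuln_class == vuln_class and v.closed is None and v.site in active_sites}
    return len(hit) / len(active_sites)


def window_of_exposure(vulns, site, start=PERIOD_START, end=PERIOD_END):
    """Slide 4: days in [start, end] on which the site had at least one serious
    vulnerability open. A vuln is exposed on [opened, closed); overlapping
    vulns are counted once by taking the union of their days."""
    exposed = set()
    for v in vulns:
        if v.site != site or v.severity < SERIOUS:
            continue
        first = max(v.opened, start)
        last = end if v.closed is None else min(v.closed - timedelta(days=1), end)
        day = first
        while day <= last:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def exposure_bucket(days, period_days=365):
    """Slide 8 groups (30 days or less, 31-150, 151-270, 271-364 days a year);
    exposure on every day of the period is labelled 'Always Vulnerable' here."""
    if days >= period_days:
        return "Always Vulnerable"
    if days <= 30:
        return "Rarely Vulnerable"
    if days <= 150:
        return "Occasionally Vulnerable"
    if days <= 270:
        return "Regularly Vulnerable"
    return "Frequently Vulnerable"


if __name__ == "__main__":
    print("average time to fix (days):", average_time_to_fix(SAMPLE))
    print("remediation rate (closed/open):", remediation_rate(SAMPLE))
    print("average days open:", average_days_open(SAMPLE))
    print("XSS class likelihood:", round(class_likelihood(SAMPLE, "XSS"), 2))
    for site in sorted(ACTIVE_SITES):
        days = window_of_exposure(SAMPLE, site)
        print(f"{site}: {days} exposed days -> {exposure_bucket(days)}")
```

On the sample, the two overlapping serious findings on "bank" yield 24 exposed days rather than 30, and the "portal" finding opened in 2013 contributes only its 90 days inside the period, which is the behaviour a defender wants before comparing a site against the slide-8 groups. The remediation rate follows the slide's wording (closed divided by open) and can therefore exceed 1.0; a program that reports closed over total would change only that one line.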
