WhiteHat Security 2014 Statistics Report Explained


In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?

By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.


  1. WhiteHat Security 2014 Stats Report Explained. Presented by: Jeremiah Grossman. Twitter: @jeremiahg #2014WebStats
  2. Founded in 2001 • 125+ web security experts: the world’s largest team of web security experts • 30,000s of assessments currently running at this moment • Security leader: Gartner Magic Quadrant
  3. Jeremiah Grossman. Title: iCEO. Info: 15 years in Info Security. Fun fact: Brazilian Jiu-Jitsu Black Belt
  4. What I’ll discuss today… • Overall key findings • Average vulnerabilities: security posture • Median days open by vulnerability class • Vulnerability class by language • Industry analysis • Recommendations/takeaways – How to use this report based on job role
  5. Déjà Vu • Numerous report conclusions all point to the need for more secure software – Verizon Data Breach Report – FireHost “Superfecta” Attack Report • Cyber insurance claims reaching as high as $20 million, with an average payout of just above $900,000
  6. Big Questions • Are some programming languages more secure than others? • What are the prevalent threats per programming language? • What are the prevalent threats per industry?
  7. About the Data • 30,000 websites across many different verticals • Purely from WhiteHat assessments with Sentinel • Because we focused on programming language
  8. Overall Key Findings
  9. Percent of URLs by Language (chart by language: .NET, Java, ASP, PHP, ColdFusion, Perl)
  10. Mean Number of Vulnerabilities in Each Language (chart): .Net 11, Java 11, ASP 11, PHP 10, ColdFusion 7, Perl 6
  11. Risk Exposure • Risk exposure does not vary widely between languages, as language choice does not affect the number of vulnerabilities. • We will take a look at risk exposure and remediation rates further into the discussion.
  12. Average Vulnerabilities
  13. Vulnerabilities Found per Language – What does this mean? (chart by language: .NET, Java, ASP, PHP, ColdFusion, Perl; *larger, and consequently more vulnerable)
  14. Median Days Open by Vulnerability Class
  15. Median Days Open – XSS • XSS vulnerabilities appear to take a similar amount of effort to fix regardless of the language. • Median days open by language – Perl open for a median of 184 days – ASP 135 – .Net 126 – PHP 49
  16. Median Days Open – SQLi • PHP stood out from the pack with the lowest median days open, 6.8 • Median days open by language – ColdFusion open for a median of 107.4 days – ASP 97.5 – Java 64.8 – .Net 51.4 – Perl 19.4
  17. Rounding Out the Top 5 • ASP vulnerabilities remain open the longest at 139 days • ColdFusion has the largest number of days open for SQLi at 107 • Languages with the most security controls are taking the longest to remediate. Why?
  18. Vulnerability Classes
  19. Vulnerability Class Percentage by Language
  20. Remediation Rates
  21. Remediation Rates by Vulnerability Class
  22. Industry Analysis
  23. Industry Analysis – Banking (chart by language: ASP, ColdFusion, .NET, Java, Perl, PHP; callouts: 57% XSS, 44% Info. Leakage, 49% XSS)
  24. Industry Analysis – IT (chart by language: ASP, ColdFusion, .NET, Java, Perl, PHP; callouts: 57% XSS, 44% Info. Leakage, 49% XSS)
  25. Industry Analysis – Retail (chart by language: ASP, ColdFusion, .NET, Java, Perl, PHP; callouts: 44% Info. Leakage, 57% XSS, 49% XSS)
  26. Industry Analysis – Financial Services (chart by language: ASP, ColdFusion, .NET, Java, Perl, PHP; callouts: 49% XSS, 44% Info. Leakage, 57% XSS)
  27. Industry Analysis – Health Care (chart by language: ASP, ColdFusion, .NET, Java, Perl, PHP; callouts: 49% XSS, 44% Info. Leakage, 57% XSS)
  28. Recommendations
  29. Language Choice • Does not matter – Test – Test – Test – All through the SDLC • Developer training is also extremely important
  30. Governance • Security program – Know all assets and keep an inventory of assets – Policy enforcement
  31. Risk Based Approach • What is it? • Why is it important? • How do you measure risk?
  32. How to Use This Report • If you are a – Developer – Security Staff – Security and/or Development Manager
  33. Big Questions… Answered • Are some programming languages more secure than others? • What are the prevalent threats per programming language? • What are the prevalent threats per industry?
  34. Questions. Twitter: @whitehatsec. Email: outreach@whitehatsec.com. Follow the conversation: #2014WebStats. Phone: 1-408-703-2750
