WhiteHat Security 8th Website Security Statistics Report

Web security is a moving target and enterprises need timely information about the latest attack trends, how they can best defend their websites, and visibility into their vulnerability lifecycle. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the knowledge and solutions that organizations need to protect their brands, attain PCI compliance and avert costly breaches.

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to safely conduct business online. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, tracks vertical market trends and identifies new attack techniques, since 2006.

The WhiteHat Security report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization,


WhiteHat Security 8th Website Security Statistics Report

Slide 1: 8th Website Security Statistics Report
Full Report Available: https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209
Jeremiah Grossman, Founder & Chief Technology Officer
Webinar, 11.12.2009
© 2009 WhiteHat, Inc.
Slide 2: Jeremiah Grossman
• Technology R&D and industry evangelist
• InfoWorld's CTO Top 25 for 2007
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
Slide 3: WhiteHat Security
• 250+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering "WhiteHat Sentinel Service"
• 1000's of assessments performed annually
• Recognized leader in website security
• Quoted thousands of times by the mainstream press
Slide 4: WhiteHat Sentinel
Complete Website Vulnerability Management: Customer Controlled & Expert Managed
• Unique SaaS-based solution
  – Highly scalable delivery of service at a fixed cost
• Production Safe
  – No performance impact
• Full Coverage
  – On-going testing for business logic flaws and technical vulnerabilities
  – Uses WASC 24 classes of attacks as reference point
• Unlimited Assessments
  – Anytime websites change
• Eliminates False Positives
  – Security Operations Team verifies all vulnerabilities
• Continuous Improvement & Refinement
  – Ongoing updates and enhancements to underlying technology and processes
Slide 5: Know Your Enemy
Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and profit driven ($$$)
Directed Opportunistic
• Commercial / open source tools
• Authenticated scans
• Multi-step processes (forms)
Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately
Slide 6: Website Classes of Attacks
Business Logic: Humans Required
  Authentication
  • Brute Force
  • Insufficient Authentication
  • Weak Password Recovery Validation
  • CSRF*
  Authorization
  • Credential/Session Prediction
  • Insufficient Authorization
  • Insufficient Session Expiration
  • Session Fixation
  Logical Attacks
  • Abuse of Functionality
  • Denial of Service
  • Insufficient Anti-automation
  • Insufficient Process Validation
Technical: Automation Can Identify
  Command Execution
  • Buffer Overflow
  • Format String Attack
  • LDAP Injection
  • OS Commanding
  • SQL Injection
  • SSI Injection
  • XPath Injection
  Information Disclosure
  • Directory Indexing
  • Information Leakage
  • Path Traversal
  • Predictable Resource Location
  Client-Side
  • Content Spoofing
  • Cross-site Scripting
  • HTTP Response Splitting*
Slide 7: Data Overview
• 1,364 total websites (32% ↑)
• 22,776 verified custom web application vulnerabilities* (4,888 ↑)
• Data collected from January 1, 2006 to October 1, 2009
• Vast majority of websites assessed for vulnerabilities weekly
• Vulnerabilities classified according to WASC Threat Classification
• Vulnerability severity naming convention aligns with PCI-DSS
• Average number of links per website: 766**
• Average number of inputs (attack surface) per website: 246
• Average ratio of vulnerability count / number of inputs: 2.14%
• Anti-Clickjacking X-FRAME-OPTIONS: 1
• HTTPOnly flag: 150

Technology Breakdown
URL Extension   % of websites   % of vulnerabilities
unknown         62%             39%
aspx            23%              9%
asp             22%             24%
xml             11%              2%
jsp             10%              8%
do               6%              3%
php              6%              3%
html             5%              2%
old              3%              1%
cfm              3%              4%
bak              3%              1%
dll              2%              1%

* Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).
** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.
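The two defensive indicators the slide tallies across websites (an anti-clickjacking X-FRAME-OPTIONS header and the HTTPOnly flag on the session cookie) can both be read straight from a site's HTTP response headers. The following is an added example, not WhiteHat's or Sentinel's code; the three responses, the site names and the list of session-cookie name fragments are constructed assumptions of the example.

```python
"""Added example (not WhiteHat's or Sentinel's code): tally, across constructed
HTTP responses, how many sites send an anti-clickjacking X-Frame-Options header
and how many set their session cookie with HttpOnly, the two defensive
indicators counted on the Data Overview slide."""

# Constructed sample responses (header block only), one per fictional site.
RESPONSES = {
    "shop.example": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "blog.example": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: sid=xyz; Path=/\r\n"
        "Set-Cookie: prefs=dark; Path=/; HttpOnly\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "legacy.example": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: allowall\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}

# Assumption of this example: cookies whose name contains one of these
# fragments are treated as session cookies.
SESSION_COOKIE_HINTS = ("sess", "sid", "phpsessid", "jsessionid")


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; repeated headers
    such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def has_anti_clickjacking(headers):
    """True only for DENY or SAMEORIGIN; any other value (such as the
    'allowall' above) does not stop a browser from framing the page."""
    return any(name == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN")
               for name, value in headers)


def session_cookie_httponly(headers):
    """True when every session cookie carries HttpOnly, False when at least
    one does not, None when the response sets no session cookie at all."""
    verdicts = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip().lower()
        if not any(hint in cookie_name for hint in SESSION_COOKIE_HINTS):
            continue
        verdicts.append(any(p.lower() == "httponly" for p in parts[1:]))
    return all(verdicts) if verdicts else None


def tally(responses):
    """Count sites with each protection, the way the slide reports them."""
    counts = {"x_frame_options": 0, "httponly": 0, "no_session_cookie": 0}
    for raw in responses.values():
        headers = parse_headers(raw)
        if has_anti_clickjacking(headers):
            counts["x_frame_options"] += 1
        verdict = session_cookie_httponly(headers)
        if verdict is None:
            counts["no_session_cookie"] += 1
        elif verdict:
            counts["httponly"] += 1
    return counts


if __name__ == "__main__":
    for site, raw in RESPONSES.items():
        hdrs = parse_headers(raw)
        print(site, "X-Frame-Options:", has_anti_clickjacking(hdrs),
              "session HttpOnly:", session_cookie_httponly(hdrs))
    print(tally(RESPONSES))
```

Two details matter for a correct count: a site only gets credit for X-Frame-Options when the value is one a browser enforces (a header that is present but holds an unrecognised value is not a protection), and HttpOnly has to be checked per cookie, since a site can set it on a harmless preference cookie while leaving the session cookie exposed.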
Slide 8: Key Findings
All Websites
• 83% of websites have had a HIGH, CRITICAL, or URGENT issue
• 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 61% vulnerability resolution rate with 8,902 unresolved issues remaining
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
• Average number of serious unresolved vulnerabilities per website: 6.5
SSL-Only Websites
• 44% of websites are using SSL
• 81% of websites have had a HIGH, CRITICAL, or URGENT issue
• 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 58% vulnerability resolution rate among the sample, with 2,484 of 5,863 historical vulnerabilities remaining unresolved
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7
• Average number of serious unresolved vulnerabilities per website: 4.1
[Chart: percentage likelihood of a website having a vulnerability by severity (CRITICAL, HIGH, URGENT); the values are not recoverable from the extracted text]
Slide 9: WhiteHat Security Top Ten
Percentage likelihood of a website having a vulnerability by class (chart values not recoverable from the extracted text)
1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Cross-Site Request Forgery
8. Session Fixation
9. HTTP Response Splitting
10. Abuse of Functionality
Slide 10: Vulnerability Population
Cross-Site Scripting            63%
Content Spoofing                 8%
SQL Injection                    7%
Information Leakage              6%
Other                            5%
Predictable Resource Location    4%
HTTP Response Splitting          4%
Insufficient Authorization       3%
Slide 11: Time-to-Fix (Days)
Cross-Site Scripting             9 ↑
Information Leakage              7 ↓
Content Spoofing                16 ↑
Insufficient Authorization      15 ↓
SQL Injection                   24 ↑
Pred. Res. Loc.                 39 ↓
Cross-Site Request Forgery      37 ↑
Session Fixation                 2 ↑
HTTP Response Splitting          5 ↓
Abuse of Functionality           -
* Up/down arrows indicate the increase or decrease since the last report.
Best-case scenario: Not all vulnerabilities have been fixed...
Slide 12: Resolution Rates
Class of Attack                 % resolved   Δ       Severity
Cross Site Scripting            12%           8 ↓    urgent
Insufficient Authorization      18%           1 ↓    urgent
SQL Injection                   40%          10 ↑    urgent
HTTP Response Splitting         12%          15 ↓    urgent
Directory Traversal             65%          12 ↑    urgent
Insufficient Authentication     37%           1 ↓    critical
Cross-Site Scripting            44%           5 ↑    critical
Abuse of Functionality          14%          14 ↓    critical
Cross-Site Request Forgery      39%           6 ↓    critical
Session Fixation                31%          10 ↑    critical
Brute Force                     31%          20 ↑    high
Content Spoofing                46%          21 ↑    high
HTTP Response Splitting         32%           2 ↑    high
Information Leakage             30%          21 ↑    high
Predictable Resource Location   34%           8 ↑    high
* Up/down arrows indicate the increase or decrease since the last report.
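The counting rule stated on the Data Overview slide (one vulnerability per unique web application and class of attack, however many parameters are affected) is what the resolution rates, serious-issue percentages and time-to-fix figures on slides 8, 11 and 12 are built on. The following added example, not WhiteHat's code, computes those same metrics over a constructed set of parameter-level findings. The findings, site names, input counts and the rule that a vulnerability is resolved only once every affected parameter has been closed are assumptions of the example.

```python
"""Added example (not WhiteHat's code): compute the deck's headline metrics
from a constructed set of findings, using the counting rule on the Data
Overview slide: one vulnerability per unique web application and class of
attack, however many parameters are affected."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed findings: (site, webapp, parameter, class, severity, opened, closed).
# closed=None means the parameter-level finding is still unresolved.
FINDINGS = [
    ("shop.example", "/cart.cgi", "id", "SQL Injection", "urgent", date(2009, 1, 5), date(2009, 1, 29)),
    ("shop.example", "/cart.cgi", "qty", "SQL Injection", "urgent", date(2009, 1, 5), date(2009, 1, 29)),
    ("shop.example", "/cart.cgi", "coupon", "SQL Injection", "urgent", date(2009, 1, 5), None),
    ("shop.example", "/cart.cgi", "q", "Cross-Site Scripting", "critical", date(2009, 2, 1), date(2009, 2, 10)),
    ("shop.example", "/search", "q", "Cross-Site Scripting", "critical", date(2009, 2, 1), None),
    ("blog.example", "/post", "title", "Cross-Site Scripting", "critical", date(2009, 3, 3), date(2009, 3, 12)),
    ("blog.example", "/admin", None, "Insufficient Authorization", "urgent", date(2009, 3, 3), date(2009, 3, 20)),
    ("blog.example", "/robots.txt", None, "Information Leakage", "medium", date(2009, 3, 3), date(2009, 3, 10)),
]
# Constructed attack-surface sizes (number of inputs per site).
INPUTS_PER_SITE = {"shop.example": 120, "blog.example": 80}
# Severities the deck groups as "serious" (HIGH, CRITICAL, URGENT).
SERIOUS = {"high", "critical", "urgent"}


def group_by_vulnerability(findings):
    """Apply the counting rule: one entry per (site, webapp, class), holding
    every parameter-level finding that contributed to it."""
    groups = defaultdict(list)
    for finding in findings:
        site, webapp, _param, cls, *_ = finding
        groups[(site, webapp, cls)].append(finding)
    return groups


def count_vulnerabilities(findings):
    return len(group_by_vulnerability(findings))


def is_resolved(group):
    # Assumption of this example: a vulnerability is fixed only when every
    # affected parameter is closed; one open parameter keeps it open.
    return all(f[6] is not None for f in group)


def resolution_rate(findings):
    groups = group_by_vulnerability(findings)
    return sum(is_resolved(g) for g in groups.values()) / len(groups)


def vulnerability_to_input_ratio(findings, inputs_per_site):
    """The slide's 'vulnerability count / number of inputs' figure."""
    return count_vulnerabilities(findings) / sum(inputs_per_site.values())


def sites_with_serious_issue(findings, currently):
    """Share of sites that have had (or, with currently=True, still have an
    unresolved) HIGH/CRITICAL/URGENT vulnerability."""
    sites = {f[0] for f in findings}
    hit = set()
    for key, group in group_by_vulnerability(findings).items():
        if group[0][4] not in SERIOUS:
            continue
        if currently and is_resolved(group):
            continue
        hit.add(key[0])
    return len(hit) / len(sites)


def mean_time_to_fix(findings, cls):
    """Mean days from first opened to last closed parameter over resolved
    vulnerabilities of one class; None when none of that class is resolved."""
    days = []
    for key, group in group_by_vulnerability(findings).items():
        if key[2] != cls or not is_resolved(group):
            continue
        opened = min(f[5] for f in group)
        closed = max(f[6] for f in group)
        days.append((closed - opened).days)
    return mean(days) if days else None


if __name__ == "__main__":
    print("vulnerabilities:", count_vulnerabilities(FINDINGS))
    print("resolution rate: %.0f%%" % (100 * resolution_rate(FINDINGS)))
    print("vulns / inputs: %.2f%%" % (100 * vulnerability_to_input_ratio(FINDINGS, INPUTS_PER_SITE)))
    print("sites ever serious: %.0f%%" % (100 * sites_with_serious_issue(FINDINGS, currently=False)))
    print("sites currently serious: %.0f%%" % (100 * sites_with_serious_issue(FINDINGS, currently=True)))
    for cls in ("Cross-Site Scripting", "SQL Injection", "Insufficient Authorization"):
        print("time-to-fix", cls, mean_time_to_fix(FINDINGS, cls))
```

The sample shows why the counting rule matters when comparing numbers across reports: the three SQL Injection parameters on /cart.cgi are one vulnerability, not three, and because one of them is still open that vulnerability stays unresolved and drops out of the time-to-fix average, which is the "best-case" caveat on slide 11.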
Slide 13: Zero-Vulnerability Websites
• 485 total websites
• 17% of websites have never had a HIGH, CRITICAL, or URGENT issue
• 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
• 1,800 verified custom web application vulnerabilities
• Lifetime average number of vulnerabilities per website: 3.7
• Average number of inputs per website: 244
• Average ratio of vulnerability count / number of inputs: 2.11%

Percentage likelihood of a website having a vulnerability by class
1. Cross-Site Scripting (37.3%)
2. Information Leakage (22.2%)
3. Content Spoofing (10.7%)
4. Predictable Resource Location (7.8%)
5. SQL Injection (7.4%)
6. Abuse of Functionality (4.3%)
7. Insufficient Authorization (4.1%)
8. Session Fixation (4.1%)
9. Cross Site Request Forgery (3.7%)
10. HTTP Response Splitting (3.1%)

Technology Breakdown
URL Extension   % of websites   % of vulnerabilities
unknown         33%             33%
aspx             7%             10%
asp             14%             25%
jsp              7%              9%
do               7%              8%
html             2%              2%
old              2%              2%
cfm              2%              3%
Slide 14: Vulnerability Population (Zero-Vulnerability Websites)
Cross-Site Scripting            62%
Information Leakage              9%
Content Spoofing                 8%
SQL Injection                    6%
Predictable Resource Location    6%
Cross-Site Request Forgery       5%
Other                            4%
Slide 15: Time-to-Fix (Days), Zero-Vulnerability Websites
[Chart covering Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc., Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting and Abuse of Functionality; the day values are not recoverable from the extracted text]
Slide 16: Industry Verticals
[Chart by vertical: Social Networking, Education, Retail, Financial Services, IT, Healthcare, Pharma, Telecom, Insurance; the changes since the last report shown on the chart are 3 ↓, 3 ↑, 15 ↑, 1 ↑, 12 ↑, 6 ↑, -, -, 1 ↑, but the extracted text does not preserve which value belongs to which vertical]
* Up/down arrows indicate the increase or decrease since the last report.
Slide 17: Operationalize (axes: Risk vs. Resources)
1) Where do I start?
   Locate the websites you are responsible for
2) What do I do next?
   Rank websites based upon business criticality
3) What should I be concerned about first?
   Random Opportunistic, Directed Opportunistic, Fully Targeted
4) What is our current security posture?
   Vulnerability assessments, pen-tests, traffic monitoring
   What is your organization's tolerance for risk (per website)?
5) How best to improve our survivability?
   SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.
Slide 18: Website Risk Management Infrastructure
[Diagram; no text recoverable from the extracted slide]
Slide 19: [image-only slide; no text recoverable]
Slide 20: Thank You!
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com
WhiteHat Security: http://www.whitehatsec.com/
