WhiteHat Security "Website Security Statistics Report" (Q1'09)

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.

The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

  1. 7th Website Security Statistics Report
     Jeremiah Grossman, Founder & Chief Technology Officer
     Webinar, 05.19.2009
     © 2009 WhiteHat, Inc.
  2. WhiteHat Security
     • 200+ enterprise customers
     • Start-ups to Fortune 500
     • Flagship offering “WhiteHat Sentinel Service”
     • 1000’s of assessments performed annually
     • Recognized leader in website security
     • Quoted hundreds of times by the mainstream press
  3. Web Security #1 Threat
     The vast majority of websites possess serious vulnerabilities
     “82% of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity.” (WhiteHat Security, 2008)
     Malicious website breaches are occurring in record numbers
     “70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.” (Websense, 2009)
     PCI DSS Requirement 6.6 mandates application security
     “Ensure that web-facing applications are protected against known attacks by applying either of the following methods. A) Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.”
     Federal Trade Commission Fines and Investigations
     Over the last three years, the FTC has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information.
  4. WhiteHat Security - Website Risk Management
     • WhiteHat Sentinel Service
       • Unlimited website vulnerability assessment
       • SaaS-based, annual subscription model
       • Combination of proprietary scanning technology and expert operations team
     • 200+ enterprise customers
     • 1000’s of assessments performed annually, from start-ups to Fortune 500
     Sentinel PE - Configured assessment delivery including comprehensive manual testing for business logic issues. For high-risk websites that hold sensitive data and perform critical business functions.
     Sentinel SE - Configured assessment delivery with verified vulnerability reporting – designed for medium-risk websites with complex functionality requiring extensive configuration.
     Sentinel BE - Self-service, automated assessment delivery with verified vulnerability reporting – designed for smaller, less complex, lower-risk websites.
  5. WASC 24 (+2)* Classes of Attacks
     Business Logic: Humans Required
       Authentication
         • Brute Force
         • Insufficient Authentication
         • Weak Password Recovery Validation
         • CSRF*
       Authorization
         • Credential/Session Prediction
         • Insufficient Authorization
         • Insufficient Session Expiration
         • Session Fixation
       Logical Attacks
         • Abuse of Functionality
         • Denial of Service
         • Insufficient Anti-automation
         • Insufficient Process Validation
     Technical: Automation Can Identify
       Command Execution
         • Buffer Overflow
         • Format String Attack
         • LDAP Injection
         • OS Commanding
         • SQL Injection
         • SSI Injection
         • XPath Injection
       Information Disclosure
         • Directory Indexing
         • Information Leakage
         • Path Traversal
         • Predictable Resource Location
       Client-Side
         • Content Spoofing
         • Cross-site Scripting
         • HTTP Response Splitting*
  6. Data Set
     • Collection duration: January 1, 2006 to March 31, 2009
     • Total websites: 1,031
     • Identified vulnerabilities (custom web applications): 17,888
     • Assessment frequency: ~Weekly
     • Vulnerability classes: WASC Threat Classification
     • Severity naming convention: PCI-DSS
     Key Findings
     • Unresolved vulnerabilities: 7,157 (60% resolution rate)
     • Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
     • Lifetime average number of vulnerabilities per website: 17
     • Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
     • Current average of unresolved vulnerabilities per website: 7
     [Chart: percentage likelihood of a website having a vulnerability by severity (CRITICAL, HIGH, URGENT); values not captured in the transcript]
  7. WhiteHat Security Top Ten
     Percentage likelihood of a website having a vulnerability by class (chart values not captured in the transcript):
       1. Cross-Site Scripting
       2. Information Leakage
       3. Content Spoofing
       4. Insufficient Authorization
       5. SQL Injection
       6. Predictable Resource Location
       7. Session Fixation
       8. Cross-Site Request Forgery
       9. Insufficient Authentication
       10. HTTP Response Splitting
     • Average number of inputs per website: 227
     • Average ratio of vulnerability count / number of inputs: 2.58%
  8. Overall Vulnerability Population
     URL Extension   % of websites   % of vulnerabilities
     unknown         59%             40%
     asp             24%             25%
     aspx            23%              9%
     xml             10%              2%
     jsp              9%              8%
     do               7%              3%
     php              6%              3%
     html             4%              2%
     old              4%              1%
     dll              4%              1%
     cfm              3%              4%
  9. Industry Vertical Analysis
     [Chart: percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by industry vertical (Retail, Financial Services, IT, Healthcare, Pharmaceutical, Telecom, Insurance, Social Networking); series: Current, Historical, Decrease; values not captured in the transcript]
  10. Top 5 vulnerabilities by industry vertical
      [Charts: percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by class, Historical vs. Current, for Retail, Financial Services, IT, Healthcare, Pharmaceutical, Telecom, Insurance and Social Networking; values not captured in the transcript]
  11. Time-to-Fix (Days) - WhiteHat Top Ten
      [Chart: days to fix for Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting; values not captured in the transcript]
      Best-case scenario: Not all vulnerabilities have been fixed...
  12. Resolution rate - Top 5 by Severity
      Class of Attack                 % resolved   Severity
      Cross-Site Scripting            20%          urgent
      Insufficient Authorization      19%          urgent
      SQL Injection                   30%          urgent
      HTTP Response Splitting         75%          urgent
      Directory Traversal             53%          urgent
      Insufficient Authentication     38%          critical
      Cross-Site Scripting            39%          critical
      Abuse of Functionality          28%          critical
      Cross-Site Request Forgery      45%          critical
      Session Fixation                21%          critical
      Brute Force                     11%          high
      Content Spoofing                25%          high
      HTTP Response Splitting         30%          high
      Information Leakage             29%          high
      Predictable Resource Location   26%          high
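The metrics on slides 6, 7, 11 and 12 (percentage of websites with at least one HIGH/CRITICAL/URGENT issue, lifetime vs. current; resolution rate overall and per class and severity; average time-to-fix; average vulnerabilities per website) are all aggregations over one record per identified vulnerability. The script below is an added example, not WhiteHat's code or data: it computes each of those figures from a small constructed set of findings (the hostnames, classes, severities and dates are made up), with the assumption that a finding counts as "current" while its fix date is empty. It also makes explicit why the report calls its time-to-fix numbers a best-case scenario: unresolved findings contribute nothing to that average.

```python
"""Compute the report's headline website-security metrics from per-finding records.

Added example (not WhiteHat's code or data). Each record is one identified
vulnerability on one website:
    (website, class_of_attack, severity, date_found, date_fixed)
with date_fixed = None while the finding is unresolved. Severity names follow
the report's PCI-DSS convention; "serious" means HIGH, CRITICAL or URGENT.
"""
from collections import defaultdict
from datetime import date

SERIOUS = {"high", "critical", "urgent"}

# Constructed sample findings; hostnames and dates are made up for the example.
FINDINGS = [
    ("shop.example",   "Cross-Site Scripting",       "urgent", "2009-01-05", "2009-01-25"),
    ("shop.example",   "Cross-Site Scripting",       "urgent", "2009-01-05", None),
    ("shop.example",   "Information Leakage",        "high",   "2009-02-01", "2009-02-11"),
    ("bank.example",   "SQL Injection",              "urgent", "2009-01-10", "2009-02-09"),
    ("bank.example",   "Insufficient Authorization", "urgent", "2009-01-12", None),
    ("bank.example",   "Content Spoofing",           "high",   "2009-03-01", None),
    ("blog.example",   "Content Spoofing",           "high",   "2009-03-03", "2009-03-13"),
    ("blog.example",   "Directory Indexing",         "low",    "2009-03-03", None),
    ("static.example", "Information Leakage",        "medium", "2009-02-20", "2009-02-22"),
]


def _sites(findings):
    return {rec[0] for rec in findings}


def _pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def pct_sites_ever_serious(findings):
    """Lifetime figure: websites that have had at least one serious issue."""
    hit = {site for site, _, sev, _, _ in findings if sev in SERIOUS}
    return _pct(len(hit), len(_sites(findings)))


def pct_sites_currently_serious(findings):
    """Current figure: websites with at least one unresolved serious issue."""
    hit = {site for site, _, sev, _, fixed in findings
           if sev in SERIOUS and fixed is None}
    return _pct(len(hit), len(_sites(findings)))


def resolution_rate(findings):
    """Share of all identified vulnerabilities that have been fixed."""
    resolved = sum(1 for rec in findings if rec[4] is not None)
    return _pct(resolved, len(findings))


def resolution_rate_by_class_severity(findings):
    """% resolved per (class of attack, severity), as on the resolution-rate slide."""
    totals = defaultdict(lambda: [0, 0])  # key -> [identified, resolved]
    for _, cls, sev, _, fixed in findings:
        counts = totals[(cls, sev)]
        counts[0] += 1
        if fixed is not None:
            counts[1] += 1
    return {key: _pct(done, total) for key, (total, done) in totals.items()}


def avg_time_to_fix_days(findings):
    """Mean days from discovery to fix per class. Unresolved findings are left
    out, which is why the report calls its time-to-fix numbers a best case."""
    days = defaultdict(list)
    for _, cls, _, found, fixed in findings:
        if fixed is not None:
            days[cls].append((date.fromisoformat(fixed) - date.fromisoformat(found)).days)
    return {cls: round(sum(d) / len(d), 1) for cls, d in days.items()}


def avg_per_site(findings, unresolved_only=False):
    """Average vulnerabilities per website: lifetime, or currently unresolved."""
    n = sum(1 for rec in findings if not unresolved_only or rec[4] is None)
    return round(n / len(_sites(findings)), 2)


if __name__ == "__main__":
    print("websites ever with a serious issue:", pct_sites_ever_serious(FINDINGS), "%")
    print("websites currently with a serious issue:", pct_sites_currently_serious(FINDINGS), "%")
    print("overall resolution rate:", resolution_rate(FINDINGS), "%")
    for key, pct in sorted(resolution_rate_by_class_severity(FINDINGS).items()):
        print("  resolved %s / %s: %s%%" % (key[0], key[1], pct))
    print("time-to-fix (days) by class:", avg_time_to_fix_days(FINDINGS))
    print("lifetime vulns per site:", avg_per_site(FINDINGS))
    print("unresolved vulns per site:", avg_per_site(FINDINGS, unresolved_only=True))
```

Feeding a real scanner export into `FINDINGS` is enough to reproduce the report's tables for your own estate; the one design point worth keeping is that "current" and "lifetime" are computed from the same records, so the gap between the two numbers (82% vs. 63% in the report) is exactly the set of sites whose serious issues have all been fixed.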
  13. The Long Tail of Website Vulnerability Testing
      [Chart: Vulnerable Websites (0 to 400) by Vulnerability Check; values not captured in the transcript]
      [Chart: Verified Vulnerabilities (0 to 3,000) by Vulnerability Check; values not captured in the transcript]
  14. Threat Capabilities
      Threats / Attackers
      Fully Targeted
        • Discover unlinked / hidden functionality
        • Exercise business processes
        • Customize business logic flaw exploits
        • Leverage information leakage
        • Interact with other customers
        • Perform multi-stage attacks
        Example: ‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. Geeks.com, Guess, Petco, CardSystems, USC, etc.
      Directed Opportunistic
        • Authenticated crawling
        • Authenticated attacks
        • Intelligent HTML form submission
        • Test for technical vulnerabilities
        • Customize exploits
        • SQL Injection (data extraction)
        • Cross-Site Scripting (Phishing)
        Example: Cyber criminals use XSS vulnerabilities to create very convincing phishing scams that appear on the real website as opposed to a fake. JavaScript malware steals victims’ session cookies and passwords. Y! Mail, PayPal, SunTrust, Italian banks, etc.
      Random Opportunistic
        • Unauthenticated crawling
        • Unauthenticated attacks
        • Test all attack surface discovered
        • Destructive attacks
        • Automated HTML form submission
        • SQL Injection (code insertion)
        • Persistent Cross-Site Scripting
        • Advanced filter evasion techniques
        • Generic exploits
        Example: With Mass SQL Injection, automated worms inserted malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and used the capability to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”
  15. Operationalizing Website Security
      1) Where do I start?
         Locate the websites you are responsible for
      2) What do I do next?
         Rank websites based upon business criticality
      3) What should I be concerned about first?
         Random Opportunistic, Directed Opportunistic, Fully Targeted
      4) What is our current security posture?
         Vulnerability assessments, pen-tests, traffic monitoring
      5) How best to improve our survivability?
         SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.
      Axes of the decision: Risk vs. Resources. What is your organization’s tolerance for risk (per website)?
  16. Website Risk Management Infrastructure
      [Diagram not captured in the transcript]
  17. Thank You!
      Jeremiah Grossman
      Blog: http://jeremiahgrossman.blogspot.com/
      Twitter: http://twitter.com/jeremiahg
      Email: jeremiah@whitehatsec.com
      WhiteHat Security: http://www.whitehatsec.com/