WhiteHat Security Website Statistics Report [SLIDES] (2013)

WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.

Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.

To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. The report focuses exclusively on previously unknown vulnerabilities in custom Web applications (code unique to an organization) found in real-world, production websites. The underlying data set is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of well-known organizations, and collectively represents the largest and most accurate picture of website security available. The report covers the most prevalent vulnerability classes, how many vulnerabilities get fixed, how long fixes take on average, and how an application security program can measurably improve. It is organized by industry and accompanied by WhiteHat Security’s analysis and recommendations.

Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.



  2. THE COMPANY
     • WhiteHat Security, Inc.
     • Founded 2001
     • Headquartered in Santa Clara, CA
     • Employees: 270+
     • WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
     • Customers: 650+ (banking, retail, healthcare, etc.)
     © 2013 WhiteHat Security, Inc.
  3. POLLING QUESTION (please vote now): How would you characterize yourself?
  4. HISTORY: What we knew going in to 2012...
     • “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” – Verizon Data Breach Investigations Report (2012)
     • “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” – Privacyrights.org
  6. ABOUT THE DATA
  7. AT A GLANCE: Average annual number of new serious* vulnerabilities introduced per website (chart)
     * Serious vulnerability: a security weakness that, if exploited, may lead to a breach or to data loss of a system, its data, or its users (PCI-DSS severity HIGH, CRITICAL, or URGENT).
  8. AT A GLANCE: INDUSTRY (2012) (chart)
  9. WINDOW OF EXPOSURE: The average number of days in a year a website is exposed to at least one serious* vulnerability (chart)
  10. MOST COMMON VULNS: Top 15 Vulnerability Classes (2012). Percentage likelihood that at least one serious* vulnerability will appear in a website (chart; 2011 values also shown)
  11. TOP 7: BY INDUSTRY (chart)
  12. OVERALL: Overall Vulnerability Population (2012). Percentage breakdown of all the serious* vulnerabilities discovered, sorted by vulnerability class (chart)
  13. ATTACKS IN-THE-WILD: WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
  15.–20. INDUSTRY CORRELATION (chart slides with no transcribed text; slides 16 and 17 cite the WASC Web Hacking Incident Database above)
  21. POLLING QUESTION (please vote now): What is your #1 driver for resolving vulnerabilities?
  22. INDUSTRY CORRELATION (chart)
  23. POLLING QUESTION (please vote now): When your organization’s website vulnerabilities go unresolved, what’s the #1 reason why?
  24.–26. INDUSTRY CORRELATION (chart slides; slide 26 cites the WASC Web Hacking Incident Database above)
  27.–28. SDLC SURVEY (chart slides; both cite the WASC Web Hacking Incident Database above)
  29. SURVEY: BREACH CORRELATION (the findings that follow are correlations across the surveyed organizations, not controlled comparisons; they do not by themselves show that a practice causes the difference)
  30. BREACH CORRELATION: Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
  31. BREACH CORRELATION: Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
  32. BREACH CORRELATION (chart; cites the WASC Web Hacking Incident Database above)
  33. BREACH CORRELATION: Organizations that performed Static Code Analysis on their website(s)’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
  34. BREACH CORRELATION: Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
  35. BREACH CORRELATION (chart; cites the WASC Web Hacking Incident Database above)
  36. BREACH CORRELATION: Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
  38.–46. ACCOUNTABILITY (chart slides with no transcribed text; most cite the WASC Web Hacking Incident Database above)
  47. SOME LESSONS LEARNED (SO FAR)
  48. LESSONS
     • “Best practices”: there aren’t any!
     • Assign an individual or group that is accountable for website security
     • Find your websites (all of them) and prioritize
     • Measure your current security posture from an attacker’s perspective
     • Trend and track the lifecycle of vulnerabilities
     • Fast detection and response
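The deck reports three metrics per website or organization: the number of new serious vulnerabilities per year (slide 7), the window of exposure (slide 9), and, in the breach-correlation slides, time-to-fix and remediation rate. The following is an added example (not WhiteHat Sentinel code and not the report's own methodology) showing how to compute those metrics from a vulnerability tracker export so you can "trend and track the lifecycle of vulnerabilities" on your own sites. The `Finding` record, its field names and the sample findings are constructed for this example; the serious-severity filter is the one slide 7 states (PCI-DSS HIGH, CRITICAL or URGENT). It goes slightly beyond the slides in that overlapping findings are merged so a day is never counted twice, and a finding still open at year end counts through the last day of the year.

```python
"""Website-security metrics of the kind the WhiteHat report tracks,
computed from a constructed finding list (added example, not WhiteHat code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Slide 7: a "serious" vulnerability is PCI-DSS severity HIGH, CRITICAL or URGENT.
SERIOUS_SEVERITIES = {"HIGH", "CRITICAL", "URGENT"}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a scanner or tracker might export it.
    The field names are assumptions made for this example."""
    site: str
    vuln_class: str
    severity: str                    # PCI-DSS severity label
    opened: date                     # date first reported
    closed: Optional[date] = None    # None means still unresolved


def serious(findings):
    return [f for f in findings if f.severity.upper() in SERIOUS_SEVERITIES]


def new_serious_per_site(findings, year):
    """Slide 7: new serious findings opened on each site during `year`."""
    counts = {}
    for f in serious(findings):
        if f.opened.year == year:
            counts[f.site] = counts.get(f.site, 0) + 1
    return counts


def window_of_exposure(findings, site, year):
    """Slide 9: days in `year` on which `site` had at least one serious finding open.
    A finding counts from `opened` up to but not including `closed` (or through
    year end if unresolved); overlapping findings are merged so a day counts once."""
    year_start, year_end = date(year, 1, 1), date(year + 1, 1, 1)   # half-open range
    intervals = []
    for f in serious(findings):
        if f.site != site:
            continue
        lo = max(f.opened, year_start)
        hi = min(f.closed or year_end, year_end)
        if lo < hi:                      # ignore findings with no days inside the year
            intervals.append((lo, hi))
    intervals.sort()
    exposed_days = 0
    cur_lo = cur_hi = None
    for lo, hi in intervals:
        if cur_hi is not None and lo <= cur_hi:     # overlaps or touches current run
            cur_hi = max(cur_hi, hi)
        else:
            if cur_hi is not None:
                exposed_days += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        exposed_days += (cur_hi - cur_lo).days
    return exposed_days


def average_time_to_fix(findings, year):
    """Mean days from opened to closed for serious findings opened in `year`
    that have been resolved; None when nothing was resolved."""
    durations = [(f.closed - f.opened).days for f in serious(findings)
                 if f.opened.year == year and f.closed is not None]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings, year):
    """Fraction of serious findings opened in `year` that have been resolved."""
    opened = [f for f in serious(findings) if f.opened.year == year]
    if not opened:
        return None
    return sum(1 for f in opened if f.closed is not None) / len(opened)


# Constructed sample export; not real assessment results. 2012 is a leap year.
SAMPLE = [
    Finding("shop.example", "Content Spoofing", "HIGH", date(2011, 12, 15), date(2012, 1, 5)),
    Finding("shop.example", "SQL Injection", "CRITICAL", date(2012, 1, 10), date(2012, 2, 9)),
    Finding("shop.example", "Cross-Site Scripting", "HIGH", date(2012, 2, 1), date(2012, 3, 2)),
    Finding("shop.example", "Information Leakage", "MEDIUM", date(2012, 3, 1), None),
    Finding("shop.example", "Cross-Site Request Forgery", "HIGH", date(2012, 11, 1), None),
    Finding("api.example", "SQL Injection", "URGENT", date(2012, 5, 1), date(2012, 5, 11)),
    Finding("api.example", "Cross-Site Scripting", "HIGH", date(2012, 5, 5), date(2012, 5, 15)),
]


def report(findings, year):
    """Per-site numbers in the shape of the deck's 'at a glance' slides,
    plus the population-wide time-to-fix and remediation rate."""
    new = new_serious_per_site(findings, year)
    summary = {site: {"new_serious": new.get(site, 0),
                      "window_of_exposure_days": window_of_exposure(findings, site, year)}
               for site in sorted({f.site for f in findings})}
    summary["avg_time_to_fix_days"] = average_time_to_fix(findings, year)
    summary["remediation_rate"] = remediation_rate(findings, year)
    return summary


if __name__ == "__main__":
    for key, value in report(SAMPLE, 2012).items():
        print(f"{key}: {value}")
```

For shop.example the Content Spoofing finding opened in 2011 is not counted as new in 2012 but still contributes its January days to the window of exposure, the MEDIUM Information Leakage finding is excluded entirely, and the unresolved CSRF finding keeps the site exposed through 31 December. The remediation rate is computed over findings opened in the year, which is why a site can improve its time-to-fix and still show a lower rate, the pattern several of the breach-correlation slides report.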
  49. Thank you!
     JEREMIAH GROSSMAN, Founder and CTO. Twitter: @jeremiahg. Email: jeremiah@whitehatsec.com
     GABRIEL GUMBS, Sr. Solutions Architect. Twitter: @GabrielGumbs. Email: gabriel.gumbs@whitehatsec.com