WhiteHat Security Website Statistics Report [SLIDES] (2013)


WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.

Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.

To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.

Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.

Published in: Technology
  • Not Technology
  • The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.
  • Assign an individual or group that is accountable for website security: These individuals or groups may include the board of directors, executive management, security teams, and software developers. They should be commissioned and authorized to establish a culturally consistent incentives program that will help move the organization in a positive direction with respect to security.
  • Find your websites – all of them – and prioritize: Prioritization can be based on business criticality, data sensitivity, revenue generation, traffic volume, number of users, or other criteria the organization deems important. Knowing what systems need to be defended and what value they have to the organization provides a barometer for an appropriate level of security investment.
  • Measure your current security posture from an attacker’s perspective: This step is not just about identifying vulnerabilities; while that is a byproduct of the exercise, it’s about understanding what classes of adversaries you need to defend against and what your current exposure to them is. Just finding vulnerabilities is not enough. Measure your security posture the same way a bad guy would before they exploit the system – fixing those vulnerabilities first is what’s important.
  • Trend and track the lifecycle of vulnerabilities: At a minimum, measure how many vulnerabilities are introduced per production code release, what vulnerability classes are most prevalent, the average number of days it takes to remediate them, and the overall remediation rate. The result provides a way to track the organization’s progress over time and serves as a guide for which of the SDLC-related activities are likely to make the most impact. Anything measured tends to improve.
  • Fast detection and response: It has been prudent to operate under the assumption that [all] networks are compromised. This is the case especially since everyone is only one zero-day away from a break-in. Borrowing from that frame of reference, application security professionals are well advised to take a similar approach and focus on the impact of that assumption – start by asking the question “If my application is already vulnerable, what action(s) should I begin taking?” If an organization is breached, the real damage happens when the adversary is in the system for days, weeks, or months. If they can be successfully identified and kicked off the system within hours, the business impact of a breach can be minimized.

    2. THE COMPANY
       WhiteHat Security, Inc.
       • Founded 2001
       • Headquartered in Santa Clara, CA
       • Employees: 270+
       • WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
       • Customers: 650+ (banking, retail, healthcare, etc.)
       © 2013 WhiteHat Security, Inc.
    3. POLLING QUESTION (Please vote now)
       How would you characterize yourself?
    4. HISTORY
       What we knew going into 2012...
       • “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” – Verizon Data Breach Investigations Report (2012)
       • “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” – Privacyrights.org
    6. ABOUT THE DATA
    7. AT A GLANCE
       Average annual amount of new serious* vulnerabilities introduced per website
       * Serious Vulnerability: A security weakness that if exploited may lead to breach or data loss of a system, its data, or users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
    8. AT A GLANCE: INDUSTRY (2012)
    9. WINDOW OF EXPOSURE
       The average number of days in a year a website is exposed to at least one serious* vulnerability.
    10. MOST COMMON VULNS
        Top 15 Vulnerability Classes (2012)
        Percentage likelihood that at least one serious* vulnerability will appear in a website
        2011
    11. TOP 7: BY INDUSTRY
    12. OVERALL
        Overall Vulnerability Population (2012)
        Percentage breakdown of all the serious* vulnerabilities discovered (sorted by vulnerability class)
    13. ATTACKS IN-THE-WILD
        WASC: Web Hacking Incident Database
        http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
    14. SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)
    15. INDUSTRY CORRELATION
    16. INDUSTRY CORRELATION
    17. INDUSTRY CORRELATION
    18. INDUSTRY CORRELATION
    19. INDUSTRY CORRELATION
    20. INDUSTRY CORRELATION
    21. POLLING QUESTION (Please vote now)
        What is your #1 driver for resolving vulnerabilities?
    22. INDUSTRY CORRELATION
    23. POLLING QUESTION (Please vote now)
        When your organization’s website vulnerabilities go unresolved, what’s the #1 reason why?
    24. INDUSTRY CORRELATION
    25. INDUSTRY CORRELATION
    26. INDUSTRY CORRELATION
    27. SDLC SURVEY
    28. SDLC SURVEY
    29. SURVEY: BREACH CORRELATION
    30. BREACH CORRELATION
        Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
    31. BREACH CORRELATION
        Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
    32. BREACH CORRELATION
    33. BREACH CORRELATION
        Organizations that performed Static Code Analysis on their website(s) underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
    34. BREACH CORRELATION
        Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
    35. BREACH CORRELATION
    36. BREACH CORRELATION
        Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
    38. ACCOUNTABILITY
    39. ACCOUNTABILITY
    40. ACCOUNTABILITY
    41. ACCOUNTABILITY
    42. ACCOUNTABILITY
    43. ACCOUNTABILITY
    44. ACCOUNTABILITY
    45. ACCOUNTABILITY
    46. ACCOUNTABILITY
    47. SOME LESSONS LEARNED (SO FAR)
    48. LESSONS
        • “Best-Practices” – there aren’t any!
        • Assign an individual or group that is accountable for website security
        • Find your websites – all of them – and prioritize
        • Measure your current security posture from an attacker’s perspective
        • Trend and track the lifecycle of vulnerabilities
        • Fast detection and response
    49. Thank you!
        JEREMIAH GROSSMAN, Founder and CTO
        Twitter: @jeremiahg
        Email: jeremiah@whitehatsec.com
        GABRIEL GUMBS, Sr. Solutions Architect
        Twitter: @GabrielGumbs
        Email: gabriel.gumbs@whitehatsec.com