WhiteHat Security 2014 Statistics Report Explained
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites? By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to WhiteHat Security 2014 Statistics Report Explained
Similar to WhiteHat Security 2014 Statistics Report Explained (20)
More from Jeremiah Grossman
More from Jeremiah Grossman (20)
Recently uploaded
Recently uploaded (20)
WhiteHat Security 2014 Statistics Report Explained
- 1. WhiteHat Security 2014 Stats Report Explained Presented by: Jeremiah Grossman Twitter: @jeremiahg #2014WebStats
- 2. Founded in 2001 • 125+ web security experts: world’s largest security experts • 30,000s of assessments: currently running at this moment • Security leader: Gartner Magic Quadrant
- 3. Title: iCEO Info: 15 years in Info Security Fun fact: Brazillian Jiu-Jitsu Black Belt Jeremiah Grossman
- 4. What I’ll discuss today… • Overall key findings • Average vulnerabilities: security posture • Median days open by vulnerability class • Vulnerability class by language • Industry analysis • Recommendations/takeaways – How to use this report based on job role
- 5. Déjà Vu • Numerous report conclusions all point to the need for more secure software – Verizon Data Breach Report – FireHost “Superfecta” Attack Report • Cyber insurance claims reaching as high as $20 million, with an average payout of just above $900,000
- 6. Big Questions • Are some programming languages more secure than others? • What are the prevalent threats per programming language? • What are the prevalent threats per industry?
- 7. • 30,000 websites in all different verticals • Purely from WHS assessing w/ Sentinel • Because we focused on programming language About the Data
- 9. Percent of URLs by Language .NET JAVA ASP PHP ColdFusion Perl 5% 10% 15% 20% 25% 30% 40% 50%
- 10. Mean Number Of Vulnerabilities in Each Language 11 11 11 10 7 6 .Net Java ASP PHP ColdFusion Perl
- 11. • Risk exposure does not vary widely between languages, as language choice does not affect number of vulnerabilities. • We will take a look at risk exposure and remediation rates further into the discussion. Risk exposure
- 13. Vulnerabilities Found per Language What does this mean? .NET JAVA ASP PHP ColdFusion Perl 5% 10% 15% 20% 25% 30% 40% 50% (*Larger consequently more vulnerable)
- 14. Median Days Open by Vulnerability Class
- 15. Median Days Open - XSS • XSS vulnerabilities appear to take a relative amount of effort to fix regardless of the language. • Median days open by language – Perl open for median 184 days – ASP 135 – .Net 126 – PHP 49
- 16. Median Days Open - SQLi • PHP stood out from the pack with the lowest median days 6.8 • Median days open by language – ColdFusion open for median 107.4 days – ASP 97.5 – Java 64.8 – .Net 51.4 – Perl 19.4
- 17. • ASP vulnerabilities remain open the longest at 139 days • ColdFusion has the largest days open for SQLi at 107 • Languages with the most security controls are taking the longest to remediate. Why? Rounding Out the Top 5
- 19. Vulnerabilities Percent Class by Language
- 21. Remediation Rates by Vulnerability Class
- 23. Industry Analysis - Banking ASP ColdFusion .NET Java Perl PHP 5% 10% 20% 30% 40% 50% 60% 70% 57% XSS 44% Info. Leakage 49% XSS
- 24. Industry Analysis – IT ASP ColdFusion .NET Java Perl PHP 5% 10% 20% 30% 40% 50% 60% 70% 57% XSS 44% Info. Leakage 49% XSS
- 25. Industry Analysis – retail ASP ColdFusion .NET Java Perl PHP 5% 10% 20% 30% 40% 50% 60% 70% 44% Info. Leakage 57% XSS 49% XSS
- 26. Industry analysis – Financial service ASP ColdFusion .NET Java Perl PHP 5% 10% 20% 30% 40% 50% 60% 70% 49% XSS 44% Info. Leakage 57% XSS
- 27. Industry Analysis – Health Care ASP ColdFusion .NET Java Perl PHP 5% 10% 20% 30% 40% 50% 60% 70% 49% XSS 44% Info. Leakage 57% XSS
- 28. Recommendations
- 29. Language Choice • Does not matter – Test – Test – Test – All through SDLC • Developer training is also extremely important
- 30. Governance • Security program – Know all assets & Inventory of Assets – Policy Enforcement
- 31. • What is it? • Why is it important? • How do you measure risk? Risk Based Approach
- 32. How to Use This Report • If you are a – Developer – Security Staff – Security and/or Development Manager
- 33. • Are some programming languages more secure than others? • What are the prevalent threats per programming language? • What are the prevalent threats per industry? Big Questions…Answered
- 34. Questions Twitter: @whitehatsec Email: outreach@whitehatsec.com Follow the conversation: #2014WebStats Phone: 1-408-703-2750
Editor's Notes
- <Your info here>