8th Website Security Statistics Report
Full Report Available: https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209


Jeremiah Grossman, Founder & Chief Technology Officer
Webinar, 11.12.2009


                                                                                       © 2009 WhiteHat, Inc.
Jeremiah Grossman
•   Technology R&D and industry evangelist
•   InfoWorld's CTO Top 25 for 2007
•   Frequent international conference speaker
•   Co-founder of the Web Application Security Consortium
•   Co-author: Cross-Site Scripting Attacks
•   Former Yahoo! information security officer




WhiteHat Security
• 250+ enterprise customers
 • Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
 • 1000’s of assessments performed annually
• Recognized leader in website security
 • Quoted thousands of times by the mainstream press




WhiteHat Sentinel
Complete Website Vulnerability Management
Customer Controlled & Expert Managed

• Unique SaaS-based solution – Highly scalable delivery of service at
  a fixed cost
• Production Safe – No Performance Impact
• Full Coverage – On-going testing for business logic flaws and
  technical vulnerabilities – uses WASC 24 classes of attacks as
  reference point
• Unlimited Assessments – Anytime websites change
• Eliminates False Positives – Security Operations Team verifies all
  vulnerabilities
• Continuous Improvement & Refinement – Ongoing updates and
  enhancements to underlying technology and processes




Know Your Enemy
Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and profit driven ($$$)
Directed Opportunistic
• Commercial / Open Source Tools
• Authentication scans
• Multi-step processes (forms)
Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately




Website Classes of Attacks
Business Logic: Humans Required

Authentication
 • Brute Force
 • Insufficient Authentication
 • Weak Password Recovery Validation
 • CSRF*

Authorization
 • Credential/Session Prediction
 • Insufficient Authorization
 • Insufficient Session Expiration
 • Session Fixation

Logical Attacks
 • Abuse of Functionality
 • Denial of Service
 • Insufficient Anti-automation
 • Insufficient Process Validation

Technical: Automation Can Identify

Command Execution
 • Buffer Overflow
 • Format String Attack
 • LDAP Injection
 • OS Commanding
 • SQL Injection
 • SSI Injection
 • XPath Injection

Information Disclosure
 • Directory Indexing
 • Information Leakage
 • Path Traversal
 • Predictable Resource Location

Client-Side
 • Content Spoofing
 • Cross-site Scripting
 • HTTP Response Splitting*



Data Overview
•   1,364 total websites (32% ↑)
•   22,776 verified custom web application vulnerabilities* (4,888 ↑)
•   Data collected from January 1, 2006 to October 1, 2009
•   Vast majority of websites assessed for vulnerabilities weekly
•   Vulnerabilities classified according to WASC Threat Classification
•   Vulnerability severity naming convention aligns with PCI-DSS
•   Average number of links per website: 766**
•   Average number of inputs (attack surface) per website: 246
•   Average ratio of vulnerability count / number of inputs: 2.14%
•   Anti-Clickjacking X-FRAME-OPTIONS: 1
•   HTTPOnly flag: 150

* Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).

** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.

Technology Breakdown

URL Extension    % of websites    % of vulnerabilities
unknown          62%              39%
aspx             23%              9%
asp              22%              24%
xml              11%              2%
jsp              10%              8%
do               6%               3%
php              6%               3%
html             5%               2%
old              3%               1%
cfm              3%               4%
bak              3%               1%
dll              2%               1%
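The counting rule in the first footnote is easy to get wrong when aggregating scanner output, so here is the convention carried through in code. This is an added illustration, not WhiteHat's data or tooling: the findings, the application paths and the input count are constructed, and the function names are the author's own.

```python
"""Illustrates the report's counting convention (added example, not WhiteHat
data or code): a finding is counted once per unique (web application, class
of attack) pair, so three SQL-injectable parameters in /foo/webapp.cgi are
one vulnerability, and the count is then divided by the number of inputs."""
from collections import Counter, namedtuple

# One raw finding as a scanner or reviewer might record it.
Finding = namedtuple("Finding", ["app", "parameter", "attack_class"])

# Constructed sample: five parameters in /foo/webapp.cgi, three of them
# SQL-injectable, plus an XSS there and a second application with XSS.
SAMPLE_FINDINGS = [
    Finding("/foo/webapp.cgi", "id",   "SQL Injection"),
    Finding("/foo/webapp.cgi", "user", "SQL Injection"),
    Finding("/foo/webapp.cgi", "sort", "SQL Injection"),
    Finding("/foo/webapp.cgi", "q",    "Cross-Site Scripting"),
    Finding("/bar/search.aspx", "term", "Cross-Site Scripting"),
]
SAMPLE_INPUTS = 100  # constructed attack-surface size for the sample site


def unique_vulnerabilities(findings):
    """Collapse raw findings to the set of (app, class) pairs the report counts."""
    return {(f.app, f.attack_class) for f in findings}


def count_vulnerabilities(findings):
    """Report-style count: the 5 raw findings above become 3 vulnerabilities."""
    return len(unique_vulnerabilities(findings))


def per_class_breakdown(findings):
    """Number of applications affected by each class (the 'by class' tables)."""
    return dict(Counter(cls for _app, cls in unique_vulnerabilities(findings)))


def vulnerability_to_input_ratio(findings, inputs):
    """The 'vulnerability count / number of inputs' ratio the report averages per site."""
    if inputs <= 0:
        raise ValueError("a site with no inputs has no attack surface to normalise by")
    return count_vulnerabilities(findings) / inputs


if __name__ == "__main__":
    print(count_vulnerabilities(SAMPLE_FINDINGS))   # 3
    print(per_class_breakdown(SAMPLE_FINDINGS))     # SQL Injection: 1, Cross-Site Scripting: 2
    print(f"{vulnerability_to_input_ratio(SAMPLE_FINDINGS, SAMPLE_INPUTS):.2%}")  # 3.00%
```

Feeding the raw finding list to `count_vulnerabilities` rather than `len` is what keeps a parameter-heavy application from dominating the per-site totals, which is why the report's ratio to inputs stays comparable across sites of very different size.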
Key Findings
All Websites
• 83% of websites have had a HIGH, CRITICAL, or URGENT issue
• 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 61% vulnerability resolution rate with 8,902 unresolved issues remaining
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website
  during the vulnerability assessment lifetime: 16.7
• Average number of serious unresolved vulnerabilities per website: 6.5

SSL-Only Websites
• 44% of websites are using SSL
• 81% of websites have had a HIGH, CRITICAL, or URGENT issue
• 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 58% vulnerability resolution rate among the sample, with 2,484 of 5,863
  historical vulnerabilities remaining unresolved
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per
  website during the vulnerability assessment lifetime: 9.7
• Average number of serious unresolved vulnerabilities per website: 4.1


[Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH); the plotted values are not recoverable from this extraction.]
WhiteHat Security Top Ten
                  Percentage likelihood of a website
                    having a vulnerability by class

                        Cross-Site Scripting
                        Information Leakage
                        Content Spoofing
                        Insufficient Authorization
                        SQL Injection
                        Predictable Resource Location
                        Cross-Site Request Forgery
                        Session Fixation
                        HTTP Response Splitting
                        Abuse of Functionality




Vulnerability Population

Class of Attack                  Share
Cross-Site Scripting             63%
Content Spoofing                 8%
SQL Injection                    7%
Information Leakage              6%
Other                            5%
Predictable Resource Location    4%
HTTP Response Splitting          4%
Insufficient Authorization       3%
Time-to-Fix (Days)

Cross-Site Scripting             9 ↑
Information Leakage              7 ↓
Content Spoofing                 16 ↑
Insufficient Authorization       15 ↓
SQL Injection                    24 ↑
Predictable Resource Location    39 ↓
Cross-Site Request Forgery       37 ↑
Session Fixation                 2 ↑
HTTP Response Splitting          5 ↓
Abuse of Functionality           -
* Up/down arrows indicate the increase or decrease since the last report.

Best-case scenario: Not all vulnerabilities have been fixed...
Resolution Rates
              Class of Attack                    % resolved            Δ       severity
Cross Site Scripting                                   12%             8↓       urgent
Insufficient Authorization                             18%             1↓       urgent
SQL Injection                                          40%            10 ↑      urgent
HTTP Response Splitting                                12%            15 ↓      urgent
Directory Traversal                                    65%            12 ↑      urgent
Insufficient Authentication                            37%             1↓       critical
Cross-Site Scripting                                   44%             5↑       critical
Abuse of Functionality                                 14%            14 ↓      critical
Cross-Site Request Forgery                             39%             6↓       critical
Session Fixation                                       31%            10 ↑      critical
Brute Force                                            31%            20 ↑       high
Content Spoofing                                       46%            21 ↑       high
HTTP Response Splitting                                32%             2↑        high
Information Leakage                                    30%            21 ↑       high
Predictable Resource Location                          34%             8↑        high
   * Up/down arrows indicate the increase or decrease since the last report.




Zero-Vulnerability Websites
•   485 total websites
•   17% of websites have never had a HIGH, CRITICAL, or URGENT issue
•   36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
•   1,800 verified custom web application vulnerabilities
•   Lifetime average number of vulnerabilities per website: 3.7
•   Average number of inputs per website: 244
•   Average ratio of vulnerability count / number of inputs: 2.11%

Percentage likelihood of a website having a vulnerability by class
1. Cross-Site Scripting (37.3%)
2. Information Leakage (22.2%)
3. Content Spoofing (10.7%)
4. Predictable Resource Location (7.8%)
5. SQL Injection (7.4%)
6. Abuse of Functionality (4.3%)
7. Insufficient Authorization (4.1%)
8. Session Fixation (4.1%)
9. Cross Site Request Forgery (3.7%)
10. HTTP Response Splitting (3.1%)

Technology Breakdown

URL Extension    % of websites    % of vulnerabilities
unknown          33%              33%
aspx             7%               10%
asp              14%              25%
jsp              7%               9%
do               7%               8%
html             2%               2%
old              2%               2%
cfm              2%               3%
Vulnerability Population: Zero-Vulnerability Websites

Class of Attack                  Share
Cross-Site Scripting             62%
Other                            9%
Information Leakage              8%
Content Spoofing                 6%
SQL Injection                    6%
Predictable Resource Location    5%
Cross-Site Request Forgery       4%
Time-to-Fix (Days): Zero-Vulnerability Websites

[Chart: time-to-fix in days for Zero-Vulnerability Websites, by class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Cross-Site Request Forgery, Session Fixation, HTTP Response Splitting, Abuse of Functionality; the plotted values are not recoverable from this extraction.]
Industry Verticals

[Chart: vulnerability figures by industry vertical; the bar values are not recoverable from this extraction. Only the change markers printed above each bar survive:]

Vertical               Δ since last report
Retail                 1 ↑
Financial Services     -
IT                     1 ↑
Healthcare             6 ↑
Pharma                 -
Telecom                12 ↑
Insurance              15 ↑
Social Networking      3 ↓
Education              3 ↑
* Up/down arrows indicate the increase or decrease since the last report.
Operationalize

1) Where do I start?
Locate the websites you are responsible for.

2) What do I do next?
Rank websites based upon business criticality.

3) What should I be concerned about first?
Random Opportunistic, Directed Opportunistic, Fully Targeted.

4) What is our current security posture?
Vulnerability assessments, pen-tests, traffic monitoring.

5) How best to improve our survivability?
SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.

[Diagram: Risk vs. Resources. What is your organization's tolerance for risk (per website)?]
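Step 4 asks what the current posture is, and the Data Overview slide gives two cheap posture signals it counted across the fleet: the X-FRAME-OPTIONS anti-clickjacking header (1 site) and the HttpOnly cookie flag (150 sites). The following is an added example of how a defender can derive those two counts from captured responses; it is not WhiteHat Sentinel's implementation, and the two responses, the site names and the function names are all constructed for illustration.

```python
"""Audit captured HTTP responses for the two defensive controls the Data
Overview slide counts across sites: the X-FRAME-OPTIONS anti-clickjacking
header and the HttpOnly attribute on Set-Cookie. Added example, not WhiteHat
Sentinel's implementation; the responses below are constructed."""

# Constructed responses: site A sets a cookie without HttpOnly and sends no
# X-Frame-Options; site B has both controls in place.
SITE_A_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "\r\n"
    "<html></html>"
)
SITE_B_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: sid=xyz789; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_SITES = {"site-a.example": SITE_A_RESPONSE, "site-b.example": SITE_B_RESPONSE}


def parse_headers(raw_response):
    """Return (lower-cased name, value) pairs from the header block, keeping
    repeated headers such as multiple Set-Cookie lines."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw_response):
    """Report the X-Frame-Options value (None if absent) and cookies lacking HttpOnly."""
    headers = parse_headers(raw_response)
    xfo = [v for n, v in headers if n == "x-frame-options"]
    cookies = [v for n, v in headers if n == "set-cookie"]
    missing_httponly = []
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attributes = {p.lower() for p in parts[1:]}  # attribute names are case-insensitive
        if "httponly" not in attributes:
            missing_httponly.append(name)
    return {
        "x_frame_options": xfo[0] if xfo else None,
        "cookies_total": len(cookies),
        "cookies_missing_httponly": missing_httponly,
    }


def fleet_counts(responses_by_site):
    """Aggregate the way the slide does: how many sites send X-Frame-Options and
    how many set every cookie with HttpOnly."""
    xfo_sites = httponly_sites = 0
    for raw in responses_by_site.values():
        result = audit_response(raw)
        if result["x_frame_options"] is not None:
            xfo_sites += 1
        if result["cookies_total"] and not result["cookies_missing_httponly"]:
            httponly_sites += 1
    return {"x_frame_options": xfo_sites, "httponly_on_all_cookies": httponly_sites}


if __name__ == "__main__":
    for site, raw in SAMPLE_SITES.items():
        print(site, audit_response(raw))
    print(fleet_counts(SAMPLE_SITES))  # {'x_frame_options': 1, 'httponly_on_all_cookies': 1}
```

A site only counts as "HttpOnly" here when every cookie it sets carries the flag, because a single unprotected session cookie is what matters to an XSS payload; the per-site result also lists which cookie names fall short so the finding can be handed to the owning team.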
Website Risk Management Infrastructure




Thank You!
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com

WhiteHat Security
http://www.whitehatsec.com/




