
Website Security Statistics Report (2010) - Industry Benchmarks (Slides)

May 09, 2015


Every organization needs to know where it stands with its application security program, especially against its adversaries. Verizon Business' 2010 Data Breach Investigations Report (DBIR), a study conducted in cooperation with the United States Secret Service, provides insight. The report analyzes over 141 confirmed data breaches from 2009 which resulted in the compromise of 143 million records. To be clear, this data set is restricted to incidents of a "data" breach, which is different from those resulting only in financial loss. Either way, the data is overwhelming. The majority of breaches, and almost all of the data stolen in 2009 (95%), were perpetrated by remote organized criminal groups hacking "servers and applications," that is, web servers and web applications, "websites" for short. The attack vector of choice was SQL Injection, typically a vulnerability that can't readily be "patched," and it was used to install customized malware.

Until now, no metrics have been published that organizations can use as a benchmark to compare themselves against their industry peers. Such benchmarks may help answer the questions "How are we doing?" and "Are we secure enough?" WhiteHat Security's 10th Website Security Statistics Report presents a statistical picture of the vulnerability assessment results from over 2,000 websites across 350 organizations under WhiteHat Sentinel management. For the first time, the numbers are broken down by industry and by size of organization. The data provides a unique perspective on the state of website security that may begin to answer some of these pressing questions.
Transcript
Page 1: Website Security Statistics Report (2010) - Industry Benchmarks (Slides)

10th Website Security Statistics Report
Industry Benchmarks

Jeremiah Grossman, Founder & Chief Technology Officer

Webcast 09.22.2010

2,000+ websites

© 2010 WhiteHat Security, Inc.

Page 2

Jeremiah Grossman

• WhiteHat Security Founder & CTO

• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)

• Frequent international conference speaker

• Co-founder of the Web Application Security Consortium

• Co-author: Cross-Site Scripting Attacks

• Former Yahoo! information security officer


Page 3

• 350+ enterprise customers

• Start-ups to Fortune 500

• Flagship offering “WhiteHat Sentinel Service”

• 1000’s of assessments performed annually

• Recognized leader in website security

• Quoted thousands of times by the mainstream press

WhiteHat Security

Page 4

• 350+ organizations (Start-ups to Fortune listed)

• 2,000+ websites

• 32,000+ verified custom web application vulnerabilities

• Majority of websites assessed multiple times per month

• Data collected from January 1, 2006 to August 25, 2010

Data Overview

Note: The websites WhiteHat Sentinel assesses likely represent the most “important” and “secure” websites on the Web, owned by organizations that are very serious about their security.

Page 5

WhiteHat Sentinel

• Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost

• Production Safe – No Performance Impact

• Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point

• Unlimited Assessments – Anytime websites change

• Eliminates False Positives – Security Operations Team verifies all vulnerabilities

• Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes

Complete Website Vulnerability Management – Customer Controlled & Expert Managed

Page 6

Website Classes of Attacks

Page 7

Attacker Targeting

Random Opportunistic

• Fully automated scripts

• Unauthenticated scans

• Targets chosen indiscriminately

Directed Opportunistic

• Commercial and Open Source Tools

• Authenticated scans

• Multi-step processes (forms)

Fully Targeted (APT?)

• Customize their own tools

• Focused on business logic

• Profit or goal driven ($$$)

Page 8

Avg. # of Serious* Vulnerabilities

* Serious Vulnerabilities: Those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.

(Sorted by Industry)

Page 9

Avg. # of Serious* Vulnerabilities

[Chart: Average Number of Vulnerabilities (y-axis) by Organization Size (x-axis); series: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees)]

(Sorted by Size of the Organization)

Page 10

[Chart: average number of serious vulnerabilities per website (scale 0.00 to 35.00) by industry: Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications; series: small (up to 150 employees), medium (150 - 2,500 employees), large (2,500 and over employees)]

(Sorted by Organization Size & Industry)

Page 11

Overall Top Vulnerability Classes

Percentage likelihood of a website having a vulnerability by class

Page 12

Overall Top Vulnerability Classes

(Sorted by Industry & Percentage Likelihood)

Page 13

Overall Top Vulnerability Classes

(Sorted by Size of Organization and Percentage Likelihood)

Page 14

Time-to-Fix

[Chart: Time-to-Fix by industry; y-axis 0 to 100, x-axis 1 to 211 days; series: Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications]

(Sorted by Industry)

Page 15

Industry             Leaders (Top 25%)   Above Average (Mid 25% - 50%)   Laggards (Lower 50% - 75%)
Overall              5                   13                              30
Banking              2                   3                               13
Education            5                   14                              19
Financial Services   6                   11                              28
Healthcare           3                   9                               22
Insurance            10                  22                              39
IT                   5                   13                              29
Retail               6                   18                              40
Social Networking    3                   9                               28
Telecommunications   2                   5                               25

Time-to-Fix in days (Sorted by Industry & Performance)

Page 16

[Chart: Time-to-Fix by organization size; y-axis 0 to 100, x-axis 1 to 211 days; series: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees)]

Size of Organization               Leaders (Top 25%)   Above Average (Mid 25% - 50%)   Laggards (Lower 50% - 75%)
small (up to 150 employees)        4                   12                              26
medium (150 - 2,500 employees)     5                   10                              26
large (2,500 and over employees)   6                   15                              35

(Sorted by Size of the Organization)

Time-to-Fix

Page 17

[Chart: percentage of websites (0 to 100) falling in each remediation rate range: 0 - 20%, 21% - 40%, 41% - 60%, 61% - 80%, 81% - 100%; industries: Banking, Education, Financial Services, Healthcare, Insurance, IT, Retail, Social Networking, Telecommunications, Overall]

(Percentage of Websites within Remediation Rate Ranges Sorted by Industry)

Remediation Rate

Page 18

Remediation Rate

[Chart: Average Remediation Rate (y-axis) by Organization Size (x-axis); series: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees)]

(Sorted by Size of the Organization)

Page 19

Remediation Rate

[Chart: Average Remediation Rate (y-axis) by Organization Size (x-axis) and industry; series: large (2,500 and over employees), medium (150 - 2,500 employees), small (up to 150 employees); industries: Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications]

(Sorted by Industry and Organization Size)
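The three figures the deck benchmarks (average open serious vulnerabilities per website, time-to-fix split into leaders / above average / laggards, and remediation rate) are easy to reproduce for your own program once findings are recorded with a severity and an open/close date. The script below is an added example written for this page, not WhiteHat Sentinel code: the finding list is constructed, and reading the slides' "Top 25% / Mid 25% - 50% / Lower 50% - 75%" bands as the 25th, 50th and 75th percentiles of days-to-close is an interpretation, not a definition taken from the report.

```python
"""Benchmark metrics from the slides, computed over a constructed finding list.

Added example; this is not WhiteHat Sentinel code. The band definitions
(leaders = 25th percentile, above average = 50th, laggards = 75th) are an
interpretation of the slides' "Top 25% / Mid 25%-50% / Lower 50%-75%" labels.
"""
import math
from collections import defaultdict
from datetime import date

# Severities the slides count as "serious" (PCI-DSS naming conventions).
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}

# Constructed sample findings: (website, industry, severity, opened, closed or None).
FINDINGS = [
    ("shop.example", "Retail",  "HIGH",     date(2010, 3, 1),  date(2010, 3, 6)),
    ("shop.example", "Retail",  "URGENT",   date(2010, 3, 2),  date(2010, 3, 15)),
    ("shop.example", "Retail",  "MEDIUM",   date(2010, 3, 2),  None),
    ("shop.example", "Retail",  "CRITICAL", date(2010, 4, 1),  None),
    ("shop.example", "Retail",  "HIGH",     date(2010, 4, 10), None),
    ("bank.example", "Banking", "HIGH",     date(2010, 2, 1),  date(2010, 2, 3)),
    ("bank.example", "Banking", "HIGH",     date(2010, 2, 10), date(2010, 2, 12)),
    ("bank.example", "Banking", "URGENT",   date(2010, 5, 1),  None),
    ("blog.example", "Retail",  "HIGH",     date(2010, 1, 5),  date(2010, 2, 4)),
    ("blog.example", "Retail",  "HIGH",     date(2010, 1, 20), None),
]


def serious_only(findings):
    """Keep only findings whose severity the slides call serious."""
    return [f for f in findings if f[2] in SERIOUS]


def avg_open_serious_per_site(findings):
    """Average number of currently open serious vulnerabilities per website.
    Sites with nothing open still count in the denominator."""
    per_site = {f[0]: 0 for f in findings}
    for site, _industry, severity, _opened, closed in findings:
        if severity in SERIOUS and closed is None:
            per_site[site] += 1
    return sum(per_site.values()) / len(per_site)


def remediation_rate(findings):
    """Percentage of serious vulnerabilities that have been closed."""
    serious = serious_only(findings)
    fixed = sum(1 for f in serious if f[4] is not None)
    return 100.0 * fixed / len(serious)


def percentile(values, pct):
    """Nearest-rank percentile (pct in 0..100) of a list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def time_to_fix_bands(findings):
    """Days from discovery to closure for closed serious findings, summarised
    as the three performance bands used on the slides."""
    days = [(f[4] - f[3]).days for f in serious_only(findings) if f[4] is not None]
    return {
        "leaders_top_25": percentile(days, 25),
        "above_average_mid_25_50": percentile(days, 50),
        "laggards_lower_50_75": percentile(days, 75),
    }


def by_industry(findings, metric):
    """Apply a metric function separately to each industry's findings."""
    groups = defaultdict(list)
    for f in findings:
        groups[f[1]].append(f)
    return {industry: metric(fs) for industry, fs in groups.items()}


if __name__ == "__main__":
    print("avg open serious per site:", round(avg_open_serious_per_site(FINDINGS), 2))
    print("remediation rate:", round(remediation_rate(FINDINGS), 1), "%")
    print("time-to-fix bands (days):", time_to_fix_bands(FINDINGS))
    print("remediation rate by industry:", by_industry(FINDINGS, remediation_rate))
```

Two choices matter when comparing against the deck's numbers: only serious severities enter the remediation and time-to-fix figures (the MEDIUM finding above is ignored), and websites with zero open findings stay in the per-site average, otherwise a clean site pulls nothing down.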

Page 20

• No one at the organization understands or is responsible for maintaining the code.

• Development group does not understand or respect the vulnerability.

• Feature enhancements are prioritized ahead of security fixes.

• Lack of budget to fix the issues.

• Affected code is owned by an unresponsive third-party vendor.

• Website will be decommissioned or replaced “soon.”

• Risk of exploitation is accepted.

• Solution conflicts with business use case.

• Compliance does not require fixing the issue.

Why do vulnerabilities go unfixed?

Page 21

1) Find your websites (all of them)
Identifying an organization's complete Web presence is vital to a successful program. You can’t secure what you don’t know you own. Find out what websites there are, what they do, document the data they possess, who is responsible for them, and other helpful metadata.

2) Website Valuation & Prioritization
Each website provides different value to an organization. Some process highly sensitive data, others contain only marketing brochure-ware. Some websites facilitate thousands of credit card transactions each day, others generate advertising revenue. When resources are limited, prioritization must focus on those assets offering the best risk-reducing return on investment consistent with business objectives.

3) Adversaries & Risk Tolerance
Not all adversaries, those attempting to compromise websites, have the same technical capability or end goal. Some adversaries are sentient, others are autonomous, and their methods differ, as does their target selection.

4) Measure your current security posture
Vulnerability assessments and penetration tests are designed to simulate the technical capabilities of a given type of adversary (step #3) and measure the success they would have. Finding as many vulnerabilities as possible is a byproduct of the exercise.

5) Remediation & Mitigation
From a risk management perspective it might be best to first fix a medium severity vulnerability on a main transactional website rather than a high severity issue in a non-critical system. Using the information obtained from steps 1 - 4, these decisions can be made with the confidence gained from the supporting data.
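A small worked example of the five steps, added here and not part of the slides: an inventory built in step 1 (what the site does, what data it holds, who owns it), a valuation tier from step 2, and a ranking for step 5 that scores each open finding by website value times severity. The sites, findings and tier weights are all constructed assumptions; the point the ranking makes is the slide's own, that a MEDIUM on the transactional site outranks a HIGH on a brochure site, and that a finding on a host missing from the inventory cannot be valued at all.

```python
"""Prioritise open findings by website value and severity, following the
five-step program on the slide. Added example, not WhiteHat code; the
inventory, findings and tier weights below are constructed assumptions."""

# Step 2: valuation tiers for websites (illustrative weights, not from the report).
ASSET_VALUE = {"transactional": 5, "customer-data": 4, "brochure": 1}
# Severity weights; URGENT/CRITICAL/HIGH are the slides' "serious" levels.
SEVERITY = {"URGENT": 5, "CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Step 1: the inventory: what each site does, what data it holds, who owns it.
SITES = {
    "checkout.example": {"owner": "payments-team", "data": "cardholder",   "tier": "transactional"},
    "portal.example":   {"owner": "web-team",      "data": "customer PII", "tier": "customer-data"},
    "promo.example":    {"owner": "marketing",     "data": "none",         "tier": "brochure"},
}

# Step 4 output: open findings as (website, severity, vulnerability class). Constructed.
OPEN_FINDINGS = [
    ("promo.example",    "HIGH",     "Cross-Site Scripting"),
    ("checkout.example", "MEDIUM",   "Cross-Site Scripting"),
    ("portal.example",   "CRITICAL", "SQL Injection"),
    ("promo.example",    "LOW",      "Cross-Site Scripting"),
    ("legacy.example",   "HIGH",     "SQL Injection"),   # host missing from the inventory
]


def risk_score(site, severity):
    """Value of the affected website times severity of the finding."""
    return ASSET_VALUE[SITES[site]["tier"]] * SEVERITY[severity]


def unknown_sites(findings):
    """Step 1 gap check: findings on hosts not in the inventory cannot be valued
    and point at websites the organization did not know it owned."""
    return sorted({f[0] for f in findings if f[0] not in SITES})


def prioritized(findings):
    """Step 5: rank inventoried findings, highest risk score first."""
    known = [f for f in findings if f[0] in SITES]
    return sorted(known, key=lambda f: risk_score(f[0], f[1]), reverse=True)


if __name__ == "__main__":
    for site, severity, vuln_class in prioritized(OPEN_FINDINGS):
        print(risk_score(site, severity), site, severity, vuln_class)
    print("not in inventory:", unknown_sites(OPEN_FINDINGS))
```

The multiplicative score is deliberately simple; what matters is that the ranking is driven by the inventory and valuation data from steps 1 and 2 rather than by severity alone, which is the reason the slide gives for being able to make these calls with confidence.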

Page 22

Blog: http://jeremiahgrossman.blogspot.com/

Twitter: http://twitter.com/jeremiahg

Email: [email protected]

Questions?