© 2009 WhiteHat, Inc. Jeremiah Grossman Founder & Chief Technology Officer 7th Website Security Statistics Report Webinar 05.19.2009

WhiteHat Security "Website Security Statistics Report" (Q1'09)

Nov 18, 2014



The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.

The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
Transcript
Page 1: WhiteHat Security "Website Security Statistics Report" (Q1'09)

© 2009 WhiteHat, Inc.

Jeremiah Grossman
Founder & Chief Technology Officer

7th Website Security Statistics Report

Webinar 05.19.2009

Page 2: WhiteHat Security "Website Security Statistics Report" (Q1'09)


WhiteHat Security


• 200+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
• 1000’s of assessments performed annually
• Recognized leader in website security
• Quoted hundreds of times by the mainstream press

Page 3: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Web Security #1 Threat


The vast majority of websites possess serious vulnerabilities

Malicious website breaches are occurring in record numbers

"82% of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity.” (WhiteHat Security, 2008)

“70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.” (Websense, 2009)

PCI DSS Requirement 6.6 mandates application security
“Ensure that web-facing applications are protected against known attacks by applying either of the following methods. A) Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.

Federal Trade Commission Fines and Investigations
Over the last three years, the FTC has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information.

Page 4: WhiteHat Security "Website Security Statistics Report" (Q1'09)


WhiteHat Security - Website Risk Management

• WhiteHat Sentinel Service
• Unlimited website vulnerability assessment
• SaaS-based, annual subscription model
• Combination of proprietary scanning technology and expert operations team
• 200+ enterprise customers
• 1000’s of assessments performed annually, from start-ups to Fortune 500

Sentinel PE - Configured assessment delivery including comprehensive manual testing for business logic issues. For high-risk websites that hold sensitive data and perform critical business functions.

Sentinel SE - Configured assessment delivery with verified vulnerability reporting – designed for medium-risk websites with complex functionality requiring extensive configuration.

Sentinel BE - Self-service, automated assessment delivery with verified vulnerability reporting – designed for smaller, less complex, lower-risk websites.

Page 5: WhiteHat Security "Website Security Statistics Report" (Q1'09)


WASC 24 (+2)* Classes of Attacks

Technical: Automation Can Identify

Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection

Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location

Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Business Logic: Humans Required

Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*

Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation

Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation


Page 6: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Data Set
• Collection duration: January 1, 2006 to March 31, 2009
• Total websites: 1,031
• Identified vulnerabilities (custom web applications): 17,888
• Assessment frequency: ~Weekly
• Vulnerability classes: WASC Threat Classification
• Severity naming convention: PCI-DSS

Key Findings
• Unresolved vulnerabilities: 7,157 (60% resolution rate)
• Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
• Lifetime average number of vulnerabilities per website: 17
• Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
• Current average of unresolved vulnerabilities per website: 7

[Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH)]

Page 7: WhiteHat Security "Website Security Statistics Report" (Q1'09)


WhiteHat Security Top Ten

[Chart: Percentage likelihood of a website having a vulnerability by class]

1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Session Fixation
8. Cross-Site Request Forgery
9. Insufficient Authentication
10. HTTP Response Splitting

• Average number of inputs per website: 227
• Average ratio of vulnerability count / number of inputs: 2.58%

Page 8: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Overall Vulnerability Population

URL extension   % of websites   % of vulnerabilities
unknown         59%             40%
asp             24%             25%
aspx            23%              9%
xml             10%              2%
jsp              9%              8%
do               7%              3%
php              6%              3%
html             4%              2%
old              4%              1%
dll              4%              1%
cfm              3%              4%

Page 9: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Industry Vertical Analysis


[Chart: Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by industry vertical. Series: Historical, Decrease, Current. Verticals: Retail, Financial Services, IT, Healthcare, Pharma, Telecom, Insurance, Social Networking]

Page 10: WhiteHat Security "Website Security Statistics Report" (Q1'09)

[Chart: Top 5 vulnerabilities by industry vertical. Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by class, Historical vs. Current, for Retail, Financial Services, IT, Healthcare, Pharmaceutical, Telecom, Insurance and Social Networking]

Page 11: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Time-to-Fix (Days) - WhiteHat Top Ten


Best-case scenario: Not all vulnerabilities have been fixed...

[Chart: Time-to-fix in days for each of the WhiteHat Top Ten: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting]

Page 12: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Resolution rate - Top 5 by Severity


Class of Attack                 % resolved   Severity
Cross-Site Scripting            20%          urgent
Insufficient Authorization      19%          urgent
SQL Injection                   30%          urgent
HTTP Response Splitting         75%          urgent
Directory Traversal             53%          urgent
Insufficient Authentication     38%          critical
Cross-Site Scripting            39%          critical
Abuse of Functionality          28%          critical
Cross-Site Request Forgery      45%          critical
Session Fixation                21%          critical
Brute Force                     11%          high
Content Spoofing                25%          high
HTTP Response Splitting         30%          high
Information Leakage             29%          high
Predictable Resource Location   26%          high
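The metrics on pages 6, 7, 8, 11 and 12 (resolution rate, share of websites with at least one HIGH/CRITICAL/URGENT issue historically versus currently, likelihood of a website having a vulnerability by class, best-case time-to-fix, resolution rate by class and severity, URL-extension breakdown) can be reproduced for your own portfolio from per-finding records. The script below is an added example, not WhiteHat's code or data: the record layout and the sample findings are constructed assumptions; the metric definitions follow the slide text, including the time-to-fix caveat that only fixed findings can contribute a duration.

```python
"""Portfolio metrics as the report defines them, computed over a constructed
finding set. Added example, not WhiteHat's code: the record layout and the
sample data are assumptions; the metric definitions follow the slides."""
from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit
import posixpath

# Constructed findings: (site, class, severity, url, found, fixed or None).
# Severity names follow the PCI-DSS convention the report uses.
FINDINGS = [
    ("shop.example", "Cross-Site Scripting", "urgent",
     "https://shop.example/search.asp?q=", date(2008, 1, 10), date(2008, 2, 14)),
    ("shop.example", "Information Leakage", "high",
     "https://shop.example/old/config.old", date(2008, 1, 10), None),
    ("shop.example", "SQL Injection", "urgent",
     "https://shop.example/cart.aspx", date(2008, 3, 1), date(2008, 3, 11)),
    ("bank.example", "Cross-Site Scripting", "urgent",
     "https://bank.example/login.jsp", date(2008, 5, 2), None),
    ("bank.example", "Insufficient Authorization", "urgent",
     "https://bank.example/account/statement", date(2008, 5, 2), date(2008, 9, 30)),
    ("blog.example", "Content Spoofing", "high",
     "https://blog.example/index.php?page=", date(2008, 6, 15), date(2008, 6, 20)),
    ("blog.example", "Predictable Resource Location", "high",
     "https://blog.example/admin/", date(2008, 6, 15), date(2008, 7, 1)),
    ("intranet.example", "Information Leakage", "medium",
     "https://intranet.example/readme.html", date(2008, 7, 1), None),
]
SERIOUS = {"high", "critical", "urgent"}


def resolution_rate(findings):
    """Share of all findings that carry a fix date (the report's 60%)."""
    return sum(1 for f in findings if f[5] is not None) / len(findings)


def averages(findings):
    """(lifetime findings per site, currently unresolved findings per site)."""
    n_sites = len({f[0] for f in findings})
    unresolved = sum(1 for f in findings if f[5] is None)
    return len(findings) / n_sites, unresolved / n_sites


def sites_with_serious_issue(findings, current_only=False):
    """Share of sites with >= 1 HIGH/CRITICAL/URGENT finding. current_only=True
    counts unresolved findings only: the 'currently' (63%) versus
    'having had' (82%) distinction on page 6."""
    sites = {f[0] for f in findings}
    hit = {f[0] for f in findings
           if f[2] in SERIOUS and (not current_only or f[5] is None)}
    return len(hit) / len(sites)


def likelihood_by_class(findings):
    """% of sites with at least one finding of each class, most common first
    (the page-7 Top Ten chart). Counts sites, not findings, so a site with
    ten XSS issues weighs the same as a site with one."""
    sites = {f[0] for f in findings}
    per_class = defaultdict(set)
    for f in findings:
        per_class[f[1]].add(f[0])
    ranked = sorted(per_class.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(cls, len(s) / len(sites)) for cls, s in ranked]


def time_to_fix_days(findings):
    """Mean days from discovery to fix per class, over FIXED findings only.
    That is the page-11 best-case caveat: open findings contribute nothing,
    so the true mean can only be larger. Classes with no fix are absent."""
    days = defaultdict(list)
    for _site, cls, _sev, _url, found, fixed in findings:
        if fixed is not None:
            days[cls].append((fixed - found).days)
    return {cls: sum(d) / len(d) for cls, d in days.items()}


def resolution_by_class_severity(findings):
    """% resolved per (class, severity) pair, like the page-12 table."""
    total, fixed = defaultdict(int), defaultdict(int)
    for _site, cls, sev, _url, _found, fix in findings:
        total[(cls, sev)] += 1
        fixed[(cls, sev)] += int(fix is not None)
    return {k: fixed[k] / total[k] for k in total}


def url_extension(url):
    """Extension of the URL path, 'unknown' if none (the page-8 grouping)."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()
    return ext or "unknown"


def extension_breakdown(findings):
    """Per extension: (% of sites with a finding on such a URL, % of findings)."""
    sites = {f[0] for f in findings}
    site_hits, vuln_hits = defaultdict(set), defaultdict(int)
    for f in findings:
        ext = url_extension(f[3])
        site_hits[ext].add(f[0])
        vuln_hits[ext] += 1
    return {ext: (len(site_hits[ext]) / len(sites), vuln_hits[ext] / len(findings))
            for ext in vuln_hits}


if __name__ == "__main__":
    print(f"resolution rate: {resolution_rate(FINDINGS):.0%}")
    print(f"sites ever / currently with a serious issue: "
          f"{sites_with_serious_issue(FINDINGS):.0%} / "
          f"{sites_with_serious_issue(FINDINGS, current_only=True):.0%}")
    for cls, p in likelihood_by_class(FINDINGS):
        print(f"{p:5.0%}  {cls}")
    for cls, d in time_to_fix_days(FINDINGS).items():
        print(f"{d:6.1f} days  {cls}")
    for ext, (s, v) in extension_breakdown(FINDINGS).items():
        print(f"{ext:8} {s:4.0%} of sites  {v:4.0%} of findings")
```

The point of separating `sites_with_serious_issue(current_only=True)` from the historical figure is the same one the slides make: a portfolio can look much worse by lifetime count than by what is open today, and `time_to_fix_days` will flatter a class whose worst findings are still unfixed, which is why the report labels that chart best-case.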

Page 13: WhiteHat Security "Website Security Statistics Report" (Q1'09)


The Long Tail of Website Vulnerability Testing

[Chart: Verified Vulnerabilities (0 to 3,000) by Vulnerability Checks]

[Chart: Vulnerable Websites (0 to 400) by Vulnerability Checks]

Page 14: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Threats / Attackers


‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.
Geeks.com, Guess, Petco, CardSystems, USC, etc.

Cyber criminals use XSS vulnerabilities to create very convincing phishing scams that appear on the real website, as opposed to a fake one. JavaScript malware steals victims’ session cookies and passwords.
Y! Mail, PayPal, SunTrust, Italian Banks, etc.

With mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use that foothold to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”

Threat Capabilities

Fully Targeted
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize Business Logic Flaw Exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks

Directed Opportunistic
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (Phishing)

Random Opportunistic
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced Filter Evasion Techniques
• Generic exploits

Page 15: WhiteHat Security "Website Security Statistics Report" (Q1'09)

Operationalizing Website Security

1) Where do I start?
Locate the websites you are responsible for

2) What do I do next?
Rank websites based upon business criticality

3) What should I be concerned about first?
Random Opportunistic, Directed Opportunistic, Fully Targeted

4) What is our current security posture?
Vulnerability assessments, pen-tests, traffic monitoring

5) How best to improve our survivability?
SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.

Resources

Risk

What is your organization’s tolerance for risk (per website)?

Page 16: WhiteHat Security "Website Security Statistics Report" (Q1'09)


Website Risk Management Infrastructure