Website Security Statistics Report (2010) - Industry Benchmarks (Slides)
1. 10th Website Security Statistics Report
Industry Benchmarks
2,000+ websites
Jeremiah Grossman, Founder & Chief Technology Officer
Webcast 09.22.2010
© 2010 WhiteHat Security, Inc.
2. Jeremiah Grossman
• WhiteHat Security Founder & CTO
• Technology R&D and industry evangelist
(InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
3. WhiteHat Security
• 350+ enterprise customers
  • Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
  • 1000’s of assessments performed annually
• Recognized leader in website security
  • Quoted thousands of times by the mainstream press
4. Data Overview
• 350+ organizations (Start-ups to Fortune listed)
• 2,000+ websites
• 32,000+ verified custom web application vulnerabilities
• Majority of websites assessed multiple times per month
• Data collected from January 1, 2006 to August 25, 2010
Note: The websites WhiteHat Sentinel assesses likely represent the most “important” and “secure” websites on the Web, owned by organizations that are very serious about their security.
5. WhiteHat Sentinel
Complete Website Vulnerability Management
Customer Controlled & Expert Managed
• Unique SaaS-based solution – Highly scalable delivery of
service at a fixed cost
• Production Safe – No Performance Impact
• Full Coverage – On-going testing for business logic flaws
and technical vulnerabilities – uses WASC 24 classes of
attacks as reference point
• Unlimited Assessments – Anytime websites change
• Eliminates False Positives – Security Operations Team
verifies all vulnerabilities
• Continuous Improvement & Refinement – Ongoing updates
and enhancements to underlying technology and processes
7. Attacker Targeting
Fully Targeted (APT?)
• Customize their own tools
• Focused on business logic
• Profit or goal driven ($$$)
Directed Opportunistic
• Commercial and Open Source Tools
• Authentication scans
• Multi-step processes (forms)
Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately
8. Avg. # of Serious* Vulnerabilities
(Sorted by Industry)
* Serious Vulnerabilities: Those vulnerabilities with a HIGH, CRITICAL, or URGENT severity as defined by PCI-DSS naming conventions. Exploitation could lead to breach or data loss.
9. Avg. # of Serious* Vulnerabilities
(Sorted by Size of the Organization)
[Bar chart: average number of serious vulnerabilities per website by organization size (large: 2,500 and over employees; medium: 150 - 2,500; small: up to 150). Values are not legible in the transcript.]
10. Avg. # of Serious* Vulnerabilities (Sorted by Organization Size & Industry)
[Bar chart: average number of serious vulnerabilities per website, grouped by industry and organization size (large, medium, small). Values are not legible in the transcript.]
11. Overall Top Vulnerability Classes
Percentage likelihood of a website
having a vulnerability by class
14. Time-to-Fix
(Sorted by Industry)
[Line chart: Time-to-Fix distribution, one series per industry (Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications). Axis values are not legible in the transcript.]
15. Time-to-Fix
(Sorted by Industry & Performance)
Time-to-Fix (days). Leaders = top 25%, Above Average = mid 25% - 50%, Laggards = lower 50% - 75%.

Industry              Leaders   Above Average   Laggards
Overall                   5          13             30
Banking                   2           3             13
Education                 5          14             19
Financial Services        6          11             28
Healthcare                3           9             22
Insurance                10          22             39
IT                        5          13             29
Retail                    6          18             40
Social Networking         3           9             28
Telecommunications        2           5             25
16. Time-to-Fix
(Sorted by Size of the Organization)
[Line chart: Time-to-Fix distribution, one series per organization size (large: 2,500 and over employees; medium: 150 - 2,500; small: up to 150). Axis values are not legible in the transcript.]
Time-to-Fix (days). Leaders = top 25%, Above Average = mid 25% - 50%, Laggards = lower 50% - 75%.

Size of Organization                  Leaders   Above Average   Laggards
small (up to 150 employees)               4          12             26
medium (150 - 2,500 employees)            5          10             26
large (2,500 and over employees)          6          15             35
17. Remediation Rate
(Percentage of Websites within Remediation Rate
Ranges Sorted by Industry)
[Stacked bar chart: percentage of websites falling in each remediation rate range, one bar per industry (Overall, Telecommunications, Social Networking, Retail, IT, Insurance, Healthcare, Financial Services, Education, Banking). Values are not legible in the transcript.]
18. Remediation Rate
(Sorted by Size of the Organization)
[Bar chart: remediation rate by organization size (large: 2,500 and over employees; medium: 150 - 2,500; small: up to 150). Values are not legible in the transcript.]
19. Remediation Rate
(Sorted by Industry and Organization Size)
[Bar chart: remediation rate by organization size (large, medium, small), one series per industry (Banking, Education, Financial Services, Healthcare, Insurance, IT, Overall, Retail, Social Networking, Telecommunications). Values are not legible in the transcript.]
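The three metrics the preceding slides report (average serious vulnerabilities per website, slide 8; Time-to-Fix cut points for leaders, above average and laggards, slides 14-16; remediation rate, slides 17-19) computed over a constructed set of vulnerability records. This is an added illustration, not WhiteHat's own code or data; the record layout, sample values and the choice of inclusive quantiles are assumptions.

```python
from collections import namedtuple
from datetime import date
from statistics import quantiles

# Constructed sample, not the report's data: one row per verified vulnerability.
# closed=None means the finding is still open.
Vuln = namedtuple("Vuln", "website industry severity opened closed")

SAMPLE = [
    Vuln("bank.example", "Banking", "URGENT", date(2010, 3, 1), date(2010, 3, 3)),
    Vuln("bank.example", "Banking", "HIGH", date(2010, 3, 1), date(2010, 3, 5)),
    Vuln("bank.example", "Banking", "MEDIUM", date(2010, 3, 1), None),
    Vuln("loans.example", "Banking", "CRITICAL", date(2010, 4, 1), date(2010, 4, 7)),
    Vuln("loans.example", "Banking", "HIGH", date(2010, 4, 1), date(2010, 4, 9)),
    Vuln("loans.example", "Banking", "HIGH", date(2010, 4, 1), date(2010, 4, 11)),
    Vuln("loans.example", "Banking", "HIGH", date(2010, 4, 1), None),
    Vuln("shop.example", "Retail", "HIGH", date(2010, 2, 1), date(2010, 3, 13)),
    Vuln("shop.example", "Retail", "LOW", date(2010, 2, 1), date(2010, 2, 2)),
]

# The report's definition of "serious": HIGH, CRITICAL or URGENT (PCI-DSS naming).
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}


def serious(records):
    return [r for r in records if r.severity in SERIOUS]


def avg_serious_per_website(records, industry):
    """Slide 8 metric: serious vulnerabilities per website, averaged over the industry."""
    rows = [r for r in serious(records) if r.industry == industry]
    sites = {r.website for r in records if r.industry == industry}
    return len(rows) / len(sites) if sites else None


def remediation_rate(records, website):
    """Slides 17-19 metric: share (0..1) of a website's serious vulnerabilities now closed."""
    rows = [r for r in serious(records) if r.website == website]
    if not rows:
        return None
    return sum(1 for r in rows if r.closed is not None) / len(rows)


def time_to_fix(records, industry):
    """Slides 14-16 metric: days-to-close cut points for an industry's closed serious
    vulnerabilities, returned as (top 25%, 50%, 75%): leaders / above average / laggards."""
    days = sorted((r.closed - r.opened).days
                  for r in serious(records) if r.industry == industry and r.closed)
    if len(days) < 2:  # quantiles() needs at least two observations
        return None
    return tuple(quantiles(days, n=4, method="inclusive"))
```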
20. Why do vulnerabilities go unfixed?
• No one at the organization understands or is responsible for maintaining
the code.
• Development group does not understand or respect the vulnerability.
• Feature enhancements are prioritized ahead of security fixes.
• Lack of budget to fix the issues.
• Affected code is owned by an unresponsive third-party vendor.
• Website will be decommissioned or replaced “soon.”
• Risk of exploitation is accepted.
• Solution conflicts with business use case.
• Compliance does not require fixing the issue.
21. 1) Find your websites (all of them)
Identifying an organization’s complete Web presence is vital to a successful program. You
can’t secure what you don’t know you own. Find out what websites there are, what they do,
document the data they possess, who is responsible for them, and other helpful metadata.
2) Website Valuation & Prioritization
Each website provides different value to an organization. Some process highly sensitive
data, others contain only marketing brochure-ware. Some websites facilitate thousands of
credit card transactions each day, others generate advertising revenue. When resources are
limited, prioritization must focus on those assets offering the best risk-reducing return on
investment consistent with business objectives.
3) Adversaries & Risk Tolerance
Not all adversaries, those attempting to compromise websites, have the same technical
capability or end goal. Some adversaries are sentient, others are autonomous, and their
methods differ, as does their target selection.
4) Measure your current security posture
Vulnerability assessments and penetration tests are designed to simulate the technical
capabilities of a given type of adversary (step #3) and measure the success they would
have. Finding as many vulnerabilities as possible is a byproduct of the exercise.
5) Remediation & Mitigation
From a risk management perspective it might be best to first fix a medium-severity
vulnerability on a main transactional website as opposed to a high-severity issue in a non-
critical system. Using the information obtained from steps 1 - 4, these decisions can be made
with the confidence gained from the supporting data.
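The five-step program above, turned into a remediation ordering: website inventory and value (steps 1-2), the adversary class from slide 7 (step 3), and verified severities (step 4) combine into one risk score that drives the fix order (step 5). This is an added illustration, not WhiteHat's method; the weights, the login discount and the sample inventory are assumptions, and they reproduce the slide's point that a medium on the main transactional site outranks a high on a non-critical one.

```python
from dataclasses import dataclass

# Assumed scoring model for illustration (mine, not the report's): each step of the
# program on slide 21 contributes one factor to the remediation order.
SEVERITY = {"URGENT": 5, "CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}   # step 4
ADVERSARY = {"random opportunistic": 1, "directed opportunistic": 2,
             "fully targeted": 3}                                            # step 3


@dataclass(frozen=True)
class Website:
    """Steps 1-2: an inventory entry with its owner and business value (1 = brochure-ware,
    5 = main transactional site)."""
    name: str
    owner: str
    value: int
    adversary: str   # step 3: most capable adversary class expected to target this site


@dataclass(frozen=True)
class Finding:
    """Step 4: one verified vulnerability from an assessment."""
    site: Website
    vuln_class: str
    severity: str
    behind_login: bool   # reachable only with credentials


def risk_score(f: Finding) -> int:
    """Severity weighted by site value and adversary capability. A flaw behind a login on a
    site that only random opportunistic (unauthenticated) scanners target is discounted."""
    score = SEVERITY[f.severity] * f.site.value * ADVERSARY[f.site.adversary]
    if f.behind_login and f.site.adversary == "random opportunistic":
        score //= 2
    return score


def remediation_order(findings):
    """Step 5: fix order, highest business risk first; ties broken by raw severity."""
    return sorted(findings, key=lambda f: (risk_score(f), SEVERITY[f.severity]), reverse=True)


# Constructed inventory and findings, not from the report.
CHECKOUT = Website("checkout.example", "payments team", 5, "fully targeted")
INTRANET = Website("intranet.example", "IT ops", 3, "random opportunistic")
BROCHURE = Website("promo.example", "marketing", 1, "random opportunistic")
FINDINGS = [
    Finding(BROCHURE, "Cross-Site Scripting", "HIGH", False),
    Finding(INTRANET, "SQL Injection", "CRITICAL", True),
    Finding(CHECKOUT, "Information Leakage", "MEDIUM", False),
]
```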
22. Questions?
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com