WhiteHat Security 8th Website Security Statistics Report

DESCRIPTION

Web security is a moving target and enterprises need timely information about the latest attack trends, how they can best defend their websites, and visibility into their vulnerability lifecycle. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the knowledge and solutions that organizations need to protect their brands, attain PCI compliance and avert costly breaches. The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to safely conduct business online. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, tracks vertical market trends and identifies new attack techniques, since 2006. The WhiteHat Security report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization,

TRANSCRIPT

© 2009 WhiteHat, Inc.

Jeremiah Grossman, Founder & Chief Technology Officer
Webinar 11.12.2009

8th Website Security Statistics Report
Full Report Available: https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209
Jeremiah Grossman
• Technology R&D and industry evangelist
• InfoWorld's CTO Top 25 for 2007
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
WhiteHat Security
• 250+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering: “WhiteHat Sentinel Service”
• 1,000s of assessments performed annually
• Recognized leader in website security
• Quoted thousands of times by the mainstream press
WhiteHat Sentinel
• Unique SaaS-based solution – highly scalable delivery of service at a fixed cost
• Production safe – no performance impact
• Full coverage – ongoing testing for business logic flaws and technical vulnerabilities, using the WASC 24 classes of attack as the reference point
• Unlimited assessments – any time websites change
• Eliminates false positives – the Security Operations Team verifies all vulnerabilities
• Continuous improvement and refinement – ongoing updates and enhancements to the underlying technology and processes

Complete Website Vulnerability Management: Customer Controlled & Expert Managed
Know Your Enemy

Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately

Directed Opportunistic
• Commercial / open source tools
• Authenticated scans
• Multi-step processes (forms)

Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and profit driven ($$$)
Website Classes of Attacks

Technical: Automation Can Identify

Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection

Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location

Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Business Logic: Humans Required

Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*

Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation

Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation
Data Overview
• 1,364 total websites (32% ↑)
• 22,776 verified custom web application vulnerabilities* (4,888 ↑)
• Data collected from January 1, 2006 to October 1, 2009
• Vast majority of websites assessed for vulnerabilities weekly
• Vulnerabilities classified according to the WASC Threat Classification
• Vulnerability severity naming convention aligns with PCI-DSS
• Average number of links per website: 766**
• Average number of inputs (attack surface) per website: 246
• Average ratio of vulnerability count / number of inputs: 2.14%
• Anti-Clickjacking X-FRAME-OPTIONS: 1
• HTTPOnly flag: 150

Technology Breakdown

URL Extension   % of websites   % of vulnerabilities
unknown         62%             39%
aspx            23%              9%
asp             22%             24%
xml             11%              2%
jsp             10%              8%
do               6%              3%
php              6%              3%
html             5%              2%
old              3%              1%
cfm              3%              4%
bak              3%              1%
dll              2%              1%

* Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).
** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.
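The Data Overview slide counts, across the sample, how many websites send the anti-clickjacking X-FRAME-OPTIONS header and set the HTTPOnly flag on their cookies. As an added example (not WhiteHat's or Sentinel's code), the Python below parses a captured HTTP response and reports both controls: the header counts as framing protection only when its value is DENY or SAMEORIGIN, and every Set-Cookie is checked for HttpOnly (and for Secure, which the slide does not count but belongs in the same audit). Both responses in the block are constructed for illustration, and the function names are my own.

```python
"""Header audit for the two controls counted on the Data Overview slide.

Added example, not WhiteHat's code. Both responses below are constructed
for illustration; no real site was contacted.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: no X-Frame-Options, one cookie without HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: tracking=xyz; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample with both controls present.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into its status line and an ordered
    list of (lower-cased name, value) pairs. Repeated headers such as
    Set-Cookie stay as separate entries; joining them would corrupt cookies."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip a malformed line instead of aborting the audit
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attrs(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw: str) -> Dict[str, object]:
    """Report framing protection and per-cookie flags for one response."""
    _status, headers = parse_headers(raw)
    xfo: Optional[str] = next((v for n, v in headers if n == "x-frame-options"), None)
    # ALLOW-FROM is not honoured by every browser, so only DENY and
    # SAMEORIGIN count as protection here.
    protected = xfo is not None and xfo.upper() in ("DENY", "SAMEORIGIN")
    missing_httponly: List[str] = []
    missing_secure: List[str] = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        if "httponly" not in attrs:
            missing_httponly.append(name)
        if "secure" not in attrs:
            missing_secure.append(name)
    return {
        "x_frame_options": xfo,
        "clickjacking_protected": protected,
        "cookies_missing_httponly": missing_httponly,
        "cookies_missing_secure": missing_secure,
    }


if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp))
```

Run over a stored response (for example one saved from a crawl of your own sites), the audit yields the same two per-site facts the slide aggregates, plus the list of cookie names that still need the flags.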
Key Findings

All Websites
• 83% of websites have had a HIGH, CRITICAL, or URGENT issue
• 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 61% vulnerability resolution rate, with 8,902 unresolved issues remaining
• Average number of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
• Average number of serious unresolved vulnerabilities per website: 6.5

SSL-Only Websites
• 44% of websites are using SSL
• 81% of websites have had a HIGH, CRITICAL, or URGENT issue
• 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 58% vulnerability resolution rate among the sample, with 2,484 out of 5,863 historical vulnerabilities unresolved
• Average number of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7
• Average number of serious unresolved vulnerabilities per website: 4.1

[Chart: Percentage likelihood of a website having a vulnerability by severity: URGENT, HIGH, CRITICAL]
WhiteHat Security Top Ten
Percentage likelihood of a website having a vulnerability by class
1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Cross-Site Request Forgery
8. Session Fixation
9. HTTP Response Splitting
10. Abuse of Functionality
Vulnerability Population
[Pie chart labelled Cross-Site Scripting, Content Spoofing, SQL Injection, Predictable Resource Location, Information Leakage, HTTP Response Splitting, Insufficient Authorization, Other; slice values shown: 63%, 8%, 7%, 6%, 5%, 4%, 4%, 3%]
Time-to-Fix (Days)
Best-case scenario: not all vulnerabilities have been fixed...

Class of Attack                Time-to-Fix (Days)
Cross-Site Scripting           9 ↑
Information Leakage            7 ↓
Content Spoofing               16 ↑
Insufficient Authorization     15 ↓
SQL Injection                  24 ↑
Predictable Resource Location  39 ↓
Session Fixation               2 ↑
Cross-Site Request Forgery     37 ↑
Abuse of Functionality         -
HTTP Response Splitting        5 ↓

* Up/down arrows indicate the increase or decrease since the last report.
Resolution Rates

Class of Attack                % resolved   Δ       Severity
Cross-Site Scripting           12%          8 ↓     urgent
Insufficient Authorization     18%          1 ↓     urgent
SQL Injection                  40%          10 ↑    urgent
HTTP Response Splitting        12%          15 ↓    urgent
Directory Traversal            65%          12 ↑    urgent
Insufficient Authentication    37%          1 ↓     critical
Cross-Site Scripting           44%          5 ↑     critical
Abuse of Functionality         14%          14 ↓    critical
Cross-Site Request Forgery     39%          6 ↓     critical
Session Fixation               31%          10 ↑    critical
Brute Force                    31%          20 ↑    high
Content Spoofing               46%          21 ↑    high
HTTP Response Splitting        32%          2 ↑     high
Information Leakage            30%          21 ↑    high
Predictable Resource Location  34%          8 ↑     high

* Up/down arrows indicate the increase or decrease since the last report.
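The footnote on the Data Overview slide defines the report's counting unit (one vulnerability per web application and class of attack, however many parameters are affected), and the Time-to-Fix and Resolution Rates slides report per-class metrics built on that unit. As an added example, not WhiteHat's code, the Python below applies the counting rule to a constructed set of parameter-level findings and derives the unique vulnerability count, the vulnerability/input ratio, the resolution rate and the average time-to-fix per class. Two details are my assumptions rather than the report's stated method: a unique vulnerability counts as resolved only when every affected parameter is closed, and its fix date is the last of those closes. As the Time-to-Fix slide notes, the average covers fixed vulnerabilities only, which is what makes it a best-case figure.

```python
"""Apply the report's counting rule to parameter-level findings.

Added example, not WhiteHat's code. FINDINGS is constructed; days are
offsets from the start of the assessment.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (web application, parameter, class of attack, opened_day, closed_day or None)
Finding = Tuple[str, str, str, int, Optional[int]]

FINDINGS: List[Finding] = [
    # Three injectable parameters in one application: one vulnerability
    # under the report's rule, and still open because "q" is not fixed.
    ("/foo/webapp.cgi", "id",   "SQL Injection",        0, 10),
    ("/foo/webapp.cgi", "sort", "SQL Injection",        0, 20),
    ("/foo/webapp.cgi", "q",    "SQL Injection",        0, None),
    ("/foo/webapp.cgi", "q",    "Cross-Site Scripting", 5, 14),
    ("/search",         "term", "Cross-Site Scripting", 2, 6),
    ("/search",         "page", "Cross-Site Scripting", 2, 8),
    ("/login",          "user", "Brute Force",          1, None),
]

Group = List[Tuple[int, Optional[int]]]


def group_unique(findings: List[Finding]) -> Dict[Tuple[str, str], Group]:
    """Collapse findings to the report's unit: (web application, class)."""
    groups: Dict[Tuple[str, str], Group] = defaultdict(list)
    for app, _param, cls, opened, closed in findings:
        groups[(app, cls)].append((opened, closed))
    return groups


def count_unique(findings: List[Finding]) -> int:
    return len(group_unique(findings))


def vuln_input_ratio(findings: List[Finding], inputs: int) -> float:
    """Unique vulnerabilities as a percentage of inputs (attack surface)."""
    return round(100.0 * count_unique(findings) / inputs, 2)


def resolution_status(group: Group) -> Tuple[bool, int, Optional[int]]:
    """(resolved, opened_day, closed_day). Assumption: a unique vulnerability
    is resolved only when every affected parameter is closed, and its close
    day is the last of those closes."""
    opened = min(o for o, _ in group)
    if any(c is None for _, c in group):
        return False, opened, None
    return True, opened, max(c for _, c in group if c is not None)


def resolution_rate(findings: List[Finding]) -> float:
    """Percentage of unique vulnerabilities that are fully resolved."""
    groups = group_unique(findings)
    resolved = sum(1 for g in groups.values() if resolution_status(g)[0])
    return round(100.0 * resolved / len(groups), 1)


def time_to_fix_by_class(findings: List[Finding]) -> Dict[str, float]:
    """Average days from open to fix per class, over fixed vulnerabilities
    only; classes with nothing fixed yet are absent from the result."""
    days: Dict[str, List[int]] = defaultdict(list)
    for (_app, cls), g in group_unique(findings).items():
        done, opened, closed = resolution_status(g)
        if done and closed is not None:
            days[cls].append(closed - opened)
    return {cls: round(sum(d) / len(d), 1) for cls, d in days.items()}


if __name__ == "__main__":
    print("raw findings:", len(FINDINGS), "unique:", count_unique(FINDINGS))
    print("ratio vs 187 inputs:", vuln_input_ratio(FINDINGS, 187), "%")
    print("resolution rate:", resolution_rate(FINDINGS), "%")
    print("time-to-fix (days):", time_to_fix_by_class(FINDINGS))
```

Seven parameter-level findings collapse to four vulnerabilities, which is the scale of difference to expect when comparing a scanner's raw finding count against figures counted the way this report counts them. SQL Injection has no time-to-fix entry because its one vulnerability is still open; a metric that averaged the two closed parameters would understate the real exposure.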
Zero-Vulnerability Websites
• 485 total websites
• 17% of websites have never had a HIGH, CRITICAL, or URGENT issue
• 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
• 1,800 verified custom web application vulnerabilities
• Lifetime average number of vulnerabilities per website: 3.7
• Average number of inputs per website: 244
• Average ratio of vulnerability count / number of inputs: 2.11%

Percentage likelihood of a website having a vulnerability by class
1. Cross-Site Scripting (37.3%)
2. Information Leakage (22.2%)
3. Content Spoofing (10.7%)
4. Predictable Resource Location (7.8%)
5. SQL Injection (7.4%)
6. Abuse of Functionality (4.3%)
7. Insufficient Authorization (4.1%)
8. Session Fixation (4.1%)
9. Cross-Site Request Forgery (3.7%)
10. HTTP Response Splitting (3.1%)

Technology Breakdown

URL Extension   % of websites   % of vulnerabilities
unknown         33%             33%
aspx             7%             10%
asp             14%             25%
jsp              7%              9%
do               7%              8%
html             2%              2%
old              2%              2%
cfm              2%              3%
Vulnerability Population (Zero-Vulnerability Websites)
[Pie chart labelled Cross-Site Scripting, Content Spoofing, SQL Injection, Predictable Resource Location, Information Leakage, Cross-Site Request Forgery, Other; slice values shown: 62%, 6%, 6%, 8%, 9%, 5%, 4%]
Time-to-Fix (Days) (Zero-Vulnerability Websites)
[Bar chart for Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Abuse of Functionality, HTTP Response Splitting]
Industry Verticals
[Chart for Retail, Financial Services, IT, Healthcare, Pharma, Telecom, Insurance, Social Networking, Education; values shown: 6 ↑, 1 ↑, 1 ↑, 12 ↑, 3 ↓, 3 ↑, 15 ↑, -, -]

* Up/down arrows indicate the increase or decrease since the last report.
Operationalize
Resources / Risk: What is your organization's tolerance for risk (per website)?

1) Where do I start? Locate the websites you are responsible for.
2) What do I do next? Rank websites based upon business criticality.
3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted.
4) What is our current security posture? Vulnerability assessments, pen-tests, traffic monitoring.
5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.
Website Risk Management Infrastructure

Thank You!
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]

WhiteHat Security
http://www.whitehatsec.com/