WhiteHat Security Website Security Statistics Report, May 2013
DESCRIPTION
Jeremiah Grossman and Gabriel Gumbs, the WhiteHat Security Website Security Statistics Report, May 2013. The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications (code unique to an organization) within real-world websites.
TRANSCRIPT
WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)
Jeremiah Grossman
© 2013 WhiteHat Security, Inc. 2
ME
Jeremiah Grossman
• Founder and CTO of WhiteHat Security
• TED Alumni
• InfoWorld Top 25 CTO
• Co-founder of the WASC
• Co-author: XSS Attacks
• Former Yahoo! Information Security Officer
• Brazilian Jiu-Jitsu Black Belt
Gabriel Gumbs
• Director, Solutions Architecture
• Multi-domain Information Security Professional
• 13 years’ enterprise industry experience
• Avid triathlete
THE COMPANY
WhiteHat Security, Inc.
• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 270+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 650+ (banking, retail, healthcare, etc.)
What we knew going into 2012...
HISTORY
• “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” –Verizon Data Breach Investigations Report (2012)
• “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” –Privacyrights.org
REASONS:
1) LEGACY WEB CODE
2) BUDGET MISALLOCATION
3) “BEST-PRACTICES”
ABOUT THE DATA
AT A GLANCE
Average annual number of new serious* vulnerabilities introduced per website
* Serious Vulnerability: A security weakness that, if exploited, may lead to breach or data loss of a system, its data, or users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
AT A GLANCE: INDUSTRY
2012
WINDOW OF EXPOSURE
The average number of days in a year a website is exposed to at least one serious* vulnerability.
MOST COMMON VULNS
Top 15 Vulnerability Classes (2012)
Percentage likelihood that at least one serious* vulnerability will appear in a website
TOP 7: BY INDUSTRY
OVERALL
Overall Vulnerability Population (2012)
Percentage breakdown of all the serious* vulnerabilities discovered, sorted by vulnerability class
ATTACKS IN-THE-WILD
WASC: Web Hacking Incident Database
http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
SURVEY: APPLICATION SECURITY IN THE SDLC
(76 ORGANIZATIONS)
INDUSTRY CORRELATION
SDLC SURVEY
SURVEY: BREACH CORRELATION
BREACH CORRELATION
Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
Organizations that performed Static Code Analysis on their websites’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
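The findings above are stated in terms of three per-site metrics (vulnerability count, time to fix, remediation rate) plus the Window of Exposure defined earlier in the deck. The following is an added Python example, not WhiteHat's own code, that computes all four from a constructed list of (opened, closed) records for one website in 2012; the convention that both the open day and the close day count as exposed is an assumption.

```python
from datetime import date, timedelta

# Constructed sample (not report data): one website's serious vulnerabilities,
# as (opened, closed) dates. closed=None means still open at year end.
SAMPLE_VULNS = [
    (date(2012, 1, 10), date(2012, 2, 20)),   # fixed after 41 days
    (date(2012, 2, 1), date(2012, 3, 15)),    # overlaps the first one
    (date(2012, 6, 1), None),                 # not fixed during 2012
    (date(2011, 11, 1), date(2012, 1, 5)),    # carried over from 2011
]

YEAR_START = date(2012, 1, 1)
YEAR_END = date(2012, 12, 31)   # inclusive; 2012 has 366 days

def clip_to_year(opened, closed):
    """Clip one open interval to the report year; None if it lies outside."""
    start = max(opened, YEAR_START)
    end = YEAR_END if closed is None else min(closed, YEAR_END)
    return (start, end) if start <= end else None

def window_of_exposure(vulns):
    """Days in the year with at least one serious vulnerability open.
    Overlapping vulnerabilities must not be double-counted, so the clipped
    intervals are merged (assumption: open and close days both count)."""
    intervals = sorted(i for i in (clip_to_year(o, c) for o, c in vulns) if i)
    days, cur = 0, None
    for start, end in intervals:
        if cur and start <= cur[1] + timedelta(days=1):
            cur = (cur[0], max(cur[1], end))       # overlapping or adjacent: extend
        else:
            if cur:
                days += (cur[1] - cur[0]).days + 1
            cur = (start, end)
    if cur:
        days += (cur[1] - cur[0]).days + 1
    return days

def new_vulns_in_year(vulns):
    """Serious vulnerabilities first introduced during the report year."""
    return sum(1 for opened, _ in vulns if YEAR_START <= opened <= YEAR_END)

def remediation_rate(vulns):
    """Share of known vulnerabilities that have been fixed."""
    return sum(1 for _, closed in vulns if closed is not None) / len(vulns)

def avg_time_to_fix(vulns):
    """Mean days from discovery to fix, over fixed vulnerabilities only."""
    fixed = [(closed - opened).days for opened, closed in vulns if closed]
    return sum(fixed) / len(fixed)
```

For the sample, the site is exposed 285 of 366 days even though only three vulnerabilities were introduced in 2012 and three of four were fixed; a per-site Window of Exposure is what the deck's "average number of days" aggregates across sites.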
SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION
ACCOUNTABILITY
SOME LESSONS LEARNED (SO FAR)
LESSONS
• “Best-Practices”: there aren’t any!
• Assign an individual or group that is accountable for website security
• Find your websites – all of them – and prioritize
• Measure your current security posture from an attacker’s perspective
• Trend and track the lifecycle of vulnerabilities
• Fast detection and response
Questions & Answers
Thank you!
JEREMIAH GROSSMAN, Founder and CTO
Twitter: @jeremiahg
Email: [email protected]
GABRIEL GUMBS, Director, Solutions Architecture
Twitter: @gabrielgumbs
Email: [email protected]