WhiteHat Security 8th Website Security Statistics Report

Date post: 18-Nov-2014
Upload: jeremiah-grossman
Description:
Web security is a moving target and enterprises need timely information about the latest attack trends, how they can best defend their websites, and visibility into their vulnerability lifecycle. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the knowledge and solutions that organizations need to protect their brands, attain PCI compliance and avert costly breaches. The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to safely conduct business online. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, tracks vertical market trends and identifies new attack techniques, since 2006. The WhiteHat Security report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization,
Transcript
Page 1: WhiteHat Security 8th Website Security Statistics Report

© 2009 WhiteHat, Inc.

Jeremiah Grossman
Founder & Chief Technology Officer

Webinar 11.12.2009

8th Website Security Statistics Report
Full Report Available: https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209

Page 2: Jeremiah Grossman

• Technology R&D and industry evangelist
• InfoWorld's CTO Top 25 for 2007
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

Page 3: WhiteHat Security

• 250+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
• 1000’s of assessments performed annually
• Recognized leader in website security
• Quoted thousands of times by the mainstream press

Page 4: WhiteHat Sentinel

• Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost

• Production Safe – No Performance Impact

• Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point

• Unlimited Assessments – Anytime websites change

• Eliminates False Positives – Security Operations Team verifies all vulnerabilities

• Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes

Complete Website Vulnerability Management
Customer Controlled & Expert Managed

Page 5: Know Your Enemy

Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately

Directed Opportunistic
• Commercial / Open Source Tools
• Authentication scans
• Multi-step processes (forms)

Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and profit driven ($$$)

Page 6: Website Classes of Attacks

Technical: Automation Can Identify

Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection

Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location

Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Business Logic: Humans Required

Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*

Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation

Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation

Page 7: Data Overview

• 1,364 total websites (32% ↑)
• 22,776 verified custom web application vulnerabilities* (4,888 ↑)
• Data collected from January 1, 2006 to October 1, 2009
• Vast majority of websites assessed for vulnerabilities weekly
• Vulnerabilities classified according to WASC Threat Classification
• Vulnerability severity naming convention aligns with PCI-DSS
• Average number of links per website: 766**
• Average number of inputs (attack surface) per website: 246
• Average ratio of vulnerability count / number of inputs: 2.14%
• Anti-Clickjacking X-FRAME-OPTIONS: 1
• HTTPOnly flag: 150

Technology Breakdown

URL Extension   % of websites   % of vulnerabilities
unknown         62%             39%
aspx            23%              9%
asp             22%             24%
xml             11%              2%
jsp             10%              8%
do               6%              3%
php              6%              3%
html             5%              2%
old              3%              1%
cfm              3%              4%
bak              3%              1%
dll              2%              1%

* Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/webapp.cgi), three of which are vulnerable to SQL Injection, it is counted as one vulnerability (not three).

** WhiteHat Sentinel seeks to identify all of a website's externally available attack surface, which may or may not require spidering all of its available links.
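As an added worked example (not code from the WhiteHat deck), the counting rule in the footnote applied in Python to a constructed set of scan findings: several vulnerable parameters in one web application and one class of attack collapse into a single vulnerability, and the same grouping then yields the resolution rate, per-website averages and time-to-fix figures the later slides report. The sample websites, paths and dates are constructed, and averaging the vulnerability/input ratio per website is an assumption, since the deck does not state how it averages.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings (not WhiteHat data), one row per vulnerable parameter:
# website, web application, parameter, class of attack, opened, resolved (None = still open).
FINDINGS = [
    ("shop.example", "/foo/webapp.cgi", "id",   "SQL Injection",              date(2009, 9, 1), date(2009, 9, 25)),
    ("shop.example", "/foo/webapp.cgi", "sort", "SQL Injection",              date(2009, 9, 1), date(2009, 9, 30)),
    ("shop.example", "/foo/webapp.cgi", "page", "SQL Injection",              date(2009, 9, 1), date(2009, 9, 25)),
    ("shop.example", "/foo/webapp.cgi", "q",    "Cross-Site Scripting",       date(2009, 9, 3), date(2009, 9, 12)),
    ("shop.example", "/login.cgi",      "user", "Cross-Site Scripting",       date(2009, 9, 3), None),
    ("bank.example", "/acct.do",        "acct", "Insufficient Authorization", date(2009, 8, 1), None),
]
INPUTS = {"shop.example": 250, "bank.example": 100}  # constructed attack surface (inputs) per website


def count_vulnerabilities(findings):
    """One vulnerability per unique (website, web app, class of attack), however many parameters
    are affected. It is resolved only when every parameter is; time-to-fix runs from first open to last fix."""
    groups = defaultdict(list)
    for site, app, _param, cls, opened, resolved in findings:
        groups[(site, app, cls)].append((opened, resolved))
    vulns = {}
    for key, rows in groups.items():
        fixed = all(r is not None for _, r in rows)
        days = (max(r for _, r in rows) - min(o for o, _ in rows)).days if fixed else None
        vulns[key] = {"resolved": fixed, "time_to_fix": days}
    return vulns


def metrics(findings, inputs):
    """Recompute the deck's headline figures (totals, resolution rate, per-site averages, time-to-fix)."""
    vulns = count_vulnerabilities(findings)
    per_site = defaultdict(int)
    ttf = defaultdict(list)
    for (site, _app, cls), v in vulns.items():
        per_site[site] += 1
        if v["resolved"]:  # only fixed issues count, the "best-case" caveat on the time-to-fix slide
            ttf[cls].append(v["time_to_fix"])
    return {
        "total": len(vulns),
        "resolution_rate": sum(v["resolved"] for v in vulns.values()) / len(vulns),
        "avg_per_site": mean(per_site[s] for s in inputs),
        # Averaged per website; the deck does not say how it averages this ratio (assumption).
        "avg_vuln_to_input_ratio": mean(per_site[s] / inputs[s] for s in inputs),
        "time_to_fix_days": {cls: mean(d) for cls, d in ttf.items()},
    }
```

For the sample, three SQL Injection parameters in /foo/webapp.cgi become one vulnerability, so the total is 4 rather than 6, and the still-open XSS in /login.cgi is excluded from the time-to-fix average.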

Page 8: Key Findings

All Websites
• 83% of websites have had a HIGH, CRITICAL, or URGENT issue
• 64% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 61% vulnerability resolution rate with 8,902 unresolved issues remaining
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7
• Average number of serious unresolved vulnerabilities per website: 6.5

SSL-Only Websites
• 44% of websites are using SSL
• 81% of websites have had a HIGH, CRITICAL, or URGENT issue
• 58% of websites currently have a HIGH, CRITICAL, or URGENT issue
• 58% vulnerability resolution rate among the sample, with 2,484 of 5,863 historical vulnerabilities remaining unresolved
• Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7
• Average number of serious unresolved vulnerabilities per website: 4.1

[Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH)]

Page 9: WhiteHat Security Top Ten

[Chart: Percentage likelihood of a website having a vulnerability by class. Classes as listed on the slide:]
• Cross-Site Scripting
• Information Leakage
• Content Spoofing
• Insufficient Authorization
• SQL Injection
• Predictable Resource Location
• Cross-Site Request Forgery
• Session Fixation
• HTTP Response Splitting
• Abuse of Functionality

Page 10: Vulnerability Population

[Pie chart: Vulnerability Population. Slices: Cross-Site Scripting, Content Spoofing, SQL Injection, Predictable Resource Location, Information Leakage, HTTP Response Splitting, Insufficient Authorization, Other. Values shown on the chart: 63%, 8%, 7%, 6%, 5%, 4%, 4%, 3%.]

Page 11: Time-to-Fix (Days)

Best-case scenario: Not all vulnerabilities have been fixed...

Class of Attack               Days
Cross-Site Scripting           9 ↑
Information Leakage            7 ↓
Content Spoofing              16 ↑
Insufficient Authorization    15 ↓
SQL Injection                 24 ↑
Pred. Res. Loc.               39 ↓
Session Fixation               2 ↑
Cross-Site Request Forgery    37 ↑
Abuse of Functionality         -
HTTP Response Splitting        5 ↓

* Up/down arrows indicate the increase or decrease since the last report.

Page 12: Resolution Rates

Class of Attack                % resolved   Δ       Severity
Cross Site Scripting           12%           8 ↓    urgent
Insufficient Authorization     18%           1 ↓    urgent
SQL Injection                  40%          10 ↑    urgent
HTTP Response Splitting        12%          15 ↓    urgent
Directory Traversal            65%          12 ↑    urgent
Insufficient Authentication    37%           1 ↓    critical
Cross-Site Scripting           44%           5 ↑    critical
Abuse of Functionality         14%          14 ↓    critical
Cross-Site Request Forgery     39%           6 ↓    critical
Session Fixation               31%          10 ↑    critical
Brute Force                    31%          20 ↑    high
Content Spoofing               46%          21 ↑    high
HTTP Response Splitting        32%           2 ↑    high
Information Leakage            30%          21 ↑    high
Predictable Resource Location  34%           8 ↑    high

* Up/down arrows indicate the increase or decrease since the last report.

Page 13: Zero-Vulnerability Websites

• 485 total websites
• 17% of websites have never had a HIGH, CRITICAL, or URGENT issue
• 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue
• 1,800 verified custom web application vulnerabilities
• Lifetime average number of vulnerabilities per website: 3.7
• Average number of inputs per website: 244
• Average ratio of vulnerability count / number of inputs: 2.11%

Percentage likelihood of a website having a vulnerability by class
1. Cross-Site Scripting (37.3%)
2. Information Leakage (22.2%)
3. Content Spoofing (10.7%)
4. Predictable Resource Location (7.8%)
5. SQL Injection (7.4%)
6. Abuse of Functionality (4.3%)
7. Insufficient Authorization (4.1%)
8. Session Fixation (4.1%)
9. Cross Site Request Forgery (3.7%)
10. HTTP Response Splitting (3.1%)

Technology Breakdown

URL Extension   % of websites   % of vulnerabilities
unknown         33%             33%
aspx             7%             10%
asp             14%             25%
jsp              7%              9%
do               7%              8%
html             2%              2%
old              2%              2%
cfm              2%              3%

Page 14: Vulnerability Population (Zero-Vulnerability Websites)

[Pie chart: Vulnerability Population, Zero-Vulnerability Websites. Slices: Cross-Site Scripting, Content Spoofing, SQL Injection, Predictable Resource Location, Information Leakage, Cross-Site Request Forgery, Other. Values shown on the chart: 62%, 9%, 8%, 6%, 6%, 5%, 4%.]

Page 15: Time-to-Fix (Days) (Zero-Vulnerability Websites)

[Chart: Time-to-Fix (Days), Zero-Vulnerability Websites. Classes shown: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Pred. Res. Loc., Session Fixation, Cross-Site Request Forgery, Abuse of Functionality, HTTP Response Splitting.]

Page 16: Industry Verticals

[Chart: Industry Verticals. Verticals shown: Retail, Financial Services, IT, Healthcare, Pharma, Telecom, Insurance, Social Networking, Education. Values shown on the chart: 6 ↑, 1 ↑, 1 ↑, 12 ↑, 3 ↓, 3 ↑, 15 ↑, -, -.]

* Up/down arrows indicate the increase or decrease since the last report.

Page 17: Operationalize

[Diagram: Resources vs. Risk]

What is your organization's tolerance for risk (per website)?

1) Where do I start?
   Locate the websites you are responsible for
2) What do I do next?
   Rank websites based upon business criticality
3) What should I be concerned about first?
   Random Opportunistic, Directed Opportunistic, Fully Targeted
4) What is our current security posture?
   Vulnerability assessments, pen-tests, traffic monitoring
5) How best to improve our survivability?
   SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.

Page 18: Website Risk Management Infrastructure

Page 19

Recommended