WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)
Jeremiah Grossman
© 2013 WhiteHat Security, Inc. 2
ME
• Founder and CTO of WhiteHat Security
• TED Alumni
• InfoWorld Top 25 CTO
• Co-founder of the WASC
• Co-author: XSS Attacks
• Former Yahoo! Information Security Officer
• Brazilian Jiu-Jitsu Black Belt

Gabriel Gumbs
• Director, Solutions Architecture
• Multi-domain Information Security Professional
• 13 years’ enterprise industry experience
• Avid triathlete

THE COMPANY
WhiteHat Security, Inc.
• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 270+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 650+ (banking, retail, healthcare, etc.)

HISTORY
What we knew going into 2012...
• “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” –Verizon Data Breach Investigations Report (2012)
• “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” –Privacyrights.org
REASONS: 1) LEGACY WEB CODE 2) BUDGET MISALLOCATION 3) “BEST-PRACTICES”
ABOUT THE DATA
AT A GLANCE
Average annual amount of new serious* vulnerabilities introduced per website
* Serious Vulnerability: A security weakness that, if exploited, may lead to breach or data loss of a system, its data, or users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
AT A GLANCE: INDUSTRY (2012)
WINDOW OF EXPOSURE
The average number of days in a year a website is exposed to at least one serious* vulnerability.
MOST COMMON VULNS
Top 15 Vulnerability Classes (2012, with 2011 for comparison): percentage likelihood that at least one serious* vulnerability of the class will appear in a website
TOP 7: BY INDUSTRY
OVERALL
Overall Vulnerability Population (2012): percentage breakdown of all the serious* vulnerabilities discovered (sorted by vulnerability class)

ATTACKS IN-THE-WILD
WASC: Web Hacking Incident Database
http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)
INDUSTRY CORRELATION
(chart slides)

SDLC SURVEY
(chart slides)
SURVEY: BREACH CORRELATION
BREACH CORRELATION
• Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
• Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
• Organizations that performed Static Code Analysis on their websites’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
• Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
• Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
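The deck defines three measurements without showing how they are computed: the Window of Exposure (days in a year a site has at least one serious vulnerability open), the per-class likelihood that a site has at least one vulnerability of that class, and the remediation rate and time-to-fix that the breach-correlation findings above compare. The following Python is an added example, not WhiteHat's or Sentinel's code, and the vulnerability records in it are constructed for illustration. The one non-obvious step is that Window of Exposure must merge overlapping open intervals, otherwise two simultaneous findings are double-counted and a site can end up "exposed" for more than 365 days.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vuln:
    site: str
    vuln_class: str
    opened: date
    closed: Optional[date]  # None means still open at the end of the window

# Measurement window: calendar year 2012, end exclusive.
YEAR_START = date(2012, 1, 1)
YEAR_END = date(2013, 1, 1)

def exposure_days(vulns, start=YEAR_START, end=YEAR_END):
    """Window of Exposure: number of days in [start, end) during which at
    least one vulnerability was open. Overlapping intervals are merged so
    concurrent findings count once; intervals outside the window are clipped."""
    intervals = []
    for v in vulns:
        lo = max(v.opened, start)
        hi = min(v.closed or end, end)
        if lo < hi:
            intervals.append((lo, hi))
    intervals.sort()
    total, cur = 0, None
    for lo, hi in intervals:
        if cur is None or lo > cur[1]:         # gap: flush the merged run
            if cur is not None:
                total += (cur[1] - cur[0]).days
            cur = [lo, hi]
        else:                                  # overlap: extend the run
            cur[1] = max(cur[1], hi)
    if cur is not None:
        total += (cur[1] - cur[0]).days
    return total

def remediation_rate(vulns):
    """Fraction of findings that have been closed."""
    return sum(1 for v in vulns if v.closed) / len(vulns) if vulns else 0.0

def avg_time_to_fix(vulns):
    """Mean days from discovery to closure, over closed findings only."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed]
    return sum(fixed) / len(fixed) if fixed else None

def by_site(vulns):
    groups = {}
    for v in vulns:
        groups.setdefault(v.site, []).append(v)
    return groups

def site_metrics(vulns):
    """Per-site exposure days, remediation rate and average time-to-fix."""
    return {site: {"exposure_days": exposure_days(vs),
                   "remediation_rate": remediation_rate(vs),
                   "avg_time_to_fix_days": avg_time_to_fix(vs)}
            for site, vs in by_site(vulns).items()}

def fleet_window_of_exposure(vulns):
    """Average exposure days across all sites (the deck's headline metric)."""
    per_site = [exposure_days(vs) for vs in by_site(vulns).values()]
    return sum(per_site) / len(per_site)

def class_likelihood(vulns):
    """Fraction of sites with at least one finding of each vulnerability class."""
    sites = {v.site for v in vulns}
    hits = {}
    for v in vulns:
        hits.setdefault(v.vuln_class, set()).add(v.site)
    return {c: len(s) / len(sites) for c, s in hits.items()}

# Constructed sample data (hypothetical hostnames, not real findings).
SAMPLE = [
    Vuln("shop.example", "Cross-Site Scripting", date(2012, 1, 10), date(2012, 2, 9)),
    Vuln("shop.example", "SQL Injection",        date(2012, 1, 25), date(2012, 3, 5)),
    Vuln("shop.example", "Information Leakage",  date(2012, 11, 1), None),
    Vuln("bank.example", "Cross-Site Request Forgery", date(2011, 12, 1), date(2012, 1, 15)),
    Vuln("bank.example", "Cross-Site Scripting", date(2012, 6, 1), date(2012, 6, 8)),
]

if __name__ == "__main__":
    for site, m in site_metrics(SAMPLE).items():
        print(site, m)
    print("fleet window of exposure:", fleet_window_of_exposure(SAMPLE))
    print("class likelihood:", class_likelihood(SAMPLE))
```

On the sample, shop.example's two overlapping early findings contribute 55 days rather than 70, the still-open finding is clipped at year end, and bank.example's CSRF finding is clipped at year start, which is why a fleet-wide Window of Exposure is only meaningful when every record carries its discovery and closure dates.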
SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION

ACCOUNTABILITY
(chart slides)
SOME LESSONS LEARNED (SO FAR)
LESSONS
• “Best-Practices”: there aren’t any!
• Assign an individual or group that is accountable for website security
• Find your websites – all of them – and prioritize
• Measure your current security posture from an attacker’s perspective
• Trend and track the lifecycle of vulnerabilities
• Fast detection and response
Questions & Answers
JEREMIAH GROSSMAN, Founder and CTO
Twitter: @jeremiahg
Email: [email protected]
GABRIEL GUMBS, Director, Solutions Architecture
Twitter: @gabrielgumbs
Email: [email protected]
Thank you!