Page 1: WhiteHat Security Website Security Statistics Report, MAY 2013

WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)

ME

Jeremiah Grossman
• Founder and CTO of WhiteHat Security
• TED Alumni
• InfoWorld Top 25 CTO
• Co-founder of the WASC
• Co-author: XSS Attacks
• Former Yahoo! Information Security Officer
• Brazilian Jiu-Jitsu Black Belt

Gabriel Gumbs
• Director, Solutions Architecture
• Multi-domain Information Security Professional
• 13 years’ enterprise industry experience
• Avid triathlete

© 2013 WhiteHat Security, Inc.

THE COMPANY

WhiteHat Security, Inc.
• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 270+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 650+ (banking, retail, healthcare, etc.)

HISTORY

What we knew going into 2012...

•  “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” –Verizon Data Breach Investigations Report (2012)

•  “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” –Privacyrights.org

REASONS

1) LEGACY WEB CODE
2) BUDGET MISALLOCATION
3) “BEST-PRACTICES”

ABOUT THE DATA


AT A GLANCE

Average annual number of new serious* vulnerabilities introduced per website

* Serious Vulnerability: A security weakness that, if exploited, may lead to a breach or data loss of a system, its data, or its users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)

AT A GLANCE: INDUSTRY (2012)

(Chart not reproduced in the transcript.)


WINDOW OF EXPOSURE

The average number of days in a year a website is exposed to at least one serious* vulnerability.
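One way to compute that metric from a set of vulnerability records, as an added example (not code from the report or WhiteHat's own method). The records are constructed; the day-counting convention (open and close days both count, an unresolved vulnerability runs to 31 Dec, overlapping vulnerabilities on one site are merged so a day is never counted twice) is an assumption, since the deck does not state it.

```python
from datetime import date

# Constructed sample records: (site, opened, closed); closed=None means the
# vulnerability was still open at the end of the year. All values are invented.
SAMPLE_VULNS = [
    ("shop.example", date(2011, 12, 1), date(2012, 1, 5)),   # opened before the year
    ("shop.example", date(2012, 1, 10), date(2012, 2, 9)),
    ("shop.example", date(2012, 2, 1), date(2012, 3, 1)),    # overlaps the previous one
    ("portal.example", date(2012, 6, 1), None),              # not resolved in 2012
    ("static.example", date(2012, 4, 1), date(2012, 4, 1)),  # found and fixed same day
]


def window_of_exposure(vulns, year):
    """Days in `year` on which at least one serious vulnerability was open.

    Intervals are clipped to the calendar year, an unresolved vulnerability runs
    to 31 Dec, and overlapping intervals are merged so no day is counted twice.
    Open and close dates are both counted as exposed days (assumed convention).
    """
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    clipped = []
    for opened, closed in vulns:
        start = max(opened, year_start)
        end = min(closed or year_end, year_end)
        if start <= end:  # drop anything entirely outside the year
            clipped.append((start, end))
    exposed, run_start, run_end = 0, None, None
    for start, end in sorted(clipped):
        if run_end is None or start > run_end:  # gap: close the previous run
            if run_end is not None:
                exposed += (run_end - run_start).days + 1
            run_start, run_end = start, end
        else:  # overlap: extend the current run
            run_end = max(run_end, end)
    if run_end is not None:
        exposed += (run_end - run_start).days + 1
    return exposed


def average_window(records, year):
    """Per-site exposure days plus their mean, the figure the deck reports."""
    by_site = {}
    for site, opened, closed in records:
        by_site.setdefault(site, []).append((opened, closed))
    per_site = {site: window_of_exposure(v, year) for site, v in by_site.items()}
    return per_site, sum(per_site.values()) / len(per_site)


if __name__ == "__main__":
    per_site, avg = average_window(SAMPLE_VULNS, 2012)
    print(per_site, round(avg, 1))  # shop 57, portal 214, static 1; mean 90.7
```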

MOST COMMON VULNS

Top 15 Vulnerability Classes (2012): percentage likelihood that at least one serious* vulnerability will appear in a website (chart also shows 2011 figures; not reproduced in the transcript)


TOP 7: BY INDUSTRY

OVERALL

Overall Vulnerability Population (2012): percentage breakdown of all the serious* vulnerabilities discovered (sorted by vulnerability class)

ATTACKS IN-THE-WILD

WASC: Web Hacking Incident Database
http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database

SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)

INDUSTRY CORRELATION

(Slides 15 to 24: charts not reproduced in the transcript; source cited on several of them: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database)

SDLC SURVEY

(Slides 25 and 26: charts not reproduced in the transcript; source cited: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database)

SURVEY: BREACH CORRELATION

BREACH CORRELATION

Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.


Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.


Organizations that performed Static Code Analysis on their website(s)’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.


Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.


Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.

SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION

ACCOUNTABILITY

(Slides 36 to 44: charts not reproduced in the transcript; source cited on several of them: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database)

SOME LESSONS LEARNED (SO FAR)

• “Best-Practices”: there aren’t any!
• Assign an individual or group that is accountable for website security
• Find your websites – all of them – and prioritize
• Measure your current security posture from an attacker’s perspective
• Trend and track the lifecycle of vulnerabilities
• Fast detection and response

Questions & Answers

Thank you!

JEREMIAH GROSSMAN, Founder and CTO
Twitter: @jeremiahg Email: [email protected]

GABRIEL GUMBS, Director, Solutions Architecture
Twitter: @gabrielgumbs Email: [email protected]