
WhiteHat Security Website Statistics [Full Report] (2013)

Date post: 02-Nov-2014
Upload: jeremiah-grossman
WEBSITE SECURITY STATISTICS REPORT | MAY 2013

INTRODUCTION

WhiteHat Security's Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely. Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.

To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve.
The report is organized by industry, and is accompanied by WhiteHat Security's expert analysis and recommendations. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.

ABOUT WHITEHAT SECURITY

Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company's cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company's flagship product line, currently manages more than 15,000 websites including sites in the most regulated industries, such as top e-commerce, financial services and healthcare companies.

EXECUTIVE SUMMARY

KEY FINDINGS

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY

[Chart: years 2007 to 2011 on the horizontal axis, scale 200 to 1000 on the vertical axis; plotted values are not recoverable from the transcript]

MOST COMMON VULNERABILITIES
[Chart: share of vulnerabilities by class: Cross-Site Scripting, Information Leakage, Content Spoofing, Cross-Site Request Forgery, Brute Force, Insufficient Transport Layer Protection, Insufficient Authorization, SQL Injection, Other; the slice labels 43%, 13%, 12%, 11% and 7% cannot be attributed to classes from the transcript]

C-level executives, managers, and software developers often ask their security teams, "How are we doing? Are we safe, are we secure?" The real thing they may be asking for is a sense of how the organization's current security posture compares to their peers or competitors. They want to know if the organization is leading, falling way behind, or is somewhere in between with respect to their security posture. The answers to that question are extremely helpful for progress tracking and goal setting.

What many do not first consider is that some organizations (or particular websites) are targets of opportunity, while others are targets of choice. Targets of opportunity are breached when their security posture is weaker than the average organization (in their industry) and they get unlucky in the total pool of potential victims. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker. The attackers know precisely whom or what they want to penetrate.

Here's the thing: since 100% security is an unrealistic goal (mostly because it is flatly impossible, and the attempt is prohibitively expensive and, for many, completely unnecessary), it is imperative for every organization to determine if they most likely represent a target of opportunity or choice. In doing so an organization may establish and measure against a "secure enough" bar.

If an organization is a target of opportunity, a goal of being just above average with respect to website security among peers is reasonable. The bad guy will generally prefer to attack weaker, and therefore easier to breach, targets.
On the other hand, if an organization is a target of choice, that organization must elevate its website security posture to a point where an attacker's efforts are detectable, preventable, and in case of a compromise, survivable. This is due to the fact that an adversary will spend whatever time is necessary looking for gaps in the defenses to exploit.

Whether an organization is a target of choice or a target of opportunity, the following Industry Scorecards have been prepared to help organizations visualize how their security posture compares to their peers (provided they know their own internal metrics, of course).

INDUSTRY SCORECARDS

Banking Industry Scorecard (April 2013)

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
  Percent of analyzed sites with a serious* vulnerability: 81%
  Percent of serious* vulnerabilities that have been fixed: 54%
  Average time to fix: 107 days
  Average number of serious* vulnerabilities per site per year: 11

TOP SEVEN VULNERABILITY CLASSES (percent of sites that had at least one example of each)
  Cross-Site Scripting: 26%
  Information Leakage: 21%
  Content Spoofing: 9%
  Cross-Site Request Forgery: 9%
  Brute Force: 8%
  Fingerprinting: 8%
  Insufficient Authorization: 5%

CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
  Programmers receive instructor-led or computer-based software security training: 57%
  Applications contain a library or framework that centralizes and enforces security controls: 29%
  Perform Static Code Analysis on their website(s)' underlying applications: 57%
  Web Application Firewall deployed: 29%
  Transactional / Anti-Fraud Monitoring System deployed: 71%

EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
  Always Vulnerable: 24%
  Frequently Vulnerable (271-364 days a year): 33%
  Regularly Vulnerable (151-270 days a year): 9%
  Occasionally Vulnerable (31-150 days a year): 11%
  Rarely Vulnerable (30 days or less a year): 24%

*Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements.

Financial Services Industry Scorecard

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
  Percent of analyzed sites with a serious* vulnerability: 81%
  Percent of serious* vulnerabilities that have been fixed: 67%
  Average time to fix: 226 days
  Average number of serious* vulnerabilities per site per year: 50

TOP SEVEN VULNERABILITY CLASSES (percent of sites that had at least one example of each)
  Cross-Site Scripting: 31%
  Information Leakage: 25%
  Content Spoofing: 12%
  SQL Injection: 9%
  Cross-Site Request Forgery: 8%
  Brute Force: 7%
  Directory Indexing: 7%

CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
  Programmers receive instructor-led or computer-based software security training: 64%
  Applications contain a library or framework that centralizes and enforces security controls: 70%
  Perform Static Code Analysis on their website(s)' underlying applications: 50%
  Web Application Firewall deployed: 50%
  Transactional / Anti-Fraud Monitoring System deployed: 40%

EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
  Always Vulnerable: 28%
  Frequently Vulnerable (271-364 days a year): 38%
  Regularly Vulnerable (151-270 days a year): 10%
  Occasionally Vulnerable (31-150 days a year): 10%
  Rarely Vulnerable (30 days or less a year): 23%
Healthcare Industry Scorecard (April 2013)

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
  Percent of analyzed sites with a serious* vulnerability: 90%
  Percent of serious* vulnerabilities that have been fixed: 53%
  Average time to fix: 276 days
  Average number of serious* vulnerabilities per site per year: 22

TOP SEVEN VULNERABILITY CLASSES (percent of sites that had at least one example of each)
  Cross-Site Scripting: 40%
  Information Leakage: 29%
  Content Spoofing: 22%
  Brute Force: 13%
  Insufficient Transport Layer Protection: 12%
  Cross-Site Request Forgery: 10%
  Session Fixation: 9%

CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
  Programmers receive instructor-led or computer-based software security training: 67%
  Applications contain a library or framework that centralizes and enforces security controls: 67%
  Perform Static Code Analysis on their website(s)' underlying applications: 83%
  Web Application Firewall deployed: 50%
  Transactional / Anti-Fraud Monitoring System deployed: 34%

EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
  Always Vulnerable: 48%
  Frequently Vulnerable (271-364 days a year): 22%
  Regularly Vulnerable (151-270 days a year): 12%
  Occasionally Vulnerable (31-150 days a year): 7%
  Rarely Vulnerable (30 days or less a year): 10%

*Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements.
Retail Industry Scorecard (April 2013)

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
  Percent of analyzed sites with a serious* vulnerability: 91%
  Percent of serious* vulnerabilities that have been fixed: 54%
  Average time to fix: 224 days
  Average number of serious* vulnerabilities per site per year: 106

TOP SEVEN VULNERABILITY CLASSES (percent of sites that had at least one example of each)
  Cross-Site Scripting: 31%
  Information Leakage: 25%
  Content Spoofing: 12%
  Brute Force: 9%
  SQL Injection: 8%
  Cross-Site Request Forgery: 7%
  Directory Indexing: 7%

CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
  Programmers receive instructor-led or computer-based software security training: 73%
  Applications contain a library or framework that centralizes and enforces security controls: 60%
  Perform Static Code Analysis on their website(s)' underlying applications: 90%
  Web Application Firewall deployed: 70%
  Transactional / Anti-Fraud Monitoring System deployed: 70%

EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
  Always Vulnerable: 54%
  Frequently Vulnerable (271-364 days a year): 21%
  Regularly Vulnerable (151-270 days a year): 6%
  Occasionally Vulnerable (31-150 days a year): 5%
  Rarely Vulnerable (30 days or less a year): 13%

*Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements.
Technology Industry Scorecard (April 2013)

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
  Percent of analyzed sites with a serious* vulnerability: 85%
  Percent of serious* vulnerabilities that have been fixed: 61%
  Average time to fix: 71 days
  Average number of serious* vulnerabilities per site per year: 18

TOP SEVEN VULNERABILITY CLASSES (percent of sites that had at least one example of each)
  Cross-Site Scripting: 41%
  Information Leakage: 35%
  Content Spoofing: 19%
  Cross-Site Request Forgery: 18%
  Brute Force: 14%
  Fingerprinting: 12%
  URL Redirector Abuse: 12%

CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS
  Programmers receive instructor-led or computer-based software security training: 48%
  Applications contain a library or framework that centralizes and enforces security controls: 52%
  Perform Static Code Analysis on their website(s)' underlying applications: 96%
  Web Application Firewall deployed: 72%
  Transactional / Anti-Fraud Monitoring System deployed: 32%

EXPOSURE: DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES
  Always Vulnerable: 5%
  Frequently Vulnerable (271-364 days a year): 64%
  Regularly Vulnerable (151-270 days a year): 10%
  Occasionally Vulnerable (31-150 days a year): 9%
  Rarely Vulnerable (30 days or less a year): 11%

*Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements.

SURVEY

[Figures 7 to 11: survey charts; captions and values are not recoverable from the transcript]
[Figures 14 to 25: survey charts; captions and values are not recoverable from the transcript]

Question: If an organization experiences a website(s) data or system breach, which part of the organization is held accountable, and what is its performance?

Answers compared:
  Software Development
  Security Department
  Board of Directors
  Executive Management

Each answer is ranked (1st to 4th) on:
  Average Vulnerabilities per Site
  Average Time to Fix a Vulnerability
  Average Number of Vulnerabilities Fixed

[Table: the rank positions are present in the transcript but cannot be attributed to individual cells]

[Figures 37 to 40: survey charts; captions and values are not recoverable from the transcript]

RECOMMENDATIONS

[Chart: Top 10 Vulnerability Classes (2011), sorted by vulnerability class]

[Chart: Overall Vulnerability Population (2011), percentage breakdown of all the serious* vulnerabilities discovered, sorted by vulnerability class]