SlideShare a Scribd company logo

Website Security Statistics Report (2010) - Industry Bechmarks (Slides)

Jeremiah Grossman
Jeremiah Grossman

Every organization needs to know where they stand with their application security program, especially against its adversaries. Verizon Business' 2010 Data Breach Investigations Report (DBIR), a study conducted in cooperation with the United States Secret Service, provides insight. The report analyzes over 141 confirmed data breaches from 2009 which resulted in the compromise of 143 million records. To be clear, this data set is restricted to incidents of a "data" breach, which is different than those only resulting in financial loss. Either way, the data is overwhelming. The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications." That is, hacking Web Servers and Web applications — "websites" for short. The attack vector of choice was SQL Injection, typically a vulnerability that can't readily be "patched," and used to install customized malware. Until now no metrics have been published which organizations can use as a benchmark to compare themselves against their industry peers. These benchmarks may help answer the question, "How are we doing?" or "Are we secure enough?" WhiteHat Security's 10th Website Security Statistics Report presents a statistical picture of the vulnerability assessment results from over 2,000 websites across 350 organizations under WhiteHat Sentinel management. For the first time, we've broken down the numbers by industry and size of organization. The data provides a unique perspective on the state of website security that may begin answering some of these pressing questions.

Technology
1 of 22
Download to read offline
10th Website Security Statistics Report Industry Benchmarks 2,000 + websites Jeremiah Grossman Founder & Chief Technology Officer Webcast 09.22.2010 © 2010 WhiteHat Security, Inc.
Jeremiah Grossman • WhiteHat Security Founder & CTO • Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007) • Frequent international conference speaker • Co-founder of the Web Application Security Consortium • Co-author: Cross-Site Scripting Attacks • Former Yahoo! information security officer © 2010 WhiteHat Security, Inc. | Page 2
WhiteHat Security • 350+ enterprise customers •Start-ups to Fortune 500 • Flagship offering “WhiteHat Sentinel Service” •1000’s of assessments performed annually • Recognized leader in website security •Quoted thousands of times by the mainstream press © 2010 WhiteHat Security, Inc. | Page 3
Data Overview • 350+ organizations (Start-ups to Fortune listed) • 2,000+ websites • 32,000+ verified custom web application vulnerabilities • Majority of websites assessed multiple times per month • Data collected from January 1, 2006 to August 25, 2010 Note:  The  websites  WhiteHat  Sen/nel   assesses  likely  represent  the  most   “important”  and  “secure”  websites  on   the  Web,  owned  by  organiza/on  that   are  very  serious  about  their  security. © 2010 WhiteHat Security, Inc. | Page 9 4
WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed • Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost • Production Safe – No Performance Impact • Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point • Unlimited Assessments – Anytime websites change • Eliminates False Positives – Security Operations Team verifies all vulnerabilities • Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes © 2010 WhiteHat Security, Inc. | Page 5
Website Classes of Attacks © 2010 WhiteHat Security, Inc. | Page 6
Attacker Targeting Fully Targeted (APT?) • Customize their own tools • Focused on business logic • Profit or goal driven ($$$) Directed Opportunistic • Commercial and Open Source Tools • Authentication scans • Multi-step processes (forms) Random Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately © 2010 WhiteHat Security, Inc. | Page 7
Avg. # of Serious* Vulnerabilities (Sorted by Industry) *  Serious  Vulnerabili2es:  Those  vulnerabili/es  with  a  HIGH,  CRITICAL,  or  URGENT  severity  as   defined  by  PCI-­‐DSS  naming  conven/ons.  Exploita/on  could  lead  to  breach  or  data  loss. © 2010 WhiteHat Security, Inc. | Page 8
Avg. # of Serious* Vulnerabilities (Sorted by Size of the Organization) !$#))& !"#$%& !"#$%&#'()*+#$',-'.)/0#$%+1/12#3' !"#*)& !"#))& !%#*)& !%#))& !!#'!& !!#*)& !!#%(& !!#))& !)#*)& !)#))& +,-./&0%1*))&,23&45/-&/67+48//9:& 6/3;<6&0!*)&=&%1*))&/67+48//9:& 96,++&0<7&>4&!*)&/67+48//9:& 4$&%015%2,0'615#' © 2010 WhiteHat Security, Inc. | Page 9
(Sorted by Organization Size & Industry) D<:<68II5/16.78/?% +"(+% ?I.::%J5K%A8%#!(%<IK:8L<<?M% !"*#% I<415I%J#!(%N%*O!((%<IK:8L<<?M% :.=2<%J*O!((%./4%8><=%<IK:8L<<?M% #)"&*% ;861.:%G<AH8=01/2% *#"'!% &"'$% #&"'(% F<A.1:% #&"*&% #$"&&% ##"*,% E><=.::% ##"$#% #'"&*% *&"+)% CD% #)"(!% *+"!!% C/?5=./6<% )"#&% #'"+'% @<.:AB6.=<% #+"'*% '")$% &"+'% 91/./61.:%;<=>16<?% !"!,% #("'&% +"((% 3456.78/% *)",)% $"&'% &"+!% -./01/2% &"$+% !"#$% ("((% !"((% #("((% #!"((% *("((% *!"((% © 2010 WhiteHat Security, Inc. | Page 10 '("((% '!"((%
Overall Top Vulnerability Classes Percentage likelihood of a website having a vulnerability by class © 2010 WhiteHat Security, Inc. | Page 11
Overall Top Vulnerability Classes (Sorted by Industry & Percentage Likelihood)
Overall Top Vulnerability Classes (Sorted by Size of Organization and Percentage Likelihood)
Time-to-Fix (Sorted by Industry) #!!" +!" *!" !"##"$%&'()*(+,-.()/(01(2.%3() )!" (!" ,-./0.1" '!" 2345-67." 80.-.50-9":;<=05;>" &!" ?;-9@A5-<;" %!" B.>4<-.5;" BC" $!" D=;<-99" #!" E;@-09" :750-9"F;@G7</0.1" !" C;9;57HH4.05-67.>" #" &" )" #!" #%" #(" #+" $$" $'" $*" %#" %&" %)" &!" &%" &(" &+" '$" '(" '+" ($" ('" (+" )$" )'" )+" *$" *+" +'"#!#" !&" #!" #+" $*" %%" &$" '%" ##" # # # # # # # $ 4'(0%3()5-#(6.768-9):*((;,<)) © 2010 WhiteHat Security, Inc. | Page 14
Time-to-Fix (Sorted by Industry & Performance) Leaders Above  Average Laggards Industry Top  25% Mid  25%  -­‐  50% Lower  50%  -­‐  75% Overall 5 13 30 Banking 2 3 13 Educa5on 5 14 19 Financial  Services 6 11 28 Healthcare 3 9 22 Insurance 10 22 39 IT 5 13 29 Retail 6 18 40 Social  Networking 3 9 28 Telecommunica5ons 2 5 25 © 2010 WhiteHat Security, Inc. | Page 15
(Sorted by Size of the Organization) Time-to-Fix #!!" +!" !"##"$%&'()*(+,-.()/(01(2.%3() *!" )!" (!" '!" &!" %!" ,-./0"1$2'!!"-34"560."078,5900:;" $!" 704<=7"1#'!">"$2'!!"078,5900:;" #!" :7-,,"1=8"?5"#'!"078,5900:;" !" #" &" )" $'" %#" ('" )'" +'" #!#" #!&" ##!" ##+" #$*" #%%" #&$" #'%" $##" #!" #%" #(" #+" $$" $*" %&" %)" &!" &%" &(" &+" '$" '(" '+" ($" (+" )$" )+" *$" *+" 4'(0%3()5-#(6.768-9):*((;,<)) Leaders Above  Average Laggards Size  of  OrganizaAon Top  25% Mid  25%  -­‐  50% Lower  50%  -­‐  75% small  (up  to  150  employees) 4 12 26 medium  (150  -­‐  2,500  employees) 5 10 26 large  (2,500  and  over  employees) 6 15 35
Remediation Rate (Percentage of Websites within Remediation Rate Ranges Sorted by Industry) H=;<-99# !'# ")# ")# "$# $+# C;9;57GG4.05-67.># !!# *# ""# *# (*# :750-9#E;@F7</0.1# !&# "!# ")# "'# $(# )#I#!)J# !"J#I#&)J# D;@-09# !&# ")# +# "*# &"# &"J#I#*)J# BC# &"# "%# +# ""# !!# *"J#I#')J# '"J#I#"))J# B.>4<-.5;# &$# "%# "$# $# !$# ?;-9@A5-<;# $!# (# ")# ""# &!# 80.-.50-9#:;<=05;># !%# ""# ")# "!# $'# 2345-67.# $"# ""# "&# "&# !+# ,-./0.1# !"# '# '# !# *!# )# ")# !)# $)# &)# ()# *)# %)# ')# +)# "))#
Remediation Rate (Sorted by Size of the Organization) )!# !"#$%&#'(#)#*+%,-.'(%/#' $!# (!# %!# %&# !$# !"# !!# "!# '!# &!# *+,-.#/&0!11#+23#45.,# 6.3;<6#/=!1#>#&0!11# 96+**#/<7#?4#=!1#.67*48..9:# .67*48..9:# .67*48..9:# © 2010 WhiteHat Security, Inc. | Page 18
Remediation Rate (Sorted by Industry and Organization Size) )"# @+2A;2-# !"#$%&#'(#)#*+%,-.'(%/#' ("# B3<C+D42# '"# E;2+2C;+*#F.,5;C.9# &"# G.+*?HC+,.# ""# I29<,+2C.# %"# IJ# $"# K5.,+**# !"# L.?+;*# *+,-.#/!0"11#+23#45.,# 6.3;<6#/="1#>#!0"11# 96+**#/<7#?4#="1#.67*48..9:# F4C;+*#M.?N4,A;2-# .67*48..9:# .67*48..9:# 0$&%.+1%,-.'2+1#' J.*.C466<2;C+D429# © 2010 WhiteHat Security, Inc. | Page 19
Why do vulnerabilities go unfixed? • No one at the organization understands or is responsible for maintaining the code. • Development group does not understand or respects the vulnerability. • Feature enhancements are prioritized ahead of security fixes. • Lack of budget to fix the issues. • Affected code is owned by an unresponsive third-party vendor. • Website will be decommissioned or replaced “soon.” • Risk of exploitation is accepted. • Solution conflicts with business use case. • Compliance does not require fixing the issue. © 2010 WhiteHat Security, Inc. | Page 20
1) Find your websites (all of them) Identifying an organizations complete Web presence is vital to a successful program. You can’t secure what you don’t know you own. Find out what websites there are, what they do, document the data they posses, who is responsible for them, and other helpful metadata. 2) Website Valuation & Prioritization Each website provides different value to an organization. Some process highly sensitive data, others contain only marketing brochure-ware. Some websites facilitate thousands of credit card transactions each day, others generate advertising revenue. When resources are limited prioritization must focus those assets offering the best risk reducing return-on- investment consistent with business objectives. 3) Adversaries & Risk Tolerance Not all adversaries, those attempting to compromise websites, have the same technical capability or end-goal. Some adversaries are sentient, others are autonomous, and their methods are different as is their target selection. 4) Measure your current security posture Vulnerability assessments and penetration tests are designed to simulate the technical capabilities of a given type of adversary’s (step #3) and measure the success they would have. Finding as many vulnerabilities as possible is a byproduct of the exercise. 5) Remediation & Mitigation From a risk management perspective it might be best to first fix a medium severity vulnerability on a main transactional website as opposed to a high severity issue in a non- critical system. Using the information obtain from steps 1 - 4 these decisions can be made with the confidence gained from the supporting data. © 2010 WhiteHat Security, Inc. | Page 21
Questions? Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com © 2010 WhiteHat Security, Inc. | Page 22

Recommended

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 

Recommended

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Jeremiah Grossman
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

More Related Content

More from Jeremiah Grossman

Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Jeremiah Grossman
 

More from Jeremiah Grossman (20)

Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"Web Application Security and Release of "WhiteHat Arsenal"
Web Application Security and Release of "WhiteHat Arsenal"
 

Recently uploaded

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 

Recently uploaded (20)

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 

Website Security Statistics Report (2010) - Industry Bechmarks (Slides)

  • 1. 10th Website Security Statistics Report Industry Benchmarks 2,000 + websites Jeremiah Grossman Founder & Chief Technology Officer Webcast 09.22.2010 © 2010 WhiteHat Security, Inc.
  • 2. Jeremiah Grossman • WhiteHat Security Founder & CTO • Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007) • Frequent international conference speaker • Co-founder of the Web Application Security Consortium • Co-author: Cross-Site Scripting Attacks • Former Yahoo! information security officer © 2010 WhiteHat Security, Inc. | Page 2
  • 3. WhiteHat Security • 350+ enterprise customers •Start-ups to Fortune 500 • Flagship offering “WhiteHat Sentinel Service” •1000’s of assessments performed annually • Recognized leader in website security •Quoted thousands of times by the mainstream press © 2010 WhiteHat Security, Inc. | Page 3
  • 4. Data Overview • 350+ organizations (Start-ups to Fortune listed) • 2,000+ websites • 32,000+ verified custom web application vulnerabilities • Majority of websites assessed multiple times per month • Data collected from January 1, 2006 to August 25, 2010 Note:  The  websites  WhiteHat  Sen/nel   assesses  likely  represent  the  most   “important”  and  “secure”  websites  on   the  Web,  owned  by  organiza/on  that   are  very  serious  about  their  security. © 2010 WhiteHat Security, Inc. | Page 9 4
  • 5. WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed • Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost • Production Safe – No Performance Impact • Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point • Unlimited Assessments – Anytime websites change • Eliminates False Positives – Security Operations Team verifies all vulnerabilities • Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes © 2010 WhiteHat Security, Inc. | Page 5
  • 6. Website Classes of Attacks © 2010 WhiteHat Security, Inc. | Page 6
  • 7. Attacker Targeting Fully Targeted (APT?) • Customize their own tools • Focused on business logic • Profit or goal driven ($$$) Directed Opportunistic • Commercial and Open Source Tools • Authentication scans • Multi-step processes (forms) Random Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately © 2010 WhiteHat Security, Inc. | Page 7
  • 8. Avg. # of Serious* Vulnerabilities (Sorted by Industry) *  Serious  Vulnerabili2es:  Those  vulnerabili/es  with  a  HIGH,  CRITICAL,  or  URGENT  severity  as   defined  by  PCI-­‐DSS  naming  conven/ons.  Exploita/on  could  lead  to  breach  or  data  loss. © 2010 WhiteHat Security, Inc. | Page 8
  • 9. Avg. # of Serious* Vulnerabilities (Sorted by Size of the Organization) !$#))& !"#$%& !"#$%&#'()*+#$',-'.)/0#$%+1/12#3' !"#*)& !"#))& !%#*)& !%#))& !!#'!& !!#*)& !!#%(& !!#))& !)#*)& !)#))& +,-./&0%1*))&,23&45/-&/67+48//9:& 6/3;<6&0!*)&=&%1*))&/67+48//9:& 96,++&0<7&>4&!*)&/67+48//9:& 4$&%015%2,0'615#' © 2010 WhiteHat Security, Inc. | Page 9
  • 10. (Sorted by Organization Size & Industry) D<:<68II5/16.78/?% +"(+% ?I.::%J5K%A8%#!(%<IK:8L<<?M% !"*#% I<415I%J#!(%N%*O!((%<IK:8L<<?M% :.=2<%J*O!((%./4%8><=%<IK:8L<<?M% #)"&*% ;861.:%G<AH8=01/2% *#"'!% &"'$% #&"'(% F<A.1:% #&"*&% #$"&&% ##"*,% E><=.::% ##"$#% #'"&*% *&"+)% CD% #)"(!% *+"!!% C/?5=./6<% )"#&% #'"+'% @<.:AB6.=<% #+"'*% '")$% &"+'% 91/./61.:%;<=>16<?% !"!,% #("'&% +"((% 3456.78/% *)",)% $"&'% &"+!% -./01/2% &"$+% !"#$% ("((% !"((% #("((% #!"((% *("((% *!"((% © 2010 WhiteHat Security, Inc. | Page 10 '("((% '!"((%
  • 11. Overall Top Vulnerability Classes Percentage likelihood of a website having a vulnerability by class © 2010 WhiteHat Security, Inc. | Page 11
  • 12. Overall Top Vulnerability Classes (Sorted by Industry & Percentage Likelihood)
  • 13. Overall Top Vulnerability Classes (Sorted by Size of Organization and Percentage Likelihood)
  • 14. Time-to-Fix (Sorted by Industry) #!!" +!" *!" !"##"$%&'()*(+,-.()/(01(2.%3() )!" (!" ,-./0.1" '!" 2345-67." 80.-.50-9":;<=05;>" &!" ?;-9@A5-<;" %!" B.>4<-.5;" BC" $!" D=;<-99" #!" E;@-09" :750-9"F;@G7</0.1" !" C;9;57HH4.05-67.>" #" &" )" #!" #%" #(" #+" $$" $'" $*" %#" %&" %)" &!" &%" &(" &+" '$" '(" '+" ($" ('" (+" )$" )'" )+" *$" *+" +'"#!#" !&" #!" #+" $*" %%" &$" '%" ##" # # # # # # # $ 4'(0%3()5-#(6.768-9):*((;,<)) © 2010 WhiteHat Security, Inc. | Page 14
  • 15. Time-to-Fix (Sorted by Industry & Performance) Leaders Above  Average Laggards Industry Top  25% Mid  25%  -­‐  50% Lower  50%  -­‐  75% Overall 5 13 30 Banking 2 3 13 Educa5on 5 14 19 Financial  Services 6 11 28 Healthcare 3 9 22 Insurance 10 22 39 IT 5 13 29 Retail 6 18 40 Social  Networking 3 9 28 Telecommunica5ons 2 5 25 © 2010 WhiteHat Security, Inc. | Page 15
  • 16. (Sorted by Size of the Organization) Time-to-Fix #!!" +!" !"##"$%&'()*(+,-.()/(01(2.%3() *!" )!" (!" '!" &!" %!" ,-./0"1$2'!!"-34"560."078,5900:;" $!" 704<=7"1#'!">"$2'!!"078,5900:;" #!" :7-,,"1=8"?5"#'!"078,5900:;" !" #" &" )" $'" %#" ('" )'" +'" #!#" #!&" ##!" ##+" #$*" #%%" #&$" #'%" $##" #!" #%" #(" #+" $$" $*" %&" %)" &!" &%" &(" &+" '$" '(" '+" ($" (+" )$" )+" *$" *+" 4'(0%3()5-#(6.768-9):*((;,<)) Leaders Above  Average Laggards Size  of  OrganizaAon Top  25% Mid  25%  -­‐  50% Lower  50%  -­‐  75% small  (up  to  150  employees) 4 12 26 medium  (150  -­‐  2,500  employees) 5 10 26 large  (2,500  and  over  employees) 6 15 35
  • 17. Remediation Rate (Percentage of Websites within Remediation Rate Ranges Sorted by Industry) H=;<-99# !'# ")# ")# "$# $+# C;9;57GG4.05-67.># !!# *# ""# *# (*# :750-9#E;@F7</0.1# !&# "!# ")# "'# $(# )#I#!)J# !"J#I#&)J# D;@-09# !&# ")# +# "*# &"# &"J#I#*)J# BC# &"# "%# +# ""# !!# *"J#I#')J# '"J#I#"))J# B.>4<-.5;# &$# "%# "$# $# !$# ?;-9@A5-<;# $!# (# ")# ""# &!# 80.-.50-9#:;<=05;># !%# ""# ")# "!# $'# 2345-67.# $"# ""# "&# "&# !+# ,-./0.1# !"# '# '# !# *!# )# ")# !)# $)# &)# ()# *)# %)# ')# +)# "))#
  • 18. Remediation Rate (Sorted by Size of the Organization) )!# !"#$%&#'(#)#*+%,-.'(%/#' $!# (!# %!# %&# !$# !"# !!# "!# '!# &!# *+,-.#/&0!11#+23#45.,# 6.3;<6#/=!1#>#&0!11# 96+**#/<7#?4#=!1#.67*48..9:# .67*48..9:# .67*48..9:# © 2010 WhiteHat Security, Inc. | Page 18
  • 19. Remediation Rate (Sorted by Industry and Organization Size) )"# @+2A;2-# !"#$%&#'(#)#*+%,-.'(%/#' ("# B3<C+D42# '"# E;2+2C;+*#F.,5;C.9# &"# G.+*?HC+,.# ""# I29<,+2C.# %"# IJ# $"# K5.,+**# !"# L.?+;*# *+,-.#/!0"11#+23#45.,# 6.3;<6#/="1#>#!0"11# 96+**#/<7#?4#="1#.67*48..9:# F4C;+*#M.?N4,A;2-# .67*48..9:# .67*48..9:# 0$&%.+1%,-.'2+1#' J.*.C466<2;C+D429# © 2010 WhiteHat Security, Inc. | Page 19
  • 20. Why do vulnerabilities go unfixed? • No one at the organization understands or is responsible for maintaining the code. • Development group does not understand or respects the vulnerability. • Feature enhancements are prioritized ahead of security fixes. • Lack of budget to fix the issues. • Affected code is owned by an unresponsive third-party vendor. • Website will be decommissioned or replaced “soon.” • Risk of exploitation is accepted. • Solution conflicts with business use case. • Compliance does not require fixing the issue. © 2010 WhiteHat Security, Inc. | Page 20
  • 21. 1) Find your websites (all of them) Identifying an organizations complete Web presence is vital to a successful program. You can’t secure what you don’t know you own. Find out what websites there are, what they do, document the data they posses, who is responsible for them, and other helpful metadata. 2) Website Valuation & Prioritization Each website provides different value to an organization. Some process highly sensitive data, others contain only marketing brochure-ware. Some websites facilitate thousands of credit card transactions each day, others generate advertising revenue. When resources are limited prioritization must focus those assets offering the best risk reducing return-on- investment consistent with business objectives. 3) Adversaries & Risk Tolerance Not all adversaries, those attempting to compromise websites, have the same technical capability or end-goal. Some adversaries are sentient, others are autonomous, and their methods are different as is their target selection. 4) Measure your current security posture Vulnerability assessments and penetration tests are designed to simulate the technical capabilities of a given type of adversary’s (step #3) and measure the success they would have. Finding as many vulnerabilities as possible is a byproduct of the exercise. 5) Remediation & Mitigation From a risk management perspective it might be best to first fix a medium severity vulnerability on a main transactional website as opposed to a high severity issue in a non- critical system. Using the information obtain from steps 1 - 4 these decisions can be made with the confidence gained from the supporting data. © 2010 WhiteHat Security, Inc. | Page 21
  • 22. Questions? Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com © 2010 WhiteHat Security, Inc. | Page 22