WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on previously unknown vulnerabilities in custom Web applications, the code that is unique to an organization, as found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes take on average, and how every application security program can measurably improve. The report is organized by industry and is accompanied by WhiteHat Security’s expert analysis and recommendations.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.
JEREMIAH GROSSMAN
Founder and CTO
Twitter: @jeremiahg
Email: jeremiah@whitehatsec.com
Thank you!
GABRIEL GUMBS
Sr. Solutions Architect
Twitter: @GabrielGumbs
Email: gabriel.gumbs@whitehatsec.com
Editor's Notes
Not Technology
The connections from the various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.
Assign an individual or group that is accountable for website security: These individuals or groups may include the board of directors, executive management, security teams, and software developers. They should be commissioned and authorized to establish a culturally consistent incentives program that will move the organization in a positive direction with respect to security.

Find your websites – all of them – and prioritize: Prioritization can be based on business criticality, data sensitivity, revenue generation, traffic volume, number of users, or other criteria the organization deems important. Knowing what systems need to be defended and what value they have to the organization provides a barometer for an appropriate level of security investment.

Measure your current security posture from an attacker’s perspective: This step is not just about identifying vulnerabilities; while that is a byproduct of the exercise, it is about understanding what classes of adversaries you need to defend against and what your current exposure to them is. Just finding vulnerabilities is not enough. Measure your security posture the same way a bad guy would before they exploit the system, and fix first the vulnerabilities that attacker would reach for first.

Trend and track the lifecycle of vulnerabilities: At a minimum, measure how many vulnerabilities are introduced per production code release, which vulnerability classes are most prevalent, the average number of days it takes to remediate them, and the overall remediation rate. The result provides a way to track the organization’s progress over time and serves as a guide for which of the SDLC-related activities are likely to make the most impact. Anything measured tends to improve.

Fast detection and response: It has been prudent to operate under the assumption that [all] networks are compromised, especially since everyone is only one zero-day away from a break-in.
Borrowing from that frame of reference, application security professionals are well advised to take a similar approach and focus on the consequences of that assumption, starting with the question “If my application is already vulnerable, what action(s) should I begin taking?” If an organization is breached, the real damage happens when the adversary remains in the system for days, weeks, or months. If the adversary can be identified and kicked off the system within hours, the business impact of a breach can be minimized.
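The four lifecycle measures named above (vulnerabilities introduced per production release, prevalence by class, average days to remediate, and overall remediation rate) are simple to compute once findings are recorded with the release that introduced them and their open and close dates. The following is an added example, not WhiteHat Sentinel code or data: the FINDINGS records are constructed for illustration, and the class names, release labels, and the aging threshold are assumptions. It also adds two measures the report does not list but which fall out of the same data: mean time-to-fix per class, and which open findings have exceeded an age threshold, since findings that were never closed must be counted in the remediation rate but excluded from the time-to-fix average.

```python
"""Vulnerability-lifecycle metrics over a constructed assessment dataset.

Added example (not WhiteHat's code or data). The records below are
invented so the functions can run offline; field names and values are
assumptions about how an assessment tracker might export findings.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample: one row per vulnerability found on a site.
#   release -> the production release in which the finding first appeared
#   cls     -> vulnerability class reported by the assessor
#   opened  -> date the finding was first reported
#   closed  -> date a re-test confirmed the fix (None = still open)
FINDINGS = [
    {"id": 1, "site": "shop.example", "release": "2013.1", "cls": "XSS",
     "opened": date(2013, 1, 7), "closed": date(2013, 1, 30)},
    {"id": 2, "site": "shop.example", "release": "2013.1", "cls": "SQL Injection",
     "opened": date(2013, 1, 7), "closed": date(2013, 1, 12)},
    {"id": 3, "site": "api.example", "release": "2013.1", "cls": "XSS",
     "opened": date(2013, 1, 9), "closed": None},
    {"id": 4, "site": "shop.example", "release": "2013.2", "cls": "Information Leakage",
     "opened": date(2013, 2, 11), "closed": date(2013, 3, 13)},
    {"id": 5, "site": "api.example", "release": "2013.2", "cls": "XSS",
     "opened": date(2013, 2, 11), "closed": None},
    {"id": 6, "site": "shop.example", "release": "2013.2", "cls": "CSRF",
     "opened": date(2013, 2, 12), "closed": date(2013, 4, 3)},
    {"id": 7, "site": "www.example", "release": "2013.3", "cls": "XSS",
     "opened": date(2013, 3, 18), "closed": date(2013, 3, 20)},
    {"id": 8, "site": "www.example", "release": "2013.3", "cls": "Content Spoofing",
     "opened": date(2013, 3, 18), "closed": None},
]


def introduced_per_release(findings):
    """Number of findings introduced by each production release."""
    return dict(Counter(f["release"] for f in findings))


def prevalence_by_class(findings):
    """Vulnerability classes ordered from most to least prevalent."""
    return Counter(f["cls"] for f in findings).most_common()


def avg_days_to_remediate(findings):
    """Mean open-to-closed days over fixed findings only.

    Still-open findings have no close date and are excluded here; they are
    accounted for by remediation_rate() and overdue_open_ids() instead.
    Returns None when nothing has been fixed yet.
    """
    fixed = [(f["closed"] - f["opened"]).days for f in findings if f["closed"]]
    return mean(fixed) if fixed else None


def days_to_remediate_by_class(findings):
    """Mean time-to-fix for each class, again over fixed findings only."""
    by_cls = defaultdict(list)
    for f in findings:
        if f["closed"]:
            by_cls[f["cls"]].append((f["closed"] - f["opened"]).days)
    return {cls: mean(days) for cls, days in by_cls.items()}


def remediation_rate(findings):
    """Fraction of all findings with a confirmed fix (0.0 when empty)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["closed"]) / len(findings)


def overdue_open_ids(findings, as_of, max_age_days):
    """IDs of findings still open on `as_of` for more than max_age_days."""
    return sorted(f["id"] for f in findings
                  if f["closed"] is None
                  and (as_of - f["opened"]).days > max_age_days)


def lifecycle_report(findings, as_of, max_age_days=60):
    """Bundle the measures into one dict suitable for trending over time."""
    return {
        "introduced_per_release": introduced_per_release(findings),
        "prevalence_by_class": prevalence_by_class(findings),
        "avg_days_to_remediate": avg_days_to_remediate(findings),
        "days_to_remediate_by_class": days_to_remediate_by_class(findings),
        "remediation_rate": remediation_rate(findings),
        "overdue_open_ids": overdue_open_ids(findings, as_of, max_age_days),
    }


if __name__ == "__main__":
    for key, value in lifecycle_report(FINDINGS, date(2013, 4, 15)).items():
        print(f"{key}: {value}")
```

Running the report on the constructed data shows why the measures must be read together: the average time-to-fix looks healthy (22 days) only because the three findings that were never closed, two of them older than 60 days, are not in that average; they surface instead as a 62.5% remediation rate and in the overdue list.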