WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)
THE COMPANY
WhiteHat Security, Inc.
• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 270+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 650+ (banking, retail, healthcare, etc.)
© 2013 WhiteHat Security, Inc. 2
POLLING QUESTION
(Please vote now)
How would you characterize yourself?
What we knew going into 2012...
HISTORY
• “Web applications abound in many larger companies, and
remain a popular (54% of breaches) and successful (39% of
records) attack vector.” –Verizon Data Breach Investigations Report (2012)
• “SQL injection was the means used to extract 83 percent of the
total records stolen in successful hacking-related data
breaches from 2005 to 2011.” –Privacyrights.org
REASONS:
1) LEGACY WEB CODE
2) BUDGET MISALLOCATION
3) “BEST-PRACTICES”
ABOUT THE DATA
AT A GLANCE
Average annual number of new serious* vulnerabilities introduced per website
* Serious Vulnerability: A security weakness that if exploited may lead to breach or data
loss of a system, its data, or users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
AT A GLANCE: INDUSTRY
2012
WINDOW OF EXPOSURE
The average number of days in a year a website is exposed to
at least one serious* vulnerability.
MOST COMMON VULNS
Top 15 Vulnerability Classes (2012)
Percentage likelihood that at least one serious* vulnerability will appear in a website
2011
TOP 7: BY INDUSTRY
OVERALL
Overall Vulnerability Population (2012)
Percentage breakdown of all the serious* vulnerabilities discovered
(Sorted by vulnerability class)
WASC: Web Hacking Incident Database
ATTACKS IN-THE-WILD
http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)
INDUSTRY CORRELATION
POLLING QUESTION
(Please vote now)
What is your #1 driver for resolving vulnerabilities?
POLLING QUESTION
(Please vote now)
When your organization’s website vulnerabilities go
unresolved, what's the #1 reason why?
SDLC SURVEY
SURVEY: BREACH CORRELATION
BREACH CORRELATION
Organizations that provided instructor-led or computer-based software
security training for their programmers had 40% fewer vulnerabilities,
resolved them 59% faster, but exhibited a 12% lower remediation rate.
Organizations with software projects containing an application
library or framework that centralizes and enforces security controls
had 64% more vulnerabilities, resolved them 27% slower, but
demonstrated a 9% higher remediation rate.
Organizations that performed Static Code Analysis on their
website(s) underlying applications had 15% more vulnerabilities,
resolved them 26% slower, and had a 4% lower remediation rate.
Organizations with a Web Application Firewall deployment had 11%
more vulnerabilities, resolved them 8% slower, and had a 7% lower
remediation rate.
Organizations whose website(s) experienced a data or system breach as
a result of an application layer vulnerability had 51% fewer vulnerabilities,
resolved them 18% faster, and had a 4% higher remediation rate.
SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION
ACCOUNTABILITY
SOME LESSONS LEARNED (SO FAR)
• “Best-Practices”: there aren’t any!
• Assign an individual or group that is accountable for website security
• Find your websites – all of them – and prioritize
• Measure your current security posture from an attacker’s perspective
• Trend and track the lifecycle of vulnerabilities
• Fast detection and response
JEREMIAH GROSSMAN
Founder and CTO
Twitter: @jeremiahg
Email: jeremiah@whitehatsec.com
GABRIEL GUMBS
Sr. Solutions Architect
Twitter: @GabrielGumbs
Email: gabriel.gumbs@whitehatsec.com
Thank you!

WhiteHat Security Website Statistics Report [SLIDES] (2013)


Editor's Notes

  1. Not Technology
  2. The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.
  3. Assign an individual or group that is accountable for website security: These individuals or groups may include the board of directors, executive management, security teams, and software developers. They should be commissioned and authorized to establish a culturally consistent incentives program that will help move the organization in a positive direction with respect to security.
     Find your websites – all of them – and prioritize: Prioritization can be based on business criticality, data sensitivity, revenue generation, traffic volume, number of users, or other criteria the organization deems important. Knowing what systems need to be defended and what value they have to the organization provides a barometer for an appropriate level of security investment.
     Measure your current security posture from an attacker’s perspective: This step is not just about identifying vulnerabilities; while that is a byproduct of the exercise, it is about understanding what classes of adversaries you need to defend against and what your current exposure to them is. Just finding vulnerabilities is not enough. Measure your security posture the same way an attacker would before exploiting the system; fixing those vulnerabilities first is what matters.
     Trend and track the lifecycle of vulnerabilities: At a minimum, measure how many vulnerabilities are introduced per production code release, which vulnerability classes are most prevalent, the average number of days it takes to remediate them, and the overall remediation rate. The result provides a way to track the organization’s progress over time and serves as a guide for which of the SDLC-related activities are likely to make the most impact. Anything measured tends to improve.
     Fast detection and response: It has been prudent to operate under the assumption that [all] networks are compromised, especially since everyone is only one zero-day away from a break-in. Borrowing from that frame of reference, application security professionals are well advised to take a similar approach and focus on the impact of that assumption: start by asking the question “If my application is already vulnerable, what action(s) should I begin taking?” If an organization is breached, the real damage happens when the adversary is in the system for days, weeks, or months. If they can be identified and kicked off the system within hours, the business impact of a breach can be minimized.
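The metrics the deck defines (window of exposure on the WINDOW OF EXPOSURE slide, and the class prevalence, time-to-fix and remediation rate named under "Trend and track the lifecycle of vulnerabilities") computed over a constructed vulnerability list, as an added example that is not WhiteHat's code or data. The `Vuln` record layout, the three `.example` sites and their dates are assumptions; the window-of-exposure calculation goes slightly beyond the slide's definition by merging overlapping open windows so a day with several open vulnerabilities is counted once.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Vuln:
    """One serious vulnerability on one site (hypothetical record layout)."""
    site: str
    vuln_class: str           # WASC-style class name
    opened: date              # day it was first detected
    closed: Optional[date]    # day it was verified fixed, None while still open


# Constructed sample data: three fictional sites assessed through 2012.
SAMPLE: List[Vuln] = [
    Vuln("shop.example", "Cross-Site Scripting", date(2012, 1, 10), date(2012, 2, 9)),
    Vuln("shop.example", "SQL Injection", date(2012, 3, 1), date(2012, 3, 11)),
    Vuln("shop.example", "Information Leakage", date(2012, 6, 1), None),
    Vuln("bank.example", "Cross-Site Scripting", date(2012, 2, 1), date(2012, 2, 21)),
    Vuln("bank.example", "Content Spoofing", date(2012, 2, 10), date(2012, 4, 10)),
    Vuln("blog.example", "Cross-Site Scripting", date(2012, 5, 1), date(2012, 5, 31)),
]

YEAR_START = date(2012, 1, 1)
YEAR_END = date(2013, 1, 1)   # exclusive bound of the reporting year


def window_of_exposure(vulns: List[Vuln], site: str,
                       start: date = YEAR_START, end: date = YEAR_END) -> int:
    """Days in [start, end) on which `site` had at least one open serious vuln.
    Each vuln is exposed on the half-open day range [opened, closed); overlapping
    ranges are merged so a day with several open vulns is counted once."""
    ranges = []
    for v in vulns:
        if v.site != site:
            continue
        lo = max(v.opened, start)
        hi = min(v.closed or end, end)   # still-open vulns run to year end
        if lo < hi:
            ranges.append((lo, hi))
    ranges.sort()
    days = 0
    cur_lo = cur_hi = None
    for lo, hi in ranges:
        if cur_hi is not None and lo <= cur_hi:
            cur_hi = max(cur_hi, hi)     # overlaps or touches: extend the window
        else:
            if cur_hi is not None:
                days += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        days += (cur_hi - cur_lo).days
    return days


def avg_window_of_exposure(vulns: List[Vuln]) -> float:
    """Mean window of exposure across all sites in the data set."""
    sites = sorted({v.site for v in vulns})
    return sum(window_of_exposure(vulns, s) for s in sites) / len(sites)


def mean_time_to_fix(vulns: List[Vuln]) -> float:
    """Average days from detection to verified fix, over resolved vulns only."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(fixed) / len(fixed) if fixed else 0.0


def remediation_rate(vulns: List[Vuln]) -> float:
    """Fraction of all serious vulns that were closed (the deck's remediation rate)."""
    return sum(1 for v in vulns if v.closed is not None) / len(vulns) if vulns else 0.0


def class_likelihood(vulns: List[Vuln]) -> Dict[str, float]:
    """Per class, percentage of sites with at least one vuln of that class
    (the 'percentage likelihood' behind the Top 15 chart)."""
    sites = {v.site for v in vulns}
    hit: Dict[str, set] = {}
    for v in vulns:
        hit.setdefault(v.vuln_class, set()).add(v.site)
    return {c: 100.0 * len(s) / len(sites) for c, s in hit.items()}


def class_population(vulns: List[Vuln]) -> Dict[str, float]:
    """Per class, percentage of all discovered vulns (the population breakdown)."""
    counts: Dict[str, int] = {}
    for v in vulns:
        counts[v.vuln_class] = counts.get(v.vuln_class, 0) + 1
    return {c: 100.0 * n / len(vulns) for c, n in counts.items()}


if __name__ == "__main__":
    for s in sorted({v.site for v in SAMPLE}):
        print(f"{s}: exposed {window_of_exposure(SAMPLE, s)} days in 2012")
    print(f"mean window of exposure: {avg_window_of_exposure(SAMPLE):.1f} days")
    print(f"mean time-to-fix: {mean_time_to_fix(SAMPLE):.1f} days")
    print(f"remediation rate: {remediation_rate(SAMPLE):.0%}")
    print("likelihood by class:", class_likelihood(SAMPLE))
    print("population by class:", class_population(SAMPLE))
```

In the sample, bank.example's two overlapping windows give 69 exposed days rather than the 80 a naive sum would report, which is why the merge matters when reporting this metric.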