WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)

THE COMPANY
WhiteHat Security, Inc.
• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 270+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 650+ (banking, retail, healthcare, etc.)
© 2013 WhiteHat Security, Inc.
POLLING QUESTION (Please vote now)
How would you characterize yourself?
HISTORY
What we knew going in to 2012...
• “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” –Verizon Data Breach Investigations Report (2012)
• “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” –Privacyrights.org

REASONS:
1) LEGACY WEB CODE
2) BUDGET MISALLOCATION
3) “BEST-PRACTICES”
ABOUT THE DATA

AT A GLANCE
Average annual amount of new serious* vulnerabilities introduced per website
* Serious Vulnerability: A security weakness that, if exploited, may lead to breach or data loss of a system, its data, or its users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)

AT A GLANCE: INDUSTRY (2012)

WINDOW OF EXPOSURE
The average number of days in a year a website is exposed to at least one serious* vulnerability.
MOST COMMON VULNS
Top 15 Vulnerability Classes (2012)
Percentage likelihood that at least one serious* vulnerability will appear in a website
[chart; legend label: 2011]

TOP 7: BY INDUSTRY
[chart]

OVERALL
Overall Vulnerability Population (2012)
Percentage breakdown of all the serious* vulnerabilities discovered (sorted by vulnerability class)

ATTACKS IN-THE-WILD
WASC: Web Hacking Incident Database
http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database

SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)
INDUSTRY CORRELATION
[chart slides; attack data sourced from the WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database]

POLLING QUESTION (Please vote now)
What is your #1 driver for resolving vulnerabilities?

POLLING QUESTION (Please vote now)
When your organization’s website vulnerabilities go unresolved, what's the #1 reason why?

SDLC SURVEY
[chart slides; attack data sourced from the WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database]
SURVEY: BREACH CORRELATION

BREACH CORRELATION
• Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
• Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
• Organizations that performed Static Code Analysis on their websites’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
• Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
• Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
[chart slides; attack data sourced from the WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database]

SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION
ACCOUNTABILITY
[chart slides; attack data sourced from the WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database]
SOME LESSONS LEARNED (SO FAR)

LESSONS
• “Best-Practices”: there aren’t any!
• Assign an individual or group that is accountable for website security
• Find your websites – all of them – and prioritize
• Measure your current security posture from an attacker’s perspective
• Trend and track the lifecycle of vulnerabilities
• Fast detection and response

Thank you!

JEREMIAH GROSSMAN
Founder and CTO
Twitter: @jeremiahg
Email: jeremiah@whitehatsec.com

GABRIEL GUMBS
Sr. Solutions Architect
Twitter: @GabrielGumbs
Email: gabriel.gumbs@whitehatsec.com

WhiteHat Security Website Statistics Report [SLIDES] (2013)


SPEAKER NOTES

1. Not technology.
2. The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.
3. The lessons, expanded:
   • Assign an individual or group that is accountable for website security: These individuals or groups may include the board of directors, executive management, security teams, and software developers. They should be commissioned and authorized to establish a culturally consistent incentives program that will help move the organization in a positive direction with respect to security.
   • Find your websites – all of them – and prioritize: Prioritization can be based on business criticality, data sensitivity, revenue generation, traffic volume, number of users, or other criteria the organization deems important. Knowing what systems need to be defended and what value they have to the organization provides a barometer for an appropriate level of security investment.
   • Measure your current security posture from an attacker’s perspective: This step is not just about identifying vulnerabilities; while that is a byproduct of the exercise, it is about understanding what classes of adversaries you need to defend against and what your current exposure to them is. Just finding vulnerabilities is not enough. Measure your security posture the same way an adversary would before exploiting the system; fixing the vulnerabilities they would reach first is what matters.
   • Trend and track the lifecycle of vulnerabilities: At a minimum, measure how many vulnerabilities are introduced per production code release, which vulnerability classes are most prevalent, the average number of days it takes to remediate them, and the overall remediation rate. The result provides a way to track the organization’s progress over time and serves as a guide to which SDLC-related activities are likely to have the most impact. Anything measured tends to improve.
   • Fast detection and response: It has been prudent to operate under the assumption that all networks are compromised, especially since everyone is only one zero-day away from a break-in. Borrowing from that frame of reference, application security professionals are well advised to take a similar approach and focus on the consequences of that assumption: start by asking “If my application is already vulnerable, what action(s) should I begin taking?” If an organization is breached, the real damage happens when the adversary is in the system for days, weeks, or months. If they can be identified and removed from the system within hours, the business impact of a breach can be minimized.
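The "window of exposure" defined on the WINDOW OF EXPOSURE slide and the lifecycle measurements listed under "Trend and track the lifecycle of vulnerabilities" (most prevalent classes, average days to remediate, overall remediation rate) can all be derived from a vulnerability tracker's open/close records. The Python below is an added example written for this page; it is not WhiteHat Sentinel code, and the site names, classes and dates are constructed. It assumes every record is a serious finding, counts a finding as exposing its site on every calendar day from discovery through closure inclusive (a still-open finding counts through 31 December), and merges overlapping open periods so that two concurrent findings do not double count a day.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records: (site, vulnerability class, opened, closed or None).
# Every record is assumed to be a "serious" finding; a None close date means still open.
SAMPLE_VULNS = [
    ("shop.example",   "Cross-Site Scripting", date(2012, 1, 10),  date(2012, 2, 9)),
    ("shop.example",   "SQL Injection",        date(2012, 3, 1),   date(2012, 3, 4)),
    ("shop.example",   "Information Leakage",  date(2012, 6, 15),  None),
    ("bank.example",   "Cross-Site Scripting", date(2011, 12, 20), date(2012, 1, 5)),
    ("bank.example",   "Content Spoofing",     date(2012, 5, 1),   date(2012, 5, 31)),
    ("bank.example",   "SQL Injection",        date(2012, 5, 20),  date(2012, 6, 10)),
    ("portal.example", "Cross-Site Scripting", date(2012, 8, 1),   date(2012, 8, 1)),
    ("portal.example", "SQL Injection",        date(2011, 3, 1),   date(2011, 3, 15)),
]


def days_exposed(vulns, year):
    """Days in `year` on which at least one of `vulns` was open.

    Each finding is clipped to the calendar year and counted inclusively from
    its open date to its close date (or 31 Dec if still open). Overlapping or
    abutting periods are merged so concurrent findings count each day once.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    periods = []
    for _site, _cls, opened, closed in vulns:
        lo = max(opened, start)
        hi = min(closed or end, end)
        if lo <= hi:                       # skip findings entirely outside the year
            periods.append((lo, hi))
    periods.sort()
    total = 0
    cur_lo = cur_hi = None
    for lo, hi in periods:
        if cur_hi is not None and lo <= cur_hi + timedelta(days=1):
            cur_hi = max(cur_hi, hi)       # overlaps or abuts: extend the current period
        else:
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days + 1
            cur_lo, cur_hi = lo, hi
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days + 1
    return total


def by_site(vulns):
    grouped = defaultdict(list)
    for v in vulns:
        grouped[v[0]].append(v)
    return grouped


def window_of_exposure(vulns, year):
    """Average of days_exposed over all sites: the deck's window of exposure."""
    groups = by_site(vulns)
    if not groups:
        return 0.0
    return sum(days_exposed(vs, year) for vs in groups.values()) / len(groups)


def remediation_rate(vulns):
    """Fraction of findings that have been closed."""
    if not vulns:
        return 0.0
    return sum(1 for *_, closed in vulns if closed is not None) / len(vulns)


def average_time_to_fix(vulns):
    """Mean calendar days from discovery to closure over closed findings."""
    spans = [(closed - opened).days for _, _, opened, closed in vulns if closed is not None]
    return sum(spans) / len(spans) if spans else 0.0


def class_likelihood(vulns):
    """Percentage of sites with at least one finding of each class
    (the deck's 'likelihood that a class appears in a website')."""
    sites = {site for site, *_ in vulns}
    hit = defaultdict(set)
    for site, cls, _, _ in vulns:
        hit[cls].add(site)
    return {cls: 100.0 * len(s) / len(sites) for cls, s in hit.items()}


if __name__ == "__main__":
    print("window of exposure 2012:", window_of_exposure(SAMPLE_VULNS, 2012), "days")
    print("remediation rate:", round(remediation_rate(SAMPLE_VULNS), 3))
    print("average days to fix:", round(average_time_to_fix(SAMPLE_VULNS), 1))
    for cls, pct in sorted(class_likelihood(SAMPLE_VULNS).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {cls}")
```

The interval merge in `days_exposed` is the part that matters for the window-of-exposure figure: a site with three findings open at once is exposed for one period, not three, so summing per-finding durations would overstate exposure. Note also that the deck's "remediation rate" and "time to fix" pull in opposite directions, which is why the breach-correlation slides report them separately; a team that closes only the easy findings quickly can show a fast time-to-fix and a low remediation rate at the same time.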