![Page 1: WhiteHat Security Website Security Statistics Report, MAY 2013](https://reader036.vdocument.in/reader036/viewer/2022062405/557566ccd8b42a2e248b48d9/html5/thumbnails/1.jpg)
WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)
ME

Jeremiah Grossman
• Founder and CTO of WhiteHat Security
• TED Alumni
• InfoWorld Top 25 CTO
• Co-founder of the WASC
• Co-author: XSS Attacks
• Former Yahoo! Information Security Officer
• Brazilian Jiu-Jitsu Black Belt

Gabriel Gumbs
• Director, Solutions Architecture
• Multi-domain Information Security Professional
• 13 years’ enterprise industry experience
• Avid triathlete

© 2013 WhiteHat Security, Inc.
THE COMPANY

WhiteHat Security, Inc.
• Founded 2001
• Headquartered in Santa Clara, CA
• Employees: 270+
• WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis)
• Customers: 650+ (banking, retail, healthcare, etc.)
HISTORY

What we knew going into 2012...
• “Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector.” –Verizon Data Breach Investigations Report (2012)
• “SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011.” –Privacyrights.org
REASONS
1) LEGACY WEB CODE
2) BUDGET MISALLOCATION
3) “BEST-PRACTICES”
ABOUT THE DATA
AT A GLANCE

Average annual number of new serious* vulnerabilities introduced per website

* Serious Vulnerability: A security weakness that, if exploited, may lead to a breach or to data loss of a system, its data, or its users. (PCI-DSS severity HIGH, CRITICAL, or URGENT)
AT A GLANCE: INDUSTRY (2012)
WINDOW OF EXPOSURE
The average number of days in a year a website is exposed to at least one serious* vulnerability.
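To make the metric concrete, here is an added example (not code from the report) that computes a website's window of exposure from constructed finding records: only PCI-DSS HIGH/CRITICAL/URGENT findings count, each day counts once however many serious findings overlap, and findings that span the year boundary are clipped to the year.

```python
from datetime import date, timedelta

# Severities the report counts as "serious" (PCI-DSS HIGH, CRITICAL, URGENT).
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}
ONE_DAY = timedelta(days=1)


def window_of_exposure(findings, year):
    """Days in `year` on which the site had at least one serious finding open.

    `findings` is an iterable of (severity, opened, closed) tuples; `closed`
    is None for a finding still open. Intervals are half-open: the opening
    day counts, the closing day does not. Overlapping findings count once.
    """
    year_start = date(year, 1, 1)
    after_year = date(year, 12, 31) + ONE_DAY
    exposed = set()  # ordinal day numbers; a set collapses overlaps
    for severity, opened, closed in findings:
        if severity.upper() not in SERIOUS:
            continue  # non-serious findings do not add exposure
        start = max(opened, year_start)
        end = min(closed, after_year) if closed else after_year
        if start < end:
            exposed.update(range(start.toordinal(), end.toordinal()))
    return len(exposed)


def average_window_of_exposure(sites, year):
    """Report-style figure: mean exposed days per website across a fleet."""
    if not sites:
        return 0.0
    return sum(window_of_exposure(f, year) for f in sites.values()) / len(sites)


# Constructed sample data for three hypothetical websites (not report figures).
SAMPLE_SITES = {
    "shop.example": [
        ("CRITICAL", date(2012, 1, 10), date(2012, 1, 30)),  # 20 days
        ("HIGH", date(2012, 1, 20), date(2012, 2, 9)),       # overlaps 10 of them
        ("MEDIUM", date(2012, 3, 1), date(2012, 9, 1)),      # not serious
    ],
    "api.example": [
        ("URGENT", date(2011, 11, 1), None),                 # still open: all of 2012
    ],
    "blog.example": [
        ("HIGH", date(2012, 6, 1), date(2012, 6, 1)),        # fixed the day it opened
    ],
}

if __name__ == "__main__":
    for name, findings in SAMPLE_SITES.items():
        print(f"{name}: {window_of_exposure(findings, 2012)} days exposed in 2012")
    print(f"fleet average: {average_window_of_exposure(SAMPLE_SITES, 2012):.1f} days")
```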
MOST COMMON VULNS
Top 15 Vulnerability Classes (2012)
Percentage likelihood that at least one serious* vulnerability will appear in a website
2011
TOP 7: BY INDUSTRY
OVERALL
Overall Vulnerability Population (2012)
Percentage breakdown of all the serious* vulnerabilities discovered (sorted by vulnerability class)
ATTACKS IN-THE-WILD

WASC: Web Hacking Incident Database
http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)
INDUSTRY CORRELATION
SDLC SURVEY
SURVEY: BREACH CORRELATION
BREACH CORRELATION
Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.
Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.
Organizations that performed Static Code Analysis on their website(s)’ underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.
Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.
Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.
SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION
ACCOUNTABILITY
SOME LESSONS LEARNED (SO FAR)
LESSONS
• “Best-Practices” – there aren’t any!
• Assign an individual or group that is accountable for website security
• Find your websites – all of them – and prioritize
• Measure your current security posture from an attacker’s perspective
• Trend and track the lifecycle of vulnerabilities
• Fast detection and response
Questions & Answers
Thank you!

JEREMIAH GROSSMAN, Founder and CTO
Twitter: @jeremiahg
Email: [email protected]

GABRIEL GUMBS, Director, Solutions Architecture
Twitter: @gabrielgumbs
Email: [email protected]