whitehat security 2014 statistics report explained
DESCRIPTION
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites? By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
TRANSCRIPT
WhiteHat Security 2014 Stats Report Explained
Presented by: Jeremiah Grossman
Twitter: @jeremiahg
#2014WebStats
Founded in 2001
• 125+ web security experts (world’s largest team of security experts)
• 30,000+ assessments currently running at this moment
• Security leader: Gartner Magic Quadrant
Jeremiah Grossman
Title: iCEO
Info: 15 years in Info Security
Fun fact: Brazilian Jiu-Jitsu Black Belt
What I’ll discuss today…
• Overall key findings
• Average vulnerabilities: security posture
• Median days open by vulnerability class
• Vulnerability class by language
• Industry analysis
• Recommendations/takeaways
– How to use this report based on job role
Déjà Vu
• Numerous report conclusions all point to the need for more secure software
– Verizon Data Breach Report
– FireHost “Superfecta” Attack Report
• Cyber insurance claims reaching as high as $20 million, with an average payout of just above $900,000
Big Questions
• Are some programming languages more secure than others?
• What are the prevalent threats per programming language?
• What are the prevalent threats per industry?
About the Data
• 30,000 websites in all different verticals
• Purely from WhiteHat Security assessing with Sentinel
• Because we focused on programming language
Overall Key Findings
[Chart: Percent of URLs by Language; languages shown: .NET, Java, ASP, PHP, ColdFusion, Perl]
Mean Number of Vulnerabilities in Each Language
.Net: 11, Java: 11, ASP: 11, PHP: 10, ColdFusion: 7, Perl: 6
• Risk exposure does not vary widely between languages, as language choice does not affect number of vulnerabilities.
• We will take a look at risk exposure and remediation rates further into the discussion.
Risk exposure
Average vulnerabilities
Vulnerabilities Found per Language. What does this mean?
[Chart: vulnerabilities found per language; languages shown: .NET, Java, ASP, PHP, ColdFusion, Perl]
(*Larger share of URLs, consequently more vulnerabilities found)
Median Days Open by Vulnerability Class
Median Days Open - XSS
• XSS vulnerabilities appear to take a similar amount of effort to fix regardless of the language.
• Median days open by language
– Perl open for a median of 184 days
– ASP 135
– .Net 126
– PHP 49
Median Days Open - SQLi
• PHP stood out from the pack with the lowest median days open, 6.8
• Median days open by language
– ColdFusion open for a median of 107.4 days
– ASP 97.5
– Java 64.8
– .Net 51.4
– Perl 19.4
• ASP vulnerabilities remain open the longest at 139 days
• ColdFusion has the largest days open for SQLi at 107
• Languages with the most security controls are taking the longest to remediate. Why?
Rounding Out the Top 5
Vulnerability Classes
Vulnerabilities Percent Class by Language
Remediation Rates
Remediation Rates by Vulnerability Class
Industry Analysis
Industry Analysis - Banking
[Chart: vulnerability class percentages by language (ASP, ColdFusion, .NET, Java, Perl, PHP); labels visible: 57% XSS, 44% Info. Leakage, 49% XSS]
Industry Analysis – IT
[Chart: vulnerability class percentages by language (ASP, ColdFusion, .NET, Java, Perl, PHP); labels visible: 57% XSS, 44% Info. Leakage, 49% XSS]
Industry Analysis – Retail
[Chart: vulnerability class percentages by language (ASP, ColdFusion, .NET, Java, Perl, PHP); labels visible: 44% Info. Leakage, 57% XSS, 49% XSS]
Industry Analysis – Financial Services
[Chart: vulnerability class percentages by language (ASP, ColdFusion, .NET, Java, Perl, PHP); labels visible: 49% XSS, 44% Info. Leakage, 57% XSS]
Industry Analysis – Health Care
[Chart: vulnerability class percentages by language (ASP, ColdFusion, .NET, Java, Perl, PHP); labels visible: 49% XSS, 44% Info. Leakage, 57% XSS]
Recommendations
Language Choice
• Does not matter
– Test
– Test
– Test
– All through the SDLC
• Developer training is also extremely important
Governance
• Security program
– Know all assets & maintain an inventory of assets
– Policy enforcement
Risk Based Approach
• What is it?
• Why is it important?
• How do you measure risk?
How to Use This Report
• If you are a
– Developer
– Security Staff
– Security and/or Development Manager
Big Questions…Answered
• Are some programming languages more secure than others?
• What are the prevalent threats per programming language?
• What are the prevalent threats per industry?
Questions
Twitter: @whitehatsec
Email: [email protected]
Join the conversation: #2014WebStats
Phone: 1-408-703-2750