WhiteHat Security Website Statistics Report [SLIDES] (2013)


Description

WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely. Website security is an ever-moving target: new websites launch constantly, new code is released all the time, and new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. To stay protected, enterprises need timely information about how to defend their websites most efficiently, visibility into the performance of their security programs, and a view of how they compare with their industry peers. These insights are crucial to staying ahead and truly improving enterprise website security. To help, WhiteHat Security has published its Website Security Statistics Report since 2006. It is the only report that focuses exclusively on previously unknown vulnerabilities in custom Web applications (code unique to an organization) as found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes take on average, and how every application security program can measurably improve. The report is organized by industry and is accompanied by WhiteHat Security’s expert analysis and recommendations. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.

Transcript of WhiteHat Security Website Statistics Report [SLIDES] (2013)

  • 1. WHITEHAT SECURITY WEBSITE STATISTICS REPORT (2013)

2. THE COMPANY: WhiteHat Security, Inc. Founded 2001. Headquartered in Santa Clara, CA. Employees: 270+. WhiteHat Sentinel: SaaS end-to-end website risk management platform (static and dynamic analysis). Customers: 650+ (banking, retail, healthcare, etc.). 2013 WhiteHat Security, Inc.

3. POLLING QUESTION (please vote now): How would you characterize yourself?

4. HISTORY: What we knew going into 2012... "Web applications abound in many larger companies, and remain a popular (54% of breaches) and successful (39% of records) attack vector." (Verizon Data Breach Investigations Report, 2012) "SQL injection was the means used to extract 83 percent of the total records stolen in successful hacking-related data breaches from 2005 to 2011." (Privacyrights.org)

5. REASONS: 1) Legacy web code. 2) Budget misallocation. 3) Best-practices.

6. ABOUT THE DATA

7. AT A GLANCE: Average annual number of new serious* vulnerabilities introduced per website. (* Serious vulnerability: a security weakness that, if exploited, may lead to breach or data loss of a system, its data, or its users; PCI-DSS severity HIGH, CRITICAL, or URGENT.)

8. AT A GLANCE: INDUSTRY, 2012 (chart)

9. WINDOW OF EXPOSURE: The average number of days in a year a website is exposed to at least one serious* vulnerability. (chart)

10. MOST COMMON VULNS: Top 15 vulnerability classes (2012). Percentage likelihood that at least one serious* vulnerability of the class will appear in a website, with 2011 for comparison. (chart)

11. TOP 7: BY INDUSTRY (chart)

12. OVERALL: Overall vulnerability population (2012). Percentage breakdown of all the serious* vulnerabilities discovered, sorted by vulnerability class. (chart)

13. ATTACKS IN-THE-WILD: WASC Web Hacking Incident Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database (chart)

14. SURVEY: APPLICATION SECURITY IN THE SDLC (76 ORGANIZATIONS)

15-20. INDUSTRY CORRELATION (charts; slides 16 and 17 cite the WASC Web Hacking Incident Database linked on slide 13)

21. POLLING QUESTION (please vote now): What is your #1 driver for resolving vulnerabilities?

22. INDUSTRY CORRELATION (chart)

23. POLLING QUESTION (please vote now): When your organization's website vulnerabilities go unresolved, what's the #1 reason why?

24-26. INDUSTRY CORRELATION (charts; slide 26 cites the Web Hacking Incident Database)

27-28. SDLC SURVEY (charts; both cite the Web Hacking Incident Database)

29. SURVEY: BREACH CORRELATION

30. BREACH CORRELATION: Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.

31. BREACH CORRELATION: Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.

32. BREACH CORRELATION (chart; cites the Web Hacking Incident Database)

33. BREACH CORRELATION: Organizations that performed static code analysis on their website(s)' underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.

34. BREACH CORRELATION: Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.

35. BREACH CORRELATION (chart; cites the Web Hacking Incident Database)

36. BREACH CORRELATION: Organizations whose website(s) experienced a data or system breach as a result of an application-layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.

37. SURVEY: DRIVERS AND ACCOUNTABILITY CORRELATION

38-43. ACCOUNTABILITY (charts; all cite the Web Hacking Incident Database)

44-45. ACCOUNTABILITY (charts)

46. ACCOUNTABILITY (chart; cites the Web Hacking Incident Database)

47. SOME LESSONS LEARNED (SO FAR)

48. LESSONS: Best-practices: there aren't any! Assign an individual or group that is accountable for website security. Find your websites, all of them, and prioritize. Measure your current security posture from an attacker's perspective. Trend and track the lifecycle of vulnerabilities. Fast detection and response.

49. JEREMIAH GROSSMAN, Founder and CTO. Twitter: @jeremiahg. Email: [email protected] Thank you! GABRIEL GUMBS, Sr. Solutions Architect. Twitter: @GabrielGumbs. Email: [email protected]
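The slides chart three metrics without showing how they are derived: the window of exposure (slide 9), the per-class likelihood that a site carries at least one serious vulnerability (slide 10), and the remediation rate and time-to-fix that the survey slides compare. The Python below is an added example, not WhiteHat's code or data, showing how a team tracking the lifecycle of its own findings (slide 48's lesson) would compute those metrics from a vulnerability ledger. The `Vuln` records, site names, dates and class names are constructed for illustration; the convention that a finding is open from its first report date up to, but not including, the day its fix is confirmed, and the choice to count sites with no serious findings as zero days of exposure, are this example's assumptions rather than the report's stated method.

```python
"""Website-security metrics of the kind the WhiteHat report charts, computed
from a vulnerability ledger.  Added example with constructed data; not
WhiteHat's code or data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Slide 7's definition of "serious": PCI-DSS-style severity HIGH, CRITICAL or URGENT.
SERIOUS = {"HIGH", "CRITICAL", "URGENT"}


@dataclass(frozen=True)
class Vuln:
    site: str
    vuln_class: str            # WASC-style class name, e.g. "SQL Injection"
    severity: str
    opened: date               # assessment date on which the finding was first reported
    closed: Optional[date]     # date a re-test confirmed the fix; None = still open


def _serious(vulns: List[Vuln]) -> List[Vuln]:
    return [v for v in vulns if v.severity in SERIOUS]


def _union_days(intervals: List[Tuple[date, date]]) -> int:
    """Days covered by the union of half-open [start, end) intervals.

    Merging is what makes a day with three open findings count once, not three times.
    """
    total = 0
    cur: Optional[Tuple[date, date]] = None
    for start, end in sorted(intervals):
        if cur is None or start > cur[1]:          # gap: flush the current run
            if cur is not None:
                total += (cur[1] - cur[0]).days
            cur = (start, end)
        elif end > cur[1]:                          # overlap: extend the current run
            cur = (cur[0], end)
    if cur is not None:
        total += (cur[1] - cur[0]).days
    return total


def window_of_exposure(vulns: List[Vuln], year: int) -> Dict[str, int]:
    """Days in `year` on which each site had at least one serious finding open (slide 9).

    Assumed convention: a finding is open from `opened` up to, but not including,
    `closed`; findings opened earlier or still open at year end are clipped to the year.
    """
    lo, hi = date(year, 1, 1), date(year + 1, 1, 1)
    per_site: Dict[str, List[Tuple[date, date]]] = {v.site: [] for v in vulns}
    for v in _serious(vulns):
        start, end = max(v.opened, lo), min(v.closed or hi, hi)
        if start < end:
            per_site[v.site].append((start, end))
    return {site: _union_days(iv) for site, iv in per_site.items()}


def average_window_of_exposure(vulns: List[Vuln], year: int) -> float:
    woe = window_of_exposure(vulns, year)
    return sum(woe.values()) / len(woe) if woe else 0.0


def remediation_rate(vulns: List[Vuln]) -> float:
    """Share of serious findings whose fix has been confirmed."""
    serious = _serious(vulns)
    return sum(v.closed is not None for v in serious) / len(serious) if serious else 0.0


def average_time_to_fix(vulns: List[Vuln]) -> float:
    """Mean days from first report to confirmed fix, over fixed serious findings."""
    fixed = [v for v in _serious(vulns) if v.closed is not None]
    return sum((v.closed - v.opened).days for v in fixed) / len(fixed) if fixed else 0.0


def class_prevalence(vulns: List[Vuln]) -> Dict[str, float]:
    """Share of sites with at least one serious finding per class (slide 10's 'likelihood')."""
    sites = {v.site for v in vulns}
    hit: Dict[str, Set[str]] = {}
    for v in _serious(vulns):
        hit.setdefault(v.vuln_class, set()).add(v.site)
    return {cls: len(s) / len(sites) for cls, s in hit.items()}


# Constructed sample ledger (three sites, one assessment year); not real findings.
SAMPLE: List[Vuln] = [
    Vuln("shop.example", "Cross-Site Scripting", "HIGH", date(2012, 1, 10), date(2012, 2, 9)),
    Vuln("shop.example", "SQL Injection", "CRITICAL", date(2012, 2, 1), date(2012, 3, 1)),   # overlaps the XSS
    Vuln("shop.example", "Information Leakage", "LOW", date(2012, 5, 1), None),             # not serious
    Vuln("shop.example", "Cross-Site Request Forgery", "HIGH", date(2012, 12, 1), None),    # open at year end
    Vuln("bank.example", "Cross-Site Scripting", "URGENT", date(2011, 12, 15), date(2012, 1, 15)),  # carried over
    Vuln("bank.example", "SQL Injection", "CRITICAL", date(2012, 6, 1), date(2012, 6, 11)),
    Vuln("api.example", "Content Spoofing", "MEDIUM", date(2012, 3, 3), date(2012, 3, 10)),  # never serious
]

if __name__ == "__main__":
    print("window of exposure 2012:", window_of_exposure(SAMPLE, 2012))
    print("average window of exposure: %.1f days" % average_window_of_exposure(SAMPLE, 2012))
    print("remediation rate: %.0f%%" % (100 * remediation_rate(SAMPLE)))
    print("average time-to-fix: %.1f days" % average_time_to_fix(SAMPLE))
    print("class prevalence:", class_prevalence(SAMPLE))
```

The interval merge is the part that is easy to get wrong: summing each finding's open days separately would credit shop.example with 90 exposed days in 2012 instead of 82, because its XSS and SQL injection findings overlap for nine days. Filtering on severity before every metric also matters, since the report's figures are for serious findings only; a ledger that mixes in LOW and MEDIUM items will inflate counts and depress the remediation rate relative to the slides.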