WhiteHat Security 2014 Stats Report Explained
Presented by: Jeremiah Grossman
Twitter: @jeremiahg
#2014WebStats
Founded in 2001
• 125+ web security experts: the world's largest team of web security experts
• 30,000s of assessments currently running at this moment
• Security leader: Gartner Magic Quadrant
Jeremiah Grossman
Title: iCEO
Info: 15 years in Info Security
Fun fact: Brazilian Jiu-Jitsu Black Belt
What I'll discuss today…
• Overall key findings
• Average vulnerabilities: security posture
• Median days open by vulnerability class
• Vulnerability class by language
• Industry analysis
• Recommendations/takeaways
– How to use this report based on job role
Déjà Vu
• Numerous report conclusions all point to the need for more secure software
– Verizon Data Breach Report
– FireHost "Superfecta" Attack Report
• Cyber insurance claims reaching as high as $20 million, with an average payout of just above $900,000
Big Questions
• Are some programming languages more secure than others?
• What are the prevalent threats per programming language?
• What are the prevalent threats per industry?
About the Data
• 30,000 websites in all different verticals
• Purely from WHS assessing w/ Sentinel
• Because we focused on programming language
Overall Key Findings
Percent of URLs by Language
[Chart: share of assessed URLs by language, for .NET, Java, ASP, PHP, ColdFusion and Perl; x-axis 5% to 50%]
Mean Number of Vulnerabilities in Each Language
.Net: 11 | Java: 11 | ASP: 11 | PHP: 10 | ColdFusion: 7 | Perl: 6
• Risk exposure does not vary widely between languages, as language choice does not affect number of vulnerabilities.
• We will take a look at risk exposure and remediation rates further into the discussion.
Risk Exposure: Average Vulnerabilities
Vulnerabilities Found per Language: What does this mean?
[Chart: vulnerabilities found per language, for .NET, Java, ASP, PHP, ColdFusion and Perl; x-axis 5% to 50%; a larger bar means a more vulnerable language]
Median Days Open by Vulnerability Class
Median Days Open - XSS
• XSS vulnerabilities appear to take a comparable amount of effort to fix regardless of the language.
• Median days open by language
– Perl open for a median of 184 days
– ASP 135
– .Net 126
– PHP 49
Median Days Open - SQLi
• PHP stood out from the pack with the lowest median days open: 6.8
• Median days open by language
– ColdFusion open for a median of 107.4 days
– ASP 97.5
– Java 64.8
– .Net 51.4
– Perl 19.4
• ASP vulnerabilities remain open the longest at 139 days
• ColdFusion has the largest median days open for SQLi at 107
• Languages with the most security controls are taking the longest to remediate. Why?
Rounding Out the Top 5 Vulnerability Classes
Vulnerability Class Percent by Language
Remediation Rates
Remediation Rates by Vulnerability Class
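As an added illustration of the two metrics the deck reports, median days open per vulnerability class and remediation rate, here is a Python computation over a constructed set of findings; this is not WhiteHat's code or data, and the records, dates and report date are all assumptions. One caveat it bakes in: findings still open on the report date are aged to that date rather than dropped, so a language with many unfixed bugs does not get a flattering median.

```python
from datetime import date
from statistics import median
from collections import defaultdict

# Constructed sample findings (not WhiteHat data): one record per vulnerability,
# as a scanner would track it. closed=None means the finding is still open.
REPORT_DATE = date(2014, 5, 1)  # assumed report cut-off date
FINDINGS = [
    # (language, vulnerability class, date opened, date closed or None)
    ("PHP",  "SQLi", date(2014, 3, 1),  date(2014, 3, 8)),
    ("PHP",  "SQLi", date(2014, 3, 10), date(2014, 3, 16)),
    ("PHP",  "XSS",  date(2014, 1, 5),  date(2014, 2, 23)),
    ("PHP",  "XSS",  date(2014, 2, 1),  None),
    ("Perl", "XSS",  date(2013, 9, 1),  date(2014, 3, 4)),
    ("Perl", "XSS",  date(2013, 11, 1), None),
    ("ASP",  "SQLi", date(2013, 12, 1), date(2014, 3, 8)),
    ("ASP",  "XSS",  date(2013, 10, 1), date(2014, 2, 13)),
]

def days_open(opened, closed, as_of=REPORT_DATE):
    """Age of a finding in days; an unresolved finding is aged to the report date."""
    return ((closed or as_of) - opened).days

def median_days_open(findings, as_of=REPORT_DATE):
    """Median days open per (language, class), still-open findings included."""
    buckets = defaultdict(list)
    for lang, cls, opened, closed in findings:
        buckets[(lang, cls)].append(days_open(opened, closed, as_of))
    return {key: median(ages) for key, ages in buckets.items()}

def remediation_rate(findings):
    """Share of findings per class that were closed by the report date."""
    closed_count, total = defaultdict(int), defaultdict(int)
    for _, cls, _, closed in findings:
        total[cls] += 1
        if closed is not None:
            closed_count[cls] += 1
    return {cls: round(closed_count[cls] / total[cls], 2) for cls in total}

if __name__ == "__main__":
    for (lang, cls), days in sorted(median_days_open(FINDINGS).items()):
        print(f"{lang:<5} {cls:<5} median days open: {days}")
    for cls, rate in sorted(remediation_rate(FINDINGS).items()):
        print(f"{cls:<5} remediation rate: {rate:.0%}")
```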
Industry Analysis
Industry Analysis – Banking
[Chart: vulnerability class percent by language (ASP, ColdFusion, .NET, Java, Perl, PHP); x-axis 5% to 70%; callouts: 57% XSS, 44% Info. Leakage, 49% XSS]
Industry Analysis – IT
[Chart: vulnerability class percent by language (ASP, ColdFusion, .NET, Java, Perl, PHP); x-axis 5% to 70%; callouts: 57% XSS, 44% Info. Leakage, 49% XSS]
Industry Analysis – Retail
[Chart: vulnerability class percent by language (ASP, ColdFusion, .NET, Java, Perl, PHP); x-axis 5% to 70%; callouts: 44% Info. Leakage, 57% XSS, 49% XSS]
Industry Analysis – Financial Service
[Chart: vulnerability class percent by language (ASP, ColdFusion, .NET, Java, Perl, PHP); x-axis 5% to 70%; callouts: 49% XSS, 44% Info. Leakage, 57% XSS]
Industry Analysis – Health Care
[Chart: vulnerability class percent by language (ASP, ColdFusion, .NET, Java, Perl, PHP); x-axis 5% to 70%; callouts: 49% XSS, 44% Info. Leakage, 57% XSS]
Recommendations
Language Choice
• Does not matter
– Test
– Test
– Test
– All through the SDLC
• Developer training is also extremely important
Governance
• Security program
– Know all assets & inventory of assets
– Policy enforcement
Risk Based Approach
• What is it?
• Why is it important?
• How do you measure risk?
How to Use This Report
• If you are a
– Developer
– Security Staff
– Security and/or Development Manager
Big Questions…Answered
• Are some programming languages more secure than others?
• What are the prevalent threats per programming language?
• What are the prevalent threats per industry?
Questions
Twitter: @whitehatsec
Email: [email protected]
Join the conversation: #2014WebStats
Phone: 1-408-703-2750