7th Website Security
Statistics Report


Jeremiah Grossman, Founder & Chief Technology Officer
Webinar, 05.19.2009




                                     © 2009 WhiteHat, Inc.
WhiteHat Security
• 200+ enterprise customers
 • Start-ups to Fortune 500

• Flagship offering “WhiteHat Sentinel Service”
 • 1000’s of assessments performed annually

• Recognized leader in website security
 • Quoted hundreds of times by the mainstream press




Web Security #1 Threat
The vast majority of websites possess serious vulnerabilities
“82% of websites have had at least one security issue, with 63 percent still having
issues of high, critical or urgent severity.” (WhiteHat Security, 2008)

Malicious website breaches are occurring in record numbers
“70% of the top 100 most popular Web sites either hosted malicious content or
contained a masked redirect to lure unsuspecting victims from legitimate sites to
malicious sites.” (Websense, 2009)

PCI DSS Requirement 6.6 mandates application security
“Ensure that web-facing applications are protected against known attacks by applying either
of the following methods. A) Having all custom application code reviewed for common
vulnerabilities by an organization that specializes in application security.

Federal Trade Commission Fines and Investigations
Over the last three years, the FTC has settled with fourteen businesses over
alleged inadequate data security practices concerning how such businesses
protect consumers' personal information.



WhiteHat Security - Website Risk Management
• WhiteHat Sentinel Service
  • Unlimited website vulnerability assessment
• SaaS-based, annual subscription model
  • Combination of proprietary scanning technology and expert operations team
• 200+ enterprise customers
  • 1000’s of assessments performed annually from start-ups to Fortune 500




Sentinel PE - Configured assessment delivery including comprehensive manual testing for business
logic issues. For high-risk websites that hold sensitive data and perform critical business functions.
Sentinel SE - Configured assessment delivery with verified vulnerability reporting – designed for
medium-risk websites with complex functionality requiring extensive configuration.
Sentinel BE - Self-service, automated assessment delivery with verified vulnerability reporting –
designed for smaller, less complex, lower-risk websites.




WASC 24 (+2)* Classes of Attacks

Business Logic: Humans Required
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation

Technical: Automation Can Identify
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*



Data Set
• Collection duration: January 1, 2006 to March 31, 2009
• Total websites: 1,031
• Identified vulnerabilities (custom web applications): 17,888
• Assessment frequency: ~Weekly
• Vulnerability classes: WASC Threat Classification
• Severity naming convention: PCI-DSS


Key Findings
• Unresolved vulnerabilities: 7,157 (60% resolution rate)
• Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
• Lifetime average number of vulnerabilities per website: 17
• Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
• Current average of unresolved vulnerabilities per website: 7


[Chart: Percentage likelihood of a website having a vulnerability by severity: URGENT, CRITICAL, HIGH]

WhiteHat Security Top Ten

Percentage likelihood of a website having a vulnerability by class (chart; classes in rank order):
1) Cross-Site Scripting
2) Information Leakage
3) Content Spoofing
4) Insufficient Authorization
5) SQL Injection
6) Predictable Resource Location
7) Session Fixation
8) Cross-Site Request Forgery
9) Insufficient Authentication
10) HTTP Response Splitting

• Average number of inputs per website: 227
• Average ratio of vulnerability count / number of inputs: 2.58%


Overall Vulnerability Population

URL Extension   % of websites   % of vulnerabilities
unknown         59%             40%
asp             24%             25%
aspx            23%             9%
xml             10%             2%
jsp             9%              8%
do              7%              3%
php             6%              3%
html            4%              2%
old             4%              1%
dll             4%              1%
cfm             3%              4%




Industry Vertical Analysis

[Chart: Percentage likelihood of a website having at least one HIGH, CRITICAL, or URGENT issue by industry vertical. Series: Current, Historical, Decrease. Verticals: Retail, Financial Services, IT, Healthcare, Pharmaceutical, Telecom, Insurance, Social Networking]



Top 5 vulnerabilities by industry vertical. Percentage likelihood of a website having at
least one HIGH, CRITICAL, or URGENT issue by class

[Charts: one panel per vertical, each comparing Historical and Current: Retail, Financial Services, IT, Healthcare, Pharmaceutical, Telecom, Insurance, Social Networking]

Time-to-Fix (Days) - WhiteHat Top Ten

[Chart: time-to-fix in days, one bar per class: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting]

Best-case scenario: not all vulnerabilities have been fixed...




Resolution rate - Top 5 by Severity
Class of Attack                 % resolved   Severity
Cross-Site Scripting            20%          urgent
Insufficient Authorization      19%          urgent
SQL Injection                   30%          urgent
HTTP Response Splitting         75%          urgent
Directory Traversal             53%          urgent
Insufficient Authentication     38%          critical
Cross-Site Scripting            39%          critical
Abuse of Functionality          28%          critical
Cross-Site Request Forgery      45%          critical
Session Fixation                21%          critical
Brute Force                     11%          high
Content Spoofing                25%          high
HTTP Response Splitting         30%          high
Information Leakage             29%          high
Predictable Resource Location   26%          high


The Long Tail of Website Vulnerability Testing
[Chart 1: Vulnerable Websites (0 to 400) against Vulnerability Checks]
[Chart 2: Verified Vulnerabilities (0 to 3,000) against Vulnerability Checks]

Threat Capabilities

Threats / Attackers, with the capabilities each level of attacker brings to bear:

Fully Targeted
Example: ‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. Geeks.com, Guess, Petco, CardSystems, USC, etc.
Capabilities:
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize Business Logic Flaw Exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks

Directed Opportunistic
Example: Cyber criminals use XSS vulnerabilities to create very convincing phishing scams that appear on the real website as opposed to a fake. JavaScript malware steals victims' session cookies and passwords. Y! Mail, PayPal, SunTrust, Italian banks, etc.
Capabilities:
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (Phishing)

Random Opportunistic
Example: With Mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use that capability to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”
Capabilities:
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced Filter Evasion Techniques
• Generic exploits
Operationalizing Website Security
1) Where do I start?
Locate the websites you are responsible for

2) What do I do next?
Rank websites based upon business criticality

3) What should I be concerned about first?
Random Opportunistic, Directed Opportunistic, Fully Targeted

4) What is our current security posture?
Vulnerability assessments, pen-tests, traffic monitoring

5) How best to improve our survivability?
SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc.

Balancing Risk against Resources: what is your organization's tolerance for risk (per website)?




Website Risk Management Infrastructure




Thank You!
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com

WhiteHat Security
http://www.whitehatsec.com/





WhiteHat Security "Website Security Statistics Report" (Q1'09)