Where Flow Charts Don’t Go: An Examination of Web Application Security Process Management
© 2015 WhiteHat Security, Inc.
Jeremiah Grossman
Founder
WhiteHat Security, Inc.
Twitter: @jeremiahg
Jeremiah Grossman
15 years of Application Security
Brazilian Jiu-Jitsu Black Belt

WhiteHat Security
We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed before the bad guys exploit them.
Founded: 2001
Headquarters: Santa Clara, CA
Employees: 300+
Metric Definitions
Average Time to Fix: Average # of days to fix a vulnerability.
Remediation Rate: # of closed vulnerabilities divided by # of open vulnerabilities.
Days Open: Average # of days a vulnerability has been open.
Vulnerability Class Likelihood: # of sites that have at least one open vulnerability in a given class over the total number of active sites.
Window of Exposure: # of days a site had at least one serious vulnerability open over the analysis period.
Serious Vulnerability: Vulnerability with a severity of 3 or greater as defined by WhiteHat’s Vulnerability Classification System.
Vulnerability Likelihood and Windows of Exposure

Vulnerability Likelihood
• Likelihood of Insufficient Transport Layer Protection has increased in recent years (70% likelihood in 2014)
• Content Spoofing, XSS and Fingerprinting have declined in recent years
  – Content Spoofing (38% in 2010 to 26% in 2014)
  – Cross-site scripting (55% in 2010 to 47% in 2014)
  – Fingerprinting (23% in 2012 to 5% in 2014)
Vulnerability Likelihood
• A large % of websites are always vulnerable
• 60% of all Retail websites are always vulnerable
• 52% of all Healthcare and Social Assistance sites are always vulnerable
• 38% of all Information Technology websites are always vulnerable
• 39% of all Finance and Insurance websites are always vulnerable
Chart: Windows of Exposure Analysis, share of sites per exposure band by industry (Finance and Insurance; Health Care and Social Assistance; Information; Retail Trade).
Legend:
Rarely Vulnerable: 30 days or less a year
Occasionally Vulnerable: 31-150 days a year
Regularly Vulnerable: 151-270 days a year
Frequently Vulnerable: 271-364 days a year
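The metrics from the Metric Definitions slide and the exposure bands from the legend above, computed over a small constructed data set; this is an added example, not WhiteHat's code or Sentinel data. The site names, vulnerability classes and dates are made up, the half-open "open until the close date" convention is an assumption, and the 365-day "Always Vulnerable" bucket is taken from the "always vulnerable" bullets rather than from the legend, which stops at 364 days.

```python
"""Metrics from the Metric Definitions slide and the Windows of Exposure legend,
computed over a constructed sample (assumed data, not WhiteHat Sentinel data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Sequence

SERIOUS_SEVERITY = 3  # "Serious Vulnerability": severity of 3 or greater

@dataclass(frozen=True)
class Vuln:
    site: str
    vuln_class: str
    severity: int
    opened: date
    closed: Optional[date]  # None while the finding is still open

def is_open_on(v: Vuln, day: date) -> bool:
    """Open from the opened date up to, but not including, the closed date (assumed convention)."""
    return v.opened <= day and (v.closed is None or day < v.closed)

def average_time_to_fix(vulns: Iterable[Vuln]) -> float:
    """Average # of days to fix a vulnerability, over the findings that were closed."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return sum(fixed) / len(fixed) if fixed else 0.0

def remediation_rate(vulns: Iterable[Vuln]) -> float:
    """# of closed vulnerabilities divided by # of open vulnerabilities (the slide's definition)."""
    vulns = list(vulns)
    closed = sum(1 for v in vulns if v.closed is not None)
    still_open = len(vulns) - closed
    return closed / still_open if still_open else float("inf")  # nothing left open

def average_days_open(vulns: Iterable[Vuln], as_of: date) -> float:
    """Average # of days the still-open vulnerabilities have been open, as of a given day."""
    ages = [(as_of - v.opened).days for v in vulns if is_open_on(v, as_of)]
    return sum(ages) / len(ages) if ages else 0.0

def class_likelihood(vulns: Iterable[Vuln], vuln_class: str,
                     active_sites: Sequence[str], as_of: date) -> float:
    """# of active sites with at least one open vulnerability in the class / # of active sites."""
    affected = {v.site for v in vulns if v.vuln_class == vuln_class
                and v.site in active_sites and is_open_on(v, as_of)}
    return len(affected) / len(active_sites)

def window_of_exposure(vulns: Iterable[Vuln], site: str, start: date, end: date) -> int:
    """# of days in [start, end] on which the site had at least one serious vulnerability open."""
    serious = [v for v in vulns if v.site == site and v.severity >= SERIOUS_SEVERITY]
    days, day = 0, start
    while day <= end:
        if any(is_open_on(v, day) for v in serious):
            days += 1
        day += timedelta(days=1)
    return days

def exposure_band(days: int) -> str:
    """Bands from the Windows of Exposure legend (days a year). The 365-day 'Always Vulnerable'
    bucket is assumed from the 'always vulnerable' bullets; the legend itself stops at 364."""
    if days >= 365:
        return "Always Vulnerable"
    if days >= 271:
        return "Frequently Vulnerable"
    if days >= 151:
        return "Regularly Vulnerable"
    if days >= 31:
        return "Occasionally Vulnerable"
    return "Rarely Vulnerable"

# Constructed sample: three active sites and one year of findings (made-up data).
PERIOD_START, PERIOD_END = date(2014, 1, 1), date(2014, 12, 31)
ACTIVE_SITES = ("shop.example", "portal.example", "api.example")
SAMPLE = [
    Vuln("shop.example", "Cross-Site Scripting", 3, date(2014, 1, 1), None),  # serious, open all year
    Vuln("shop.example", "Content Spoofing", 2, date(2014, 3, 1), date(2014, 4, 20)),  # fixed in 50 days
    Vuln("portal.example", "SQL Injection", 5, date(2014, 2, 1), date(2014, 3, 3)),  # fixed in 30 days
    Vuln("portal.example", "Cross-Site Scripting", 3, date(2014, 6, 1), date(2014, 9, 9)),  # 100 days
    Vuln("portal.example", "Fingerprinting", 1, date(2014, 10, 1), None),  # not serious, still open
    Vuln("api.example", "Insufficient Transport Layer Protection", 3, date(2014, 11, 1), None),
    Vuln("api.example", "Cross-Site Scripting", 3, date(2014, 12, 1), None),
]

def summary(vulns=SAMPLE, sites=ACTIVE_SITES, start=PERIOD_START, end=PERIOD_END) -> dict:
    """The five slide metrics plus the 'always vulnerable' share, as of the period end."""
    exposure = {s: window_of_exposure(vulns, s, start, end) for s in sites}
    bands = {s: exposure_band(d) for s, d in exposure.items()}
    always = sum(1 for b in bands.values() if b == "Always Vulnerable")
    return {
        "avg_time_to_fix_days": average_time_to_fix(vulns),
        "remediation_rate": remediation_rate(vulns),
        "avg_days_open": average_days_open(vulns, end),
        "xss_likelihood": class_likelihood(vulns, "Cross-Site Scripting", sites, end),
        "exposure_days": exposure,
        "exposure_bands": bands,
        "always_vulnerable_share": always / len(sites),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

On the sample, one of the three sites lands in the Always Vulnerable bucket, which is the share the industry bullets above report per sector.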
Maturity Metrics Analysis
• The analysis is based on 118 responses to a survey sent to security professionals to measure the maturity of application security programs at various organizations.
• The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
Sentinel Customer Survey Overview
Active Customers: ~700
Fortune 500: 63
Commercial Banks: 7 of the Top 18
Largest Banks: 10 of the Top 50
Software: 6 of the Top 16
Consumer Financial Services: 4 of the Top 8
• 24% of the survey respondents have experienced a data or system breach.
• Those who have experienced a data or system breach have a higher average # of open vulnerabilities than those who haven’t experienced a breach (20 vs. 26).
• Those who have experienced a breach have a lower remediation rate than those who haven’t experienced a breach (42% vs. 39%).
Have organizations' website(s) experienced a data or system breach resulting from an app layer vulnerability?

Industry                             No     Yes
All                                  76%    24%
Finance and Insurance                83%    17%
Information                          80%    20%
Retail Trade                         50%    50%
Health Care and Social Assistance     0%   100%
• 56% of all respondents did not have any part of the organization held accountable in case of a data or system breach.
If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
Chart: % of respondents by part of the organization held accountable; values shown: 9%, 29%, 28%, 30%.
If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?

Accountable part of the organization   Avg # of vulns open   Avg time open (days)   Avg time to fix (days)   Remediation rate
Board of Directors                     10                    386                    129                      44%
Executive Management                   10                    364                    119                      43%
Software Development                   17                    341                    108                      37%
Security Department                    25                    299                    114                      43%
• 15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities
• 6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities
• 35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities
• 19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities
• 25% of the respondents cite other reasons for resolving website vulnerabilities
Please rank your organization’s drivers for resolving website vulnerabilities. 1 lowest priority, 5 highest.
Chart: primary driver for resolving website vulnerabilities (% of respondents): Compliance 15%, Corporate Policy 6%, Risk Reduction 35%, Customer or Partner Demand 19%, Other 25%.
Please rank your organization’s drivers for resolving website vulnerabilities. 1 the lowest priority, 5 the highest.

Primary reason for resolving website vulnerabilities   Avg # of vulnerabilities   Avg time open (days)   Avg time to fix (days)   Avg remediation rate
Compliance                                             14                         266                    132                      55%
Corporate Policy                                       21                         290                     86                      21%
Risk Reduction                                         28                         283                     78                      40%
Customer or Partner Demand                             28                         525                    163                      50%
Other                                                  10                         355                    150                      33%
• % of respondents for frequency of automatic static analysis:
  • Daily: 13%
  • With each major release: 32%
  • Never: 13%
• # of open vulns for frequency of automatic static analysis:
  • Daily: 6
  • With each major release: 32
  • Never: 17
How frequently do you perform automated static analysis during the code review process?
Chart: frequency of automated static analysis by industry (Finance and Insurance; Information; Retail Trade; Health Care and Social Assistance; All), % of respondents per answer (Daily, Monthly, Never, Other (please specify), Planned).
Chart: # of open vulns at different frequencies of automated static analysis (Daily, Monthly, Never, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Avg time open for frequency of automatic static analysis:
  • Daily: 369 days
  • Each major release: 273 days
  • Never: 394 days
• Remediation rate for frequency of automatic static analysis:
  • Daily: 39%
  • Each major release: 38%
  • Never: 45%
How frequently do you perform automated static analysis during the code review process?
Chart: Average Time Open at different frequencies of Automated Static Analysis (Daily, Monthly, Never, Other (please specify), Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
Chart: Average remediation rate at different frequencies of Automated Static Analysis (same frequencies), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Time to fix for frequency of automatic static analysis:
  • Daily: 74 days
  • Each major release: 117 days
  • Never: 125 days
How frequently do you perform automated static analysis during the code review process?
Chart: Average Time to fix at different frequencies of Automated Static Analysis (Daily, Monthly, Never, Other (please specify), Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• % of respondents for frequency of adversarial testing:
  Each major release: 32%
  Quarterly: 11%
  Never: 21%
• # of open vulns for frequency of adversarial testing:
  Each major release: 15
  Quarterly: 14
  Never: 34
How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: what happens when you enter the wrong password over and over?
Chart: Frequency of Adversarial Testing by Industry (Finance and Insurance; Information; Retail Trade; Health Care and Social Assistance; All), % of respondents per answer (Daily, Monthly, Never, Other (please specify), Planned, Quarterly).
Chart: Average # of vulns at different frequencies of adversarial testing (Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Avg time open for frequency of adversarial testing:
  Each major release: 322 days
  Quarterly: 375 days
  Never: 254 days
• Remediation rate for frequency of adversarial testing:
  Each major release: 41%
  Quarterly: 40%
  Never: 25%
How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: what happens when you enter the wrong password over and over?
Chart: Average Time Open at different frequencies of adversarial testing (Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information).
Chart: Average remediation rate at different frequencies of adversarial testing (same frequencies), by industry (All; Health Care and Social Assistance; Retail Trade; Information).
• Time to fix for frequency of adversarial testing:
  Each major release: 124 days
  Quarterly: 85 days
  Never: 102 days
How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: what happens when you enter the wrong password over and over?
Chart: Average Time to fix at different frequencies of adversarial testing (Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• % of respondents for frequency of pen-testing:
  Annually: 21%
  Quarterly: 26%
  Never: 26%
• # of open vulns for frequency of pen-testing:
  Annually: 12
  Quarterly: 40
  Never: 25
How frequently do you use external penetration testers to find problems?
Chart: Frequency of Penetration Testing by Industry (Finance and Insurance; Information; Retail Trade; Health Care and Social Assistance; All), % of respondents per answer (Annually, Daily, Monthly, Never, Other (please specify), Planned).
Chart: Average # of vulns at different frequencies of penetration testing (Annually, Daily, Monthly, Never, Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Avg time open for frequency of penetration testing:
  Annually: 282 days
  Quarterly: 273 days
  Never: 393 days
• Remediation rate for frequency of penetration testing:
  Annually: 49%
  Quarterly: 44%
  Never: 34%
How frequently do you use external penetration testers to find problems?
Chart: Average Time Open at different frequencies of penetration testing (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly), by industry (Grand Total; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
Chart: Average remediation rate at different frequencies of penetration testing (Annually, Monthly, Other (please specify), Quarterly, With each release or major update), by industry (Grand Total; Health Care and Social Assistance; Retail Trade; Information).
• Time to fix for frequency of penetration testing:
  Annually: 140 days
  Quarterly: 102 days
  Never: 128 days
How frequently do you use external penetration testers to find problems?
Chart: Average Time to fix at different frequencies of penetration testing (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (Grand Total; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• % of respondents for frequency of operations monitoring feedback:
  Daily: 17%
  With each major release: 17%
  Never: 9%
• # of open vulns for frequency of operations monitoring feedback:
  Daily: 40
  With each major release: 23
  Never: 10
How often does your organization feed defects identified through operations monitoring back to development and use them to change developer behavior?
Chart: Frequency of Operations Monitoring Feedback by Industry (Finance and Insurance; Information; Retail Trade; Health Care and Social Assistance; All), % of respondents per answer (Annually, Daily, Monthly, Never).
Chart: Average # of vulns at different frequencies of Operations Monitoring Feedback (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Avg time open for frequency of operations monitoring feedback:
  Daily: 270 days
  With each major release: 353 days
  Never: 243 days
• Remediation rate for frequency of operations monitoring feedback:
  Daily: 32%
  With each major release: 48%
  Never: 34%
How often does your organization feed defects identified through operations monitoring back to development and use them to change developer behavior?
Chart: Average Time Open at different frequencies of Operations Monitoring Feedback (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
Chart: Average remediation rate at different frequencies of Operations Monitoring Feedback (Annually, Monthly, Other (please specify), Quarterly, With each release or major update), by industry (Health Care and Social Assistance; Retail Trade; Information).
• Time to fix for frequency of operations monitoring feedback:
  Daily: 76 days
  With each major release: 198 days
  Never: 91 days
How often does your organization feed defects identified through operations monitoring back to development and use them to change developer behavior?
Chart: Average Time to fix at different frequencies of Operations Monitoring Feedback (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• % of respondents for frequency of ad hoc code reviews:
  Never: 21%
  Planned: 15%
  With each major release: 15%
• # of open vulns for frequency of ad hoc code reviews:
  Never: 41
  Planned: 10
  With each major release: 13
How frequently does your organization perform ad hoc code reviews of high-risk applications in an opportunistic fashion?
Chart: Frequency of Ad hoc Code Review by Industry (Finance and Insurance; Retail Trade; All), % of respondents per answer (Annually, Daily, ...).
Chart: Average # of vulns at different frequencies of ad hoc code review (Annually, Monthly, Other (please specify), Quarterly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade).
• Avg time open for frequency of ad hoc code reviews:
  Never: 309 days
  Planned: 264 days
  With each major release: 278 days
• Remediation rate for frequency of ad hoc code reviews:
  Never: 43%
  Planned: 39%
  With each major release: 37%
How frequently does your organization perform ad hoc code reviews of high-risk applications in an opportunistic fashion?
Chart: Average Time Open at different frequencies of ad hoc code review (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
Chart: Average remediation rate at different frequencies of ad hoc code review (same frequencies), by industry (Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Time to fix for frequency of ad hoc code reviews:
  Never: 147 days
  Planned: 90 days
  With each major release: 102 days
How frequently does your organization perform ad hoc code reviews of high-risk applications in an opportunistic fashion?
Chart: Average Time to fix at different frequencies of ad hoc code review (Annually, Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• % of respondents for frequency of security review sharing:
  Monthly: 13%
  With each major release: 28%
  Never: 19%
• # of open vulns for frequency of security review sharing:
  Monthly: 13
  With each major release: 29
  Never: 18
How frequently does your organization share results from security reviews with the QA department?
Chart: Frequency of Security Result Sharing by Industry (Finance and Insurance; Information; Retail Trade; Health Care and Social Assistance; All), % of respondents per answer (Daily, Monthly, Never, Other (please specify)).
Chart: Average # of vulns at different frequencies of Security Result Sharing (Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Avg time open for frequency of security review sharing:
  Monthly: 282 days
  With each major release: 393 days
  Never: 258 days
• Remediation rate for frequency of security review sharing:
  Monthly: 49%
  With each major release: 37%
  Never: 27%
How frequently does your organization share results from security reviews with the QA department?
Chart: average time open at different frequencies of security result sharing (Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
Chart: average remediation rate at different frequencies of security result sharing (same frequencies), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
• Time to fix for frequency of security review sharing:
  Monthly: 107 days
  With each major release: 162 days
  Never: 83 days
How frequently does your organization share results from security reviews with the QA department?
Chart: Average Time to fix at different frequencies of Security Result Sharing (Daily, Monthly, Never, Other (please specify), Planned, Quarterly, Weekly, With each release or major update), by industry (All; Health Care and Social Assistance; Retail Trade; Information; Finance and Insurance).
Questions?
Jeremiah Grossman
Founder
WhiteHat Security, Inc.
Twitter: @jeremiahg
Thank you!

 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Cyber TPRM - the journey ahead
Cyber TPRM - the journey aheadCyber TPRM - the journey ahead
Cyber TPRM - the journey ahead
 
Quantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
 
Corporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber SecurityCorporate Treasurers Focus on Cyber Security
Corporate Treasurers Focus on Cyber Security
 
Broadening Your Cybersecurity Mindset
Broadening Your Cybersecurity MindsetBroadening Your Cybersecurity Mindset
Broadening Your Cybersecurity Mindset
 

Mais de Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 

Mais de Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 

Último

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)

  • 1. Where Flow Charts Don’t Go: An Examination of Web Application Security Process Management. Jeremiah Grossman, Founder, WhiteHat Security, Inc. Twitter: @jeremiahg. © 2015 WhiteHat Security, Inc.
  • 2. Jeremiah Grossman: 15 years of Application Security; Brazilian Jiu-Jitsu Black Belt.
  • 3. WhiteHat Security: We help secure the Web by finding application vulnerabilities, in the source code all the way through to production, and help companies get them fixed, before the bad guys exploit them. Founded: 2001. Headquarters: Santa Clara, CA. Employees: 300+.
  • 4. Metric Definitions
    – Average time to fix: average # of days to fix a vulnerability.
    – Remediation Rate: # of closed vulnerabilities divided by # of open vulnerabilities.
    – Days Open: average # of days a vulnerability has been open.
    – Vulnerability Class Likelihood: # of sites that have at least one open vulnerability in a given class over the total number of active sites.
    – Window of Exposure: # of days a site had at least one serious vulnerability open over the analysis period.
    – Serious Vulnerability: a vulnerability with a severity of 3 or greater as defined by WhiteHat’s Vulnerability Classification System.
  • 5. Vulnerability Likelihood and Windows of Exposure (section title)
  • 6. Vulnerability Likelihood (chart only)
  • 7. Vulnerability Likelihood
    – Likelihood of Insufficient Transport Layer Protection has increased in recent years (70% likelihood in 2014)
    – Content Spoofing, XSS and Fingerprinting have declined in recent years: Content Spoofing (38% in 2010 to 26% in 2014); Cross-site scripting (55% in 2010 to 47% in 2014); Fingerprinting (23% in 2012 to 5% in 2014)
  • 8. Windows of Exposure Analysis
    – A large % of websites are always vulnerable
    – 60% of all Retail sites are always vulnerable
    – 52% of all Healthcare and Social Assistance sites are always vulnerable
    – 38% of all Information Technology websites are always vulnerable
    – 39% of all Finance and Insurance websites are always vulnerable
    Chart: share of sites that are always vulnerable, by industry: Finance and Insurance 39%; Health Care and Social Assistance 52%; Information 38%; Retail Trade 60%. The remaining sites in each industry are split across the chart’s other bands: Rarely Vulnerable (30 days or less a year), Occasionally Vulnerable (31–150 days a year), Regularly Vulnerable (151–270 days a year), Frequently Vulnerable (271–364 days a year).
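As an added example (my code, not WhiteHat’s or anything from the deck), the following computes the slide 4 metrics from a constructed list of findings and places each site in one of the slide 8 exposure bands. The Vuln record layout, the three hypothetical sites and their dates, and the “Always Vulnerable” label for a site exposed all 365 days of the period are my assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SERIOUS = 3  # deck: severity 3 or greater is a "serious" vulnerability


@dataclass
class Vuln:
    """One finding, as a scanner export might list it (record layout assumed)."""
    site: str
    vuln_class: str
    severity: int                  # 1-5 scale assumed
    opened: date
    closed: Optional[date] = None  # None = still open


def average_time_to_fix(vulns):
    """Average # of days to fix a vulnerability, over the closed findings."""
    fixed = [v for v in vulns if v.closed is not None]
    return sum((v.closed - v.opened).days for v in fixed) / len(fixed) if fixed else 0.0


def remediation_rate(vulns):
    """# of closed vulnerabilities divided by # of open vulnerabilities (deck definition)."""
    closed = sum(1 for v in vulns if v.closed is not None)
    still_open = len(vulns) - closed
    return closed / still_open if still_open else None


def average_days_open(vulns, as_of):
    """Average # of days the still-open findings have been open, as of a date."""
    live = [v for v in vulns if v.closed is None]
    return sum((as_of - v.opened).days for v in live) / len(live) if live else 0.0


def class_likelihood(vulns, vuln_class, active_sites):
    """# of sites with at least one open vuln of the class over # of active sites."""
    hit = {v.site for v in vulns if v.vuln_class == vuln_class and v.closed is None}
    return len(hit & set(active_sites)) / len(active_sites)


def window_of_exposure(vulns, site, start, end):
    """# of days in [start, end] on which the site had >= 1 serious vuln open.
    Overlapping findings must not be double counted, so each finding's open
    interval is clipped to the period and the intervals are merged first."""
    horizon = end + timedelta(days=1)          # half-open [start, horizon)
    spans = []
    for v in vulns:
        if v.site != site or v.severity < SERIOUS:
            continue
        s = max(v.opened, start)
        e = min(v.closed or horizon, horizon)  # the closing day itself is not counted
        if s < e:
            spans.append((s, e))
    spans.sort()
    merged = []
    for s, e in spans:
        if merged and s <= merged[-1][1]:      # overlaps or touches the previous span
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).days for s, e in merged)


def exposure_band(days):
    """Bands from slide 8; 'Always Vulnerable' for a full 365 days is my label."""
    if days <= 30:
        return "Rarely Vulnerable"
    if days <= 150:
        return "Occasionally Vulnerable"
    if days <= 270:
        return "Regularly Vulnerable"
    if days <= 364:
        return "Frequently Vulnerable"
    return "Always Vulnerable"


# Constructed sample findings for three hypothetical sites over a 2014 analysis period.
PERIOD_START, PERIOD_END = date(2014, 1, 1), date(2014, 12, 31)
SITES = ["shop.example", "clinic.example", "bank.example"]
FINDINGS = [
    Vuln("shop.example", "Cross-site Scripting", 3, date(2014, 1, 1)),                        # open all year
    Vuln("clinic.example", "Insufficient Transport Layer Protection", 2, date(2013, 6, 1)),   # not serious
    Vuln("clinic.example", "SQL Injection", 5, date(2014, 3, 1), date(2014, 3, 31)),
    Vuln("clinic.example", "Cross-site Scripting", 3, date(2014, 3, 20), date(2014, 4, 9)),   # overlaps the one above
    Vuln("bank.example", "Content Spoofing", 2, date(2014, 2, 1)),
    Vuln("bank.example", "Cross-site Scripting", 3, date(2013, 12, 1), date(2014, 1, 10)),    # straddles period start
    Vuln("bank.example", "Fingerprinting", 1, date(2014, 5, 1)),
]


def site_exposure_report(vulns=FINDINGS, sites=SITES, start=PERIOD_START, end=PERIOD_END):
    """Map each site to (window of exposure in days, slide 8 band)."""
    out = {}
    for site in sites:
        days = window_of_exposure(vulns, site, start, end)
        out[site] = (days, exposure_band(days))
    return out


if __name__ == "__main__":
    print("avg time to fix  :", average_time_to_fix(FINDINGS))
    print("remediation rate :", remediation_rate(FINDINGS))
    print("avg days open    :", average_days_open(FINDINGS, PERIOD_END))
    print("XSS likelihood   :", class_likelihood(FINDINGS, "Cross-site Scripting", SITES))
    for site, (days, band) in site_exposure_report().items():
        print(f"{site:16} {days:3d} days exposed -> {band}")
```

Note that clinic.example shows why the intervals are merged: its two serious findings overlap in late March, and counting their days separately would overstate the window by ten days.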
  • 9. Maturity Metrics Analysis (section title)
  • 10. Sentinel Customer Survey Overview
    – The analysis is based on 118 responses to a survey sent to security professionals to measure the maturity models of application security programs at various organizations.
    – The responses obtained in the survey are correlated with the data available in Sentinel to get deeper insights. Statistics pulled from Sentinel are for the 2014 timeframe.
    – Active Customers: ~700; Fortune 500: 63; Commercial Banks: 7 of the Top 18; Largest Banks: 10 of the Top 50; Software: 6 of the Top 16; Consumer Financial Services: 4 of the Top 8.
  • 11. Have organizations’ website(s) experienced a data or system breach resulting from an app layer vulnerability?
    – 24% of the survey respondents have experienced a data or system breach
    – Those who have experienced a data or system breach have a higher average # of open vulnerabilities than those who haven’t experienced a breach. (20 vs. 26)
    – Those who have experienced a breach have a lower remediation rate than those who haven’t experienced a breach. (42% vs. 39%)
    Chart (% of respondents, No / Yes): All 76% / 24%; Finance and Insurance 83% / 17%; Information 80% / 20%; Retail Trade 50% / 50%; Health Care and Social Assistance 0% / 100%.
  • 12. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
    – 56% of all respondents did not have any part of the organization held accountable in case of data or system breach.
    Chart: % of respondents by accountable part of the organization (bar values 9%, 29%, 28%, 30%).
  • 13. If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and what is its performance?
    Metric                        Board of Directors   Executive Management   Software Development   Security Department
    Average Number of Vulns Open  10                   10                     17                     25
    Average Time Open (Days)      386                  364                    341                    299
    Average Time to Fix (Days)    129                  119                    108                    114
    Remediation Rate              44%                  43%                    37%                    43%
  • 14. Please rank your organization’s drivers for resolving website vulnerabilities (1 lowest priority, 5 highest). Primary driver for resolving website vulnerabilities, % of respondents:
    – 15% of the respondents cite Compliance as the primary reason for resolving website vulnerabilities
    – 6% of the respondents cite Corporate Policy as the primary reason for resolving website vulnerabilities
    – 35% of the respondents cite Risk Reduction as the primary reason for resolving website vulnerabilities
    – 19% of the respondents cite Customer or Partner Demand as the primary reason for resolving website vulnerabilities
    – 25% of the respondents cite other reasons for resolving website vulnerabilities
  • 15. Please rank your organization’s drivers for resolving website vulnerabilities (1 the lowest priority, 5 the highest). Sentinel metrics by primary reason for resolving web site vulnerabilities:
    Metric                        Compliance   Corporate Policy   Risk Reduction   Customer or Partner Demand   Other
    Average # of vulnerabilities  14           21                 28               28                           10
    Average Time Open (Days)      266          290                283              525                          355
    Average Time to Fix (Days)    132          86                 78               163                          150
    Average Remediation Rate      55%          21%                40%              50%                          33%
  • 16. How frequently do you perform automated static analysis during the code review process?
    – % of respondents by frequency of automated static analysis: Daily 13%; With each major release 32%; Never 13%
    – # of open vulns by frequency of automated static analysis: Daily 6; With each major release 32; Never 17
    Charts: frequency of automated static analysis by industry (Finance and Insurance, Information, Retail Trade, Health Care and Social Assistance, All); average # of vulns at different frequencies (Daily, Monthly, Never, Quarterly, Weekly, With each release or major update).
  • 17. How frequently do you perform automated static analysis during the code review process?
    – Avg time open by frequency of automated static analysis: Daily 369 days; Each major release 273 days; Never 394 days
    – Remediation rate by frequency of automated static analysis: Daily 39%; Each major release 38%; Never 45%
    Charts: Average Time Open and Average remediation rate at different frequencies of Automated Static Analysis, by industry (All, Health Care and Social Assistance, Retail Trade, Information, Finance and Insurance).
  • 18. How frequently do you perform automated static analysis during the code review process?
    – Time to fix by frequency of automated static analysis: Daily 74 days; Each major release 117 days; Never 125 days
    Chart: Average Time to fix at different frequencies of Automated Static Analysis, by industry.
  • 19. How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: what happens when you enter the wrong password over and over?
    – % of respondents by frequency of adversarial testing: Each major release 32%; Quarterly 11%; Never 21%
    – # of open vulns by frequency of adversarial testing: Each major release 15; Quarterly 14; Never 34
    Charts: Frequency of Adversarial Testing by Industry; Average # of vulns at different frequencies of adversarial testing, by industry.
  • 20. How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: what happens when you enter the wrong password over and over?
    – Avg time open by frequency of adversarial testing: Each major release 322 days; Quarterly 375 days; Never 254 days
    – Remediation rate by frequency of adversarial testing: Each major release 41%; Quarterly 40%; Never 25%
    Charts: Average Time Open and Average remediation rate at different frequencies of adversarial testing, by industry.
  • 21. How frequently does the QA team go beyond functional testing to perform basic adversarial tests (probing of simple edge cases and boundary conditions)? Example: what happens when you enter the wrong password over and over?
    – Time to fix by frequency of adversarial testing: Each major release 124 days; Quarterly 85 days; Never 102 days
    Chart: Average Time to fix at different frequencies of adversarial testing, by industry.
  • 22. How frequently do you use external penetration testers to find problems?
    – % of respondents by frequency of pen-testing: Annually 21%; Quarterly 26%; Never 26%
    – # of open vulns by frequency of pen-testing: Annually 12; Quarterly 40; Never 25
    Charts: Frequency of Penetration Testing by Industry; Average # of vulns at different frequencies of penetration testing, by industry.
  • 23. How frequently do you use external penetration testers to find problems?
    – Avg time open by frequency of penetration testing: Annually 282 days; Quarterly 273 days; Never 393 days
    – Remediation rate by frequency of penetration testing: Annually 49%; Quarterly 44%; Never 34%
    Charts: Average Time Open and Average remediation rate at different frequencies of penetration testing, by industry.
  • 24. © 2014 WhiteHat Security, Inc. 24 • Time to fix for frequency of penetration testing: Annually: 140 days Quarterly: 102 days Never: 128 days How frequently do you use external penetration testers to find problems? 0 100 200 300 Annually Daily Monthly Never Other… Planned Quarterly Weekly With each… Average Time to fix at different frequencies of penetration testing Grand Total Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 25. © 2014 WhiteHat Security, Inc. 25 • % of respondents for frequency of operation monitoring feedback: Daily: 17% With each major release: 17% Never: 9% • # of open vulns for frequency of operation monitoring feedback: Daily: 40 With each major release: 23 Never: 10 How often does your organization use defects identified through operations monitoring fed back to development and used to change developer behavior? 0% 50% 100% 150% Finance and… Information Retail Trade Health Care and… All Frequency of Operations Monitoring Feedback by Industry Annually Daily Monthly Never 0 20 40 60 Annually Daily Monthly Never Other (please… Planned Quarterly Weekly With each release… Average # of vulns at different frequencies of Operations Monitoring Feedback All Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 26. © 2014 WhiteHat Security, Inc. 26 • Avg time open for frequency of operation monitoring feedback: Daily: 270 days With each major release: 353 days Never: 243 days • Remediation rate for frequency of operation monitoring feedback: Daily: 32% With each major release: 48% Never: 34% How often does your organization use defects identified through operations monitoring fed back to development and used to change developer behavior? 0 500 1000 Annually Daily Monthly Never Other (please… Planned Quarterly Weekly With each… Average Time Open at different frequencies of Operations Monitoring Feedback Health Care and Social Assistance Retail Trade Information Finance and Insurance 0% 20% 40% 60% 80% Annually Monthly Other (please specify) Quarterly With each release… Average remediation rate at different frequencies of Operations Monitoring Feedback Health Care and Social Assistance Retail Trade Information
  • 27. © 2014 WhiteHat Security, Inc. 27 • Time to fix for frequency of operation monitoring feedback: Daily: 76 days With each major release: 198 days Never: 91 days How often does your organization use defects identified through operations monitoring fed back to development and used to change developer behavior? 0 100 200 300 Annually Daily Monthly Never Other (please specify) Planned Quarterly Weekly With each release or major update Average Time to fix at different frequencies of Operations Monitoring Feedback Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 28. © 2014 WhiteHat Security, Inc. 28 • % of respondents for frequency of ad hoc code reviews: Never: 21% Planned: 15% With each major release: 15% • # of open vulns for frequency of ad hoc code reviews: Never: 41 Planned: 10 With each major release: 13 How frequently does your organization perform ad hoc code reviews of highrisk applications in an opportunistic fashion? 0% 50% 100% 150% Finance and… Retail Trade All Frequency of Adhoc Code Review by Industry Annually Daily 0 20 40 60 80 Annually Monthly Other (please… Quarterly With each… Average # of vulns at different frequencies of Adhoc code review All Health Care and Social Assistance Retail Trade
  • 29. © 2014 WhiteHat Security, Inc. 29 • Avg time open for frequency of ad hoc code reviews: Never: 309 days Planned: 264 days With each major release: 278 days • Remediation rate for frequency of ad hoc code reviews: Never: 43% Planned: 39% With each major release: 37% How frequently does your organization perform ad hoc code reviews of highrisk applications in an opportunistic fashion? 0 500 1000 Annually Daily Monthly Never Other (please… Planned Quarterly Weekly With each release… Average Time Open at different frequencies of adhoc code review Health Care and Social Assistance Retail Trade Information Finance and Insurance 0 0.2 0.4 0.6 0.8 Annually Daily Monthly Never Other (please… Planned Quarterly Weekly With each release… Average remediation rate at different frequencies of adhoc code review Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 30. © 2014 WhiteHat Security, Inc. 30 • Time to fix for frequency of ad hoc code reviews: Never: 147 days Planned: 90 days With each major release: 102 days How frequently does your organization perform ad hoc code reviews of highrisk applications in an opportunistic fashion? 0 50 100 150 200 Annually Daily Monthly Never Other (please specify) Planned Quarterly Weekly With each release or major update Average Time to fix at different frequencies of adhoc code review Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 31. © 2014 WhiteHat Security, Inc. 31 • % of respondents for frequency of security review sharing: Monthly: 13% With each major release: 28% Never: 19% • # of open vulns for frequency of security review sharing: Monthly: 13 With each major release: 29 Never: 18 How frequently does your organization share results from security reviews with the QA department? 0% 50% 100% 150% Finance and… Information Retail Trade Health Care… All Frequency of Security Result Sharing by Industry Daily Monthly Never Other (please specify) 0 20 40 60 Daily Monthly Never Other (please specify) Planned Quarterly Weekly With each release or… Average # of vulns at different frequencies of Security Result Sharing All Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 32. © 2014 WhiteHat Security, Inc. 32 • Avg time open for frequency of security review sharing: Monthly: 282 days With each major release: 393 days Never: 258 days • Remediation rate for frequency of security review sharing: Monthly: 49% With each major release: 37% Never: 27% How frequently does your organization share results from security reviews with the QA department? 0 500 1000 Daily Monthly Never Other (please… Planned Quarterly Weekly With each release… All Health Care and Social Assistance Retail Trade Information Finance and Insurance 0% 20%40%60%80%100% Daily Monthly Never Other (please specify) Planned Quarterly Weekly With each release… All Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 33. © 2014 WhiteHat Security, Inc. 33 • Time to fix for frequency of security review sharing: Monthly: 107 days With each major release: 162 days Never: 83 days How frequently does your organization share results from security reviews with the QA department? 0 100 200 Daily Monthly Never Other (please… Planned Quarterly Weekly With each… Average Time to fix at different frequencies of Security Result Sharing All Health Care and Social Assistance Retail Trade Information Finance and Insurance
  • 34. Questions? © 2015 WhiteHat Security, Inc. Jeremiah Grossman Founder WhiteHat Security, Inc. Twitter: @jeremiahg Thank you!