SlideShare uma empresa Scribd logo

WhiteHat Security 8th Website Security Statistics Report

Jeremiah Grossman
Jeremiah Grossman

Web security is a moving target and enterprises need timely information about the latest attack trends, how they can best defend their websites, and visibility into their vulnerability lifecycle. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the knowledge and solutions that organizations need to protect their brands, attain PCI compliance and avert costly breaches. The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to safely conduct business online. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, tracks vertical market trends and identifies new attack techniques, since 2006. The WhiteHat Security report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization,

Tecnologia
1 de 20
Baixar para ler offline
8th Website Security Statistics Report Full Report Available https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209 Jeremiah Grossman Founder & Chief Technology Officer Webinar 11.12.2009 © 2009 WhiteHat, Inc.
Jeremiah Grossman • Technology R&D and industry evangelist • InfoWorld's CTO Top 25 for 2007 • Frequent international conference speaker • Co-founder of the Web Application Security Consortium • Co-author: Cross-Site Scripting Attacks • Former Yahoo! information security officer © 2009 WhiteHat Security, Inc. | Page 2
WhiteHat Security • 250+ enterprise customers • Start-ups to Fortune 500 • Flagship offering “WhiteHat Sentinel Service” • 1000’s of assessments performed annually • Recognized leader in website security • Quoted thousands of times by the mainstream press © 2009 WhiteHat, Inc. | Page 3
WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed • Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost • Production Safe – No Performance Impact • Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point • Unlimited Assessments – Anytime websites change • Eliminates False Positives – Security Operations Team verifies all vulnerabilities • Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes © 2009 WhiteHat, Inc. | Page 4
Know Your Enemy Fully Targeted • Customize their own tools • Focused on business logic • Clever and profit driven ($$$) Directed Opportunistic • Commercial / Open Source Tools • Authentication scans • Multi-step processes (forms) Random Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately © 2009 WhiteHat, Inc. | Page 5
Website Classes of Attacks Business Logic: Humans Required Technical: Automation Can Identify Authentication Command Execution • Brute Force • Buffer Overflow • Insufficient Authentication • Format String Attack • Weak Password Recovery Validation • LDAP Injection • CSRF* • OS Commanding • SQL Injection Authorization • SSI Injection • Credential/Session Prediction • XPath Injection • Insufficient Authorization • Insufficient Session Expiration Information Disclosure • Session Fixation • Directory Indexing • Information Leakage Logical Attacks • Path Traversal • Abuse of Functionality • Predictable Resource Location • Denial of Service • Insufficient Anti-automation Client-Side • Insufficient Process Validation • Content Spoofing • Cross-site Scripting • HTTP Response Splitting* © 2009 WhiteHat, Inc. | Page 6
Data Overview • 1,364 32% ↑ total websites • 22,776 4,888 ↑ verified custom web application vulnerabilities* • Data collected from January 1, 2006 to October 1, 2009 • Vast majority of websites assessed for vulnerabilities weekly • Vulnerabilities classified according to WASC Threat Classification • Vulnerability severity naming convention aligns with PCI-DSS • Average number of links per website: 766** • Average number of inputs (attack surface) per website: 246 • Average ratio of vulnerability count / number of inputs: 2.14% • Anti-Clickjacking X-FRAME-OPTIONS: 1 Technology Breakdown • HTTPOnly flag: 150 % of % of URL Extension websites vulnerabilities * Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/ unknown 62% 39% webapp.cgi), three of which are vulnerable to SQL Injection, it is aspx 23% 9% counted as one vulnerability (not three). asp 22% 24% ** WhiteHat Sentinel seeks to identify all of a websites externally xml 11% 2% available attack surface, which may or may not require spidering all jsp 10% 8% of its available links. do 6% 3% php 6% 3% html 5% 2% old 3% 1% cfm 3% 4% bak 3% 1% dll 2% 1% © 2009 WhiteHat, Inc. | Page 9 7
Key Findings All Websites • 83% of websites have had a HIGH, CRITICAL, or URGENT issue • 64% of websites currently have a HIGH, CRITICAL, or URGENT issue • 61% vulnerability resolution rate with 8,902 unresolved issues remaining • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7 • Average number of serious unresolved vulnerabilities per website: 6.5 SSL-Only Websites • 44% of websites are using SSL • 81% of websites have had a HIGH, CRITICAL, or URGENT issue • 58% of websites currently have a HIGH, CRITICAL, or URGENT issue • 58% vulnerability resolution rate among sample with 2,484 out of 5,863 historical vulnerabilities unresolved issues remaining • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7 • Average number of serious unresolved vulnerabilities per website: 4.1 Percentage likelihood of a website having a vulnerability by severity CRITICAL HIGH URGENT © 2009 WhiteHat, Inc. | Page
WhiteHat Security Top Ten Percentage likelihood of a website having a vulnerability by class Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality © 2009 WhiteHat, Inc. | Page 9
Vulnerability Population 63% 8% 7% 6% 5% 4% 4% 3% Cross-Site Content SQL Information Other Predictable HTTP Insufficient Scripting Spoofing Injection Leakage Resource Response Authorization Location Splitting © 2009 WhiteHat, Inc. | Page 10
Time-to-Fix (Days) Cross-Site Scripting 9↑ Information Leakage 7↓ Content Spoofing 16 ↑ Insufficient Authorization 15 ↓ SQL Injection 24 ↑ Pred. Res. Loc. 39 ↓ Cross-Site Request Forgery 37 ↑ Session Fixation 2↑ HTTP Response Splitting 5↓ Abuse of Functionality - * Up/down arrows indicate the increase or decrease since the last report. Best-case scenario: Not all vulnerabilities have been fixed... © 2009 WhiteHat, Inc. | Page 11
Resolution Rates Class of Attack % resolved Δ severity Cross Site Scripting 12% 8↓ urgent Insufficient Authorization 18% 1↓ urgent SQL Injection 40% 10 ↑ urgent HTTP Response Splitting 12% 15 ↓ urgent Directory Traversal 65% 12 ↑ urgent Insufficient Authentication 37% 1↓ critical Cross-Site Scripting 44% 5↑ critical Abuse of Functionality 14% 14 ↓ critical Cross-Site Request Forgery 39% 6↓ critical Session Fixation 31% 10 ↑ critical Brute Force 31% 20 ↑ high Content Spoofing 46% 21 ↑ high HTTP Response Splitting 32% 2↑ high Information Leakage 30% 21 ↑ high Predictable Resource Location 34% 8↑ high * Up/down arrows indicate the increase or decrease since the last report. © 2009 WhiteHat, Inc. | Page 12
Zero-Vulnerability Websites • 485 total websites • 17% of websites have never had a HIGH, CRITICAL, or URGENT issue • 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue • 1,800 verified custom web application vulnerabilities • Lifetime average number of vulnerabilities per website: 3.7 • Average number of inputs per website: 244 • Average ratio of vulnerability count / number of inputs: 2.11% Percentage likelihood of a website Technology Breakdown having a vulnerability by class # of % of URL Extension 1. Cross-Site Scripting (37.3%) websites vulnerabilities 2. Information Leakage (22.2%) unknown 33% 33% 3. Content Spoofing (10.7%) aspx 7% 10% 4. Predictable Resource Location (7.8%) asp 14% 25% 5. SQL Injection (7.4%) 6. Abuse of Functionality (4.3%) jsp 7% 9% 7. Insufficient Authorization (4.1%) do 7% 8% 8. Session Fixation (4.1%) html 2% 2% 9. Cross Site Request Forgery (3.7%) old 2% 2% 10. HTTP Response Splitting (3.1%) cfm 2% 3% © 2009 WhiteHat, Inc. | Page 13
Vulnerability Population Zero-Vulnerability Websites 62% 9% 8% 6% 6% 5% 4% Cross-Site Information Content SQL Predictable Cross-Site Other Scripting Leakage Spoofing Injection Resource Request Location Forgery © 2009 WhiteHat, Inc. | Page 14
Time-to-Fix (Days) Zero-Vulnerability Websites Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Pred. Res. Loc. Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality © 2009 WhiteHat, Inc. | Page 15
Industry Verticals 3↓ 3↑ 15 ↑ 1↑ 12 ↑ 6↑ - - 1↑ l l cia e ma cia ing tail an s IT car ar m nce So ork tio n Re Fin rvice th Ph eco sur a ca eal el In tw du Se H T Ne E * Up/down arrows indicate the increase or decrease since the last report. © 2009 WhiteHat, Inc. | Page 16
Operationalize 1) Where do I start? Locate the websites you are responsible for 2) Where do I do next? Rank websites based upon business criticality Risk 3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted 4) What is our current security posture? Vulnerability assessments, pen-tests, traffic Resources monitoring What is your organizations tolerance for risk (per website)? 5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc. © 2009 WhiteHat, Inc. | Page 17
Website Risk Management Infrastructure © 2009 WhiteHat, Inc. | Page 18
© 2009 WhiteHat, Inc. | Page 19
Thank You! Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com WhiteHat Security http://www.whitehatsec.com/ © 2009 WhiteHat, Inc.

Recomendados

Bezpečnostní útoky na webové aplikace, Čtvrtkon 5
Bezpečnostní útoky na webové aplikace, Čtvrtkon 5Bezpečnostní útoky na webové aplikace, Čtvrtkon 5
Bezpečnostní útoky na webové aplikace, Čtvrtkon 5Michal Špaček
 
All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 

Recomendados

Bezpečnostní útoky na webové aplikace, Čtvrtkon 5
Bezpečnostní útoky na webové aplikace, Čtvrtkon 5Bezpečnostní útoky na webové aplikace, Čtvrtkon 5
Bezpečnostní útoky na webové aplikace, Čtvrtkon 5Michal Špaček
 
All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Mais conteúdo relacionado

Mais de Jeremiah Grossman

Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 

Mais de Jeremiah Grossman (20)

Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 

Último

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

WhiteHat Security 8th Website Security Statistics Report

  • 1. 8th Website Security Statistics Report Full Report Available https://whitehatsec.market2lead.com/go/whitehatsec/WPstats111209 Jeremiah Grossman Founder & Chief Technology Officer Webinar 11.12.2009 © 2009 WhiteHat, Inc.
  • 2. Jeremiah Grossman • Technology R&D and industry evangelist • InfoWorld's CTO Top 25 for 2007 • Frequent international conference speaker • Co-founder of the Web Application Security Consortium • Co-author: Cross-Site Scripting Attacks • Former Yahoo! information security officer © 2009 WhiteHat Security, Inc. | Page 2
  • 3. WhiteHat Security • 250+ enterprise customers • Start-ups to Fortune 500 • Flagship offering “WhiteHat Sentinel Service” • 1000’s of assessments performed annually • Recognized leader in website security • Quoted thousands of times by the mainstream press © 2009 WhiteHat, Inc. | Page 3
  • 4. WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed • Unique SaaS-based solution – Highly scalable delivery of service at a fixed cost • Production Safe – No Performance Impact • Full Coverage – On-going testing for business logic flaws and technical vulnerabilities – uses WASC 24 classes of attacks as reference point • Unlimited Assessments – Anytime websites change • Eliminates False Positives – Security Operations Team verifies all vulnerabilities • Continuous Improvement & Refinement – Ongoing updates and enhancements to underlying technology and processes © 2009 WhiteHat, Inc. | Page 4
  • 5. Know Your Enemy Fully Targeted • Customize their own tools • Focused on business logic • Clever and profit driven ($$$) Directed Opportunistic • Commercial / Open Source Tools • Authentication scans • Multi-step processes (forms) Random Opportunistic • Fully automated scripts • Unauthenticated scans • Targets chosen indiscriminately © 2009 WhiteHat, Inc. | Page 5
  • 6. Website Classes of Attacks Business Logic: Humans Required Technical: Automation Can Identify Authentication Command Execution • Brute Force • Buffer Overflow • Insufficient Authentication • Format String Attack • Weak Password Recovery Validation • LDAP Injection • CSRF* • OS Commanding • SQL Injection Authorization • SSI Injection • Credential/Session Prediction • XPath Injection • Insufficient Authorization • Insufficient Session Expiration Information Disclosure • Session Fixation • Directory Indexing • Information Leakage Logical Attacks • Path Traversal • Abuse of Functionality • Predictable Resource Location • Denial of Service • Insufficient Anti-automation Client-Side • Insufficient Process Validation • Content Spoofing • Cross-site Scripting • HTTP Response Splitting* © 2009 WhiteHat, Inc. | Page 6
  • 7. Data Overview • 1,364 32% ↑ total websites • 22,776 4,888 ↑ verified custom web application vulnerabilities* • Data collected from January 1, 2006 to October 1, 2009 • Vast majority of websites assessed for vulnerabilities weekly • Vulnerabilities classified according to WASC Threat Classification • Vulnerability severity naming convention aligns with PCI-DSS • Average number of links per website: 766** • Average number of inputs (attack surface) per website: 246 • Average ratio of vulnerability count / number of inputs: 2.14% • Anti-Clickjacking X-FRAME-OPTIONS: 1 Technology Breakdown • HTTPOnly flag: 150 % of % of URL Extension websites vulnerabilities * Vulnerabilities are counted by unique Web application and class of attack. If there are five parameters in a single Web application (/foo/ unknown 62% 39% webapp.cgi), three of which are vulnerable to SQL Injection, it is aspx 23% 9% counted as one vulnerability (not three). asp 22% 24% ** WhiteHat Sentinel seeks to identify all of a websites externally xml 11% 2% available attack surface, which may or may not require spidering all jsp 10% 8% of its available links. do 6% 3% php 6% 3% html 5% 2% old 3% 1% cfm 3% 4% bak 3% 1% dll 2% 1% © 2009 WhiteHat, Inc. | Page 9 7
  • 8. Key Findings All Websites • 83% of websites have had a HIGH, CRITICAL, or URGENT issue • 64% of websites currently have a HIGH, CRITICAL, or URGENT issue • 61% vulnerability resolution rate with 8,902 unresolved issues remaining • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 16.7 • Average number of serious unresolved vulnerabilities per website: 6.5 SSL-Only Websites • 44% of websites are using SSL • 81% of websites have had a HIGH, CRITICAL, or URGENT issue • 58% of websites currently have a HIGH, CRITICAL, or URGENT issue • 58% vulnerability resolution rate among sample with 2,484 out of 5,863 historical vulnerabilities unresolved issues remaining • Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 9.7 • Average number of serious unresolved vulnerabilities per website: 4.1 Percentage likelihood of a website having a vulnerability by severity CRITICAL HIGH URGENT © 2009 WhiteHat, Inc. | Page
  • 9. WhiteHat Security Top Ten Percentage likelihood of a website having a vulnerability by class Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality © 2009 WhiteHat, Inc. | Page 9
  • 10. Vulnerability Population 63% 8% 7% 6% 5% 4% 4% 3% Cross-Site Content SQL Information Other Predictable HTTP Insufficient Scripting Spoofing Injection Leakage Resource Response Authorization Location Splitting © 2009 WhiteHat, Inc. | Page 10
  • 11. Time-to-Fix (Days) Cross-Site Scripting 9↑ Information Leakage 7↓ Content Spoofing 16 ↑ Insufficient Authorization 15 ↓ SQL Injection 24 ↑ Pred. Res. Loc. 39 ↓ Cross-Site Request Forgery 37 ↑ Session Fixation 2↑ HTTP Response Splitting 5↓ Abuse of Functionality - * Up/down arrows indicate the increase or decrease since the last report. Best-case scenario: Not all vulnerabilities have been fixed... © 2009 WhiteHat, Inc. | Page 11
  • 12. Resolution Rates Class of Attack % resolved Δ severity Cross Site Scripting 12% 8↓ urgent Insufficient Authorization 18% 1↓ urgent SQL Injection 40% 10 ↑ urgent HTTP Response Splitting 12% 15 ↓ urgent Directory Traversal 65% 12 ↑ urgent Insufficient Authentication 37% 1↓ critical Cross-Site Scripting 44% 5↑ critical Abuse of Functionality 14% 14 ↓ critical Cross-Site Request Forgery 39% 6↓ critical Session Fixation 31% 10 ↑ critical Brute Force 31% 20 ↑ high Content Spoofing 46% 21 ↑ high HTTP Response Splitting 32% 2↑ high Information Leakage 30% 21 ↑ high Predictable Resource Location 34% 8↑ high * Up/down arrows indicate the increase or decrease since the last report. © 2009 WhiteHat, Inc. | Page 12
  • 13. Zero-Vulnerability Websites • 485 total websites • 17% of websites have never had a HIGH, CRITICAL, or URGENT issue • 36% of websites currently do not have a HIGH, CRITICAL, or URGENT issue • 1,800 verified custom web application vulnerabilities • Lifetime average number of vulnerabilities per website: 3.7 • Average number of inputs per website: 244 • Average ratio of vulnerability count / number of inputs: 2.11% Percentage likelihood of a website Technology Breakdown having a vulnerability by class # of % of URL Extension 1. Cross-Site Scripting (37.3%) websites vulnerabilities 2. Information Leakage (22.2%) unknown 33% 33% 3. Content Spoofing (10.7%) aspx 7% 10% 4. Predictable Resource Location (7.8%) asp 14% 25% 5. SQL Injection (7.4%) 6. Abuse of Functionality (4.3%) jsp 7% 9% 7. Insufficient Authorization (4.1%) do 7% 8% 8. Session Fixation (4.1%) html 2% 2% 9. Cross Site Request Forgery (3.7%) old 2% 2% 10. HTTP Response Splitting (3.1%) cfm 2% 3% © 2009 WhiteHat, Inc. | Page 13
  • 14. Vulnerability Population Zero-Vulnerability Websites 62% 9% 8% 6% 6% 5% 4% Cross-Site Information Content SQL Predictable Cross-Site Other Scripting Leakage Spoofing Injection Resource Request Location Forgery © 2009 WhiteHat, Inc. | Page 14
  • 15. Time-to-Fix (Days) Zero-Vulnerability Websites Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Pred. Res. Loc. Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality © 2009 WhiteHat, Inc. | Page 15
  • 16. Industry Verticals 3↓ 3↑ 15 ↑ 1↑ 12 ↑ 6↑ - - 1↑ l l cia e ma cia ing tail an s IT car ar m nce So ork tio n Re Fin rvice th Ph eco sur a ca eal el In tw du Se H T Ne E * Up/down arrows indicate the increase or decrease since the last report. © 2009 WhiteHat, Inc. | Page 16
  • 17. Operationalize 1) Where do I start? Locate the websites you are responsible for 2) Where do I do next? Rank websites based upon business criticality Risk 3) What should I be concerned about first? Random Opportunistic, Directed Opportunistic, Fully Targeted 4) What is our current security posture? Vulnerability assessments, pen-tests, traffic Resources monitoring What is your organizations tolerance for risk (per website)? 5) How best to improve our survivability? SDL, virtual patch, configuration change, decommission, outsource, version roll-back, etc. © 2009 WhiteHat, Inc. | Page 17
  • 18. Website Risk Management Infrastructure © 2009 WhiteHat, Inc. | Page 18
  • 19. © 2009 WhiteHat, Inc. | Page 19
  • 20. Thank You! Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com WhiteHat Security http://www.whitehatsec.com/ © 2009 WhiteHat, Inc.