SlideShare uma empresa Scribd logo

WhiteHat Security Website Statistics [Full Report] (2013)

Jeremiah Grossman
Jeremiah Grossman

WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely. Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security. To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.

Tecnologia
1 de 53
Baixar para ler offline
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 1 WEBSITE SECURITY STATISTICS REPORT MAY 2013
WEBSITE SECURITY STATISTICS REPORT | MAY 20132 INTRODUCTION WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely. Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security. To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches. ABOUT WHITEHAT SECURITY Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, currently manages more than 15,000 websites – including sites in the most regulated industries, such as top e-commerce, financial services and healthcare companies.
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 3 N EXECUTIVE SUMMARY
WEBSITE SECURITY STATISTICS REPORT | MAY 20134
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 5
WEBSITE SECURITY STATISTICS REPORT | MAY 20136
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 7 KEY FINDINGS
WEBSITE SECURITY STATISTICS REPORT | MAY 20138
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 9 2007 1000 800 400 600 200 2008 2009 2009 2010 2011 AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
WEBSITE SECURITY STATISTICS REPORT | MAY 201310
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 11
WEBSITE SECURITY STATISTICS REPORT | MAY 201312
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 13
WEBSITE SECURITY STATISTICS REPORT | MAY 201314
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 15 MOST COMMON VULNERABILITIES
WEBSITE SECURITY STATISTICS REPORT | MAY 201316
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 17
WEBSITE SECURITY STATISTICS REPORT | MAY 201318
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 19 Cross-Site Scripting Information Leakage Content Spoofing Cross-Site Request Forgery Brute Force Insufficient Transport Layer Protection Insufficient Authorization SQL Other 43% 11% 7% 12% 13% injection
WEBSITE SECURITY STATISTICS REPORT | MAY 201320 C-level executives, managers, and software developers often ask their security teams, “How are we doing? Are we safe, are we secure?” The real thing they may be asking for is a sense of how the organization’s current security posture compares to their peers or competitors. They want to know if the organization is leading, falling way behind, or is somewhere in between with respect to their security posture. The answers to that question are extremely helpful for progress tracking and goal setting. What many do not first consider is that some organizations (or particular websites) are ‘targets of opportunity,’ while others are ‘targets of choice.’ Targets of opportunity are breached when their security posture is weaker than the average organization (in their industry) – and they get unlucky in the total pool of potential victims. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker. The attackers know precisely whom – or what – they want to penetrate. Here’s the thing: since ‘100% security’ is an unrealistic goal – mostly because it is flatly impossible, and the attempt is prohibitively expensive and for many completely unnecessary – it is imperative for every organization to determine if they most likely represent a target of opportunity or choice. In doing so an organization may establish and measure against a “secure enough” bar. If an organization is a target of opportunity, a goal of being just above average with respect to website security among peers is reasonable. The bad guy will generally prefer to attack weaker, and therefore easier to breach, targets. On the other hand, if an organization is a target of choice, that organization must elevate its website security posture to a point where an attacker’s efforts are detectable, preventable, and in case of a compromise, survivable. This is due to the fact that an adversary will spend whatever time is necessary looking for gaps in the defenses to exploit. Whether an organization is a target of choice or a target of opportunity, the following Industry Scorecards have been prepared to help organizations to visualize how its security posture compares to its peers (provided they know their own internal metrics, of course). INDUSTRY SCORECARDS
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 21 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 81% 54% 107 DAYS 11 Cross-Site Scripting* Information Leakage* Content Spoofing* Cross-Site Request Forgery* Brute Force* Fingerprinting* Insufficient Authorization* 30% 20% 10% 26% 21% 9% 9% 8% 8% 5% Banking Industry ScorecardApril 2013 24% 33% 9% 11% 24% THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 57% 29%57%29% 71% 24% Always Vulnerable 33% Frequently Vulnerable 271-364 days a year 9% Regularly Vulnerable 151-270 days a year 11% Occasionally Vulnerable 31-150 days a year Rarely Vulnerable 30 days or less a year
WEBSITE SECURITY STATISTICS REPORT | MAY 201322 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 81% 67% 226 DAYS 50 Cross-Site Scripting* Information Leakage* Content Spoofing* SQL injection*Cross-Site request Forgery* Brute Force* Directory Indexing* 30% 20% 10% 31% 25% 12% 9% 8% 7% 7% Financial Services Industry Scorecard THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 64% 70%50%50% 40% 28% Always Vulnerable 38% Frequently Vulnerable 271-364 days a year 10% Regularly Vulnerable 151-270 days a year 10% Occasionally Vulnerable 31-150 days a year 23% Rarely Vulnerable 30 days or less a year 28% 28% 10% 10% 23%
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 23 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 90% 53% 276 DAYS 22 Cross Site Scripting* Information Leakage* Content Spoofing* Brute Force*Insufficent Transport Layer Protection* Cross Site Request Forgery* Session Fixation* 30% 20% 10% 40% 29% 22% 13% 12% 10% 9% Healthcare Industry ScorecardApril 2013 THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 67% 67%83%50% 34% 48% Always Vulnerable 22% Frequently Vulnerable 271-364 days a year 12% Regularly Vulnerable 151-270 days a year 7% Occasionally Vulnerable 31-150 days a year 10% Rarely Vulnerable 30 days or less a year 49% 22% 12% 7% 10%
WEBSITE SECURITY STATISTICS REPORT | MAY 201324 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 91 % 54% 224 DAYS 106 Cross Site Scripting* Information Leakage* Content Spoofing* Brute Force* SQL Injection*Cross Site Request Forgery* Directory Indexing* 30% 20% 10% 31% 25% 12% 9% 8% 7% 7% Retail Industry ScorecardApril 2013 THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 73% 60%90%70% 70% 54% Always Vulnerable 21% Frequently Vulnerable 271-364 days a year 6% Regularly Vulnerable 151-270 days a year 5% Occasionally Vulnerable 31-150 days a year 13% Rarely Vulnerable 30 days or less a year 54% 21% 6% 5% 13%
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 25 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 85% 61 % 71 DAYS 18 Cross-Site Scripting* Information Leakage* Content Spoofing* Cross-Site Request Forgery* Brute Force*Fingerprinting* URL Redirector Abuse* 30% 20% 10% 41% 35% 19% 18% 14% 12% 12% Technology Industry ScorecardApril 2013 5% 64% 10% 9% 11% THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 48% 52%96%72% 32% 5% Always Vulnerable 64% Frequently Vulnerable 271-364 days a year 10% Regularly Vulnerable 151-270 days a year 9% Occasionally Vulnerable 31-150 days a year 11% Rarely Vulnerable 30 days or less a year
WEBSITE SECURITY STATISTICS REPORT | MAY 201326 SURVEY
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 27
WEBSITE SECURITY STATISTICS REPORT | MAY 201328 (Figure 7) (Figure 8)
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 29 (Figure 9)
WEBSITE SECURITY STATISTICS REPORT | MAY 201330 (Figure 11).(Figure 10)
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 31
WEBSITE SECURITY STATISTICS REPORT | MAY 201332 (Figure 14) (Figure 15)
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 33 (Figure 16) (Figure 17) (Figure 18)
WEBSITE SECURITY STATISTICS REPORT | MAY 201334 (Figure 20)
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 35 (Figure 24) (Figure 21) (Figure 22) (Figure 23)
WEBSITE SECURITY STATISTICS REPORT | MAY 201336 Figure 25).
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 37
WEBSITE SECURITY STATISTICS REPORT | MAY 201338
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 39 Answer: SOFTWARE DEVELOPMENT Answer: SECURITY DEPARTMENT Answer: BOARD OF DIRECTORS Answer: EXECUTIVE MANAGEMENT Question:If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and and what is its performance? 3rd 1St 2nd 4th 4th 3rd 3rd 1st 3rd 2nd 1st 2nd Average Vulnerabilities per Site Ranking Average Time to Fix a Vulnerability Ranking Average Number of Vulnerabilities Fixed Ranking
WEBSITE SECURITY STATISTICS REPORT | MAY 201340
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 41
WEBSITE SECURITY STATISTICS REPORT | MAY 201342
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 43
WEBSITE SECURITY STATISTICS REPORT | MAY 201344
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 45
WEBSITE SECURITY STATISTICS REPORT | MAY 201346 (Figure 37). (Figure 38). (Figure 39). (Figure 40).
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 47 RECOMMENDATIONS
WEBSITE SECURITY STATISTICS REPORT | MAY 201348
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 49
WEBSITE SECURITY STATISTICS REPORT | MAY 201350
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 51 • • • • •
WEBSITE SECURITY STATISTICS REPORT | MAY 201352
WEBSITE SECURITY STATISTICS REPORT | MAY 2013 53 Top 10 Vulnerability Classes (2011) (Sorted by vulnerability class) Overall Vulnerability Population (2011) Percentage breakdown of all the serious* vulnerabilities discovered (Sorted by vulnerability class)

Recomendados

WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
WhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportWhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013Bee_Ware
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment Victor Oluwajuwon Badejo
 

Recomendados

WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
WhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportWhiteHat Security 8th Website Security Statistics Report
WhiteHat Security 8th Website Security Statistics ReportJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013Bee_Ware
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment A Case study scenario on collaborative Portal Risk Assessment
A Case study scenario on collaborative Portal Risk Assessment Victor Oluwajuwon Badejo
 
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksEnterprise Management Associates
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoVictor Oluwajuwon Badejo
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationNexon Asia Pacific
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4Meg Weber
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
A CISO's Guide to Cyber Liability Insurance
A CISO's Guide to Cyber Liability InsuranceA CISO's Guide to Cyber Liability Insurance
A CISO's Guide to Cyber Liability InsuranceSecureAuth
 
Cyber security investments 2021
Cyber security investments 2021Cyber security investments 2021
Cyber security investments 2021Management Events
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughSecureAuth
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Proofpoint
 
3rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 20183rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 2018NormShield
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureDave James
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsKim Jensen
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreVeracode
 
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ... 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...Proofpoint
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security indexsukiennong.vn
 
Selling Your Organization on Application Security
Selling Your Organization on Application SecuritySelling Your Organization on Application Security
Selling Your Organization on Application SecurityVeracode
 
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)Jeremiah Grossman
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekkoDMI
 

Mais conteúdo relacionado

Mais procurados

The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksEnterprise Management Associates
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationNexon Asia Pacific
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityRahul Tyagi
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Kim Jensen
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4Meg Weber
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframePrecisely
 
A CISO's Guide to Cyber Liability Insurance
A CISO's Guide to Cyber Liability InsuranceA CISO's Guide to Cyber Liability Insurance
A CISO's Guide to Cyber Liability InsuranceSecureAuth
 
Cyber security investments 2021
Cyber security investments 2021Cyber security investments 2021
Cyber security investments 2021Management Events
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughSecureAuth
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Proofpoint
 
3rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 20183rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 2018NormShield
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response SurveyFireEye, Inc.
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureDave James
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsKim Jensen
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreVeracode
 
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ... 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...Proofpoint
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security indexsukiennong.vn
 
Selling Your Organization on Application Security
Selling Your Organization on Application SecuritySelling Your Organization on Application Security
Selling Your Organization on Application SecurityVeracode
 

Mais procurados (20)

The Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot AttacksThe Imitation Game: Detecting and Thwarting Automated Bot Attacks
The Imitation Game: Detecting and Thwarting Automated Bot Attacks
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
Whitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformationWhitepaper | Cyber resilience in the age of digital transformation
Whitepaper | Cyber resilience in the age of digital transformation
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Cyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe SecurityCyber Risk Quantification | Safe Security
Cyber Risk Quantification | Safe Security
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
 
2014 ota databreachguide4
2014 ota databreachguide42014 ota databreachguide4
2014 ota databreachguide4
 
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the MainframeBig Iron to Big Data Analytics for Security, Compliance, and the Mainframe
Big Iron to Big Data Analytics for Security, Compliance, and the Mainframe
 
A CISO's Guide to Cyber Liability Insurance
A CISO's Guide to Cyber Liability InsuranceA CISO's Guide to Cyber Liability Insurance
A CISO's Guide to Cyber Liability Insurance
 
Cyber security investments 2021
Cyber security investments 2021Cyber security investments 2021
Cyber security investments 2021
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't Enough
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
 
3rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 20183rd Part Cyber Risk Report - 2018
3rd Part Cyber Risk Report - 2018
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
 
Convince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cureConvince your board - cyber attack prevention is better than cure
Convince your board - cyber attack prevention is better than cure
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 
The Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t IgnoreThe Four(ish) Appsec Metrics You Can’t Ignore
The Four(ish) Appsec Metrics You Can’t Ignore
 
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ... 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
 
Cyber Security index
Cyber Security indexCyber Security index
Cyber Security index
 
Selling Your Organization on Application Security
Selling Your Organization on Application SecuritySelling Your Organization on Application Security
Selling Your Organization on Application Security
 

Semelhante a WhiteHat Security Website Statistics [Full Report] (2013)

WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)Jeremiah Grossman
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekkoDMI
 
Complicate, detect, respond: stopping cyber attacks with identity analytics
Complicate, detect, respond: stopping cyber attacks with identity analyticsComplicate, detect, respond: stopping cyber attacks with identity analytics
Complicate, detect, respond: stopping cyber attacks with identity analyticsCA Technologies
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber securityWGroup
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
2010 Sc World Congress Nyc
2010 Sc World Congress Nyc2010 Sc World Congress Nyc
2010 Sc World Congress NycBob Maley
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a ProductVMware Tanzu
 
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdfFour Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdfEnterprise Insider
 
BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023CBIZ, Inc.
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15James Fisher
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfSolviosTechnology
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfgokuforhelp
 
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdfStrengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdfEnterprise Insider
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
2 factor authentication beyond password : enforce advanced security with au...
2 factor authentication beyond password : enforce advanced security with au...2 factor authentication beyond password : enforce advanced security with au...
2 factor authentication beyond password : enforce advanced security with au...NetwayClub
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 

Semelhante a WhiteHat Security Website Statistics [Full Report] (2013) (20)

WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
WhiteHat Security "Website Security Statistics Report" FULL (Q1'09)
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
 
Complicate, detect, respond: stopping cyber attacks with identity analytics
Complicate, detect, respond: stopping cyber attacks with identity analyticsComplicate, detect, respond: stopping cyber attacks with identity analytics
Complicate, detect, respond: stopping cyber attacks with identity analytics
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
2010 Sc World Congress Nyc
2010 Sc World Congress Nyc2010 Sc World Congress Nyc
2010 Sc World Congress Nyc
 
Simple Safe Steps to Cyber Security
Simple Safe Steps to Cyber SecuritySimple Safe Steps to Cyber Security
Simple Safe Steps to Cyber Security
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a Product
 
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdfFour Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
Four Ways Businesses Can Secure Themselves from Digital Supply Chain Attacks.pdf
 
BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdf
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdf
 
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdfStrengthening Supply Chain Security Against Cyber-Attacks.pdf
Strengthening Supply Chain Security Against Cyber-Attacks.pdf
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
2 factor authentication beyond password : enforce advanced security with au...
2 factor authentication beyond password : enforce advanced security with au...2 factor authentication beyond password : enforce advanced security with au...
2 factor authentication beyond password : enforce advanced security with au...
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 

Mais de Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Jeremiah Grossman
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)Jeremiah Grossman
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 

Mais de Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
Web Breaches in 2011-“This is Becoming Hourly News and Totally Ridiculous"
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)11th Website Security Statistics -- Presentation Slides (Q1 2011)
11th Website Security Statistics -- Presentation Slides (Q1 2011)
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 

Último

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Último (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

WhiteHat Security Website Statistics [Full Report] (2013)

  • 1. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 1 WEBSITE SECURITY STATISTICS REPORT MAY 2013
  • 2. WEBSITE SECURITY STATISTICS REPORT | MAY 20132 INTRODUCTION WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely. Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security. To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations. Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches. ABOUT WHITEHAT SECURITY Founded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, currently manages more than 15,000 websites – including sites in the most regulated industries, such as top e-commerce, financial services and healthcare companies.
  • 3. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 3 N EXECUTIVE SUMMARY
  • 4. WEBSITE SECURITY STATISTICS REPORT | MAY 20134
  • 5. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 5
  • 6. WEBSITE SECURITY STATISTICS REPORT | MAY 20136
  • 7. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 7 KEY FINDINGS
  • 8. WEBSITE SECURITY STATISTICS REPORT | MAY 20138
  • 9. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 9 2007 1000 800 400 600 200 2008 2009 2009 2010 2011 AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY
  • 10. WEBSITE SECURITY STATISTICS REPORT | MAY 201310
  • 11. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 11
  • 12. WEBSITE SECURITY STATISTICS REPORT | MAY 201312
  • 13. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 13
  • 14. WEBSITE SECURITY STATISTICS REPORT | MAY 201314
  • 15. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 15 MOST COMMON VULNERABILITIES
  • 16. WEBSITE SECURITY STATISTICS REPORT | MAY 201316
  • 17. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 17
  • 18. WEBSITE SECURITY STATISTICS REPORT | MAY 201318
  • 19. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 19 Cross-Site Scripting Information Leakage Content Spoofing Cross-Site Request Forgery Brute Force Insufficient Transport Layer Protection Insufficient Authorization SQL Other 43% 11% 7% 12% 13% injection
  • 20. WEBSITE SECURITY STATISTICS REPORT | MAY 201320 C-level executives, managers, and software developers often ask their security teams, “How are we doing? Are we safe, are we secure?” The real thing they may be asking for is a sense of how the organization’s current security posture compares to their peers or competitors. They want to know if the organization is leading, falling way behind, or is somewhere in between with respect to their security posture. The answers to that question are extremely helpful for progress tracking and goal setting. What many do not first consider is that some organizations (or particular websites) are ‘targets of opportunity,’ while others are ‘targets of choice.’ Targets of opportunity are breached when their security posture is weaker than the average organization (in their industry) – and they get unlucky in the total pool of potential victims. Targets of choice possess some type of unique and valuable information, or perhaps a reputation or brand that is particularly attractive to a motivated attacker. The attackers know precisely whom – or what – they want to penetrate. Here’s the thing: since ‘100% security’ is an unrealistic goal – mostly because it is flatly impossible, and the attempt is prohibitively expensive and for many completely unnecessary – it is imperative for every organization to determine if they most likely represent a target of opportunity or choice. In doing so an organization may establish and measure against a “secure enough” bar. If an organization is a target of opportunity, a goal of being just above average with respect to website security among peers is reasonable. The bad guy will generally prefer to attack weaker, and therefore easier to breach, targets. On the other hand, if an organization is a target of choice, that organization must elevate its website security posture to a point where an attacker’s efforts are detectable, preventable, and in case of a compromise, survivable. This is due to the fact that an adversary will spend whatever time is necessary looking for gaps in the defenses to exploit. Whether an organization is a target of choice or a target of opportunity, the following Industry Scorecards have been prepared to help organizations to visualize how its security posture compares to its peers (provided they know their own internal metrics, of course). INDUSTRY SCORECARDS
  • 21. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 21 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 81% 54% 107 DAYS 11 Cross-Site Scripting* Information Leakage* Content Spoofing* Cross-Site Request Forgery* Brute Force* Fingerprinting* Insufficient Authorization* 30% 20% 10% 26% 21% 9% 9% 8% 8% 5% Banking Industry ScorecardApril 2013 24% 33% 9% 11% 24% THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 57% 29%57%29% 71% 24% Always Vulnerable 33% Frequently Vulnerable 271-364 days a year 9% Regularly Vulnerable 151-270 days a year 11% Occasionally Vulnerable 31-150 days a year Rarely Vulnerable 30 days or less a year
  • 22. WEBSITE SECURITY STATISTICS REPORT | MAY 201322 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 81% 67% 226 DAYS 50 Cross-Site Scripting* Information Leakage* Content Spoofing* SQL injection*Cross-Site request Forgery* Brute Force* Directory Indexing* 30% 20% 10% 31% 25% 12% 9% 8% 7% 7% Financial Services Industry Scorecard THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 64% 70%50%50% 40% 28% Always Vulnerable 38% Frequently Vulnerable 271-364 days a year 10% Regularly Vulnerable 151-270 days a year 10% Occasionally Vulnerable 31-150 days a year 23% Rarely Vulnerable 30 days or less a year 28% 28% 10% 10% 23%
  • 23. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 23 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 90% 53% 276 DAYS 22 Cross Site Scripting* Information Leakage* Content Spoofing* Brute Force*Insufficent Transport Layer Protection* Cross Site Request Forgery* Session Fixation* 30% 20% 10% 40% 29% 22% 13% 12% 10% 9% Healthcare Industry ScorecardApril 2013 THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 67% 67%83%50% 34% 48% Always Vulnerable 22% Frequently Vulnerable 271-364 days a year 12% Regularly Vulnerable 151-270 days a year 7% Occasionally Vulnerable 31-150 days a year 10% Rarely Vulnerable 30 days or less a year 49% 22% 12% 7% 10%
  • 24. WEBSITE SECURITY STATISTICS REPORT | MAY 201324 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 91 % 54% 224 DAYS 106 Cross Site Scripting* Information Leakage* Content Spoofing* Brute Force* SQL Injection*Cross Site Request Forgery* Directory Indexing* 30% 20% 10% 31% 25% 12% 9% 8% 7% 7% Retail Industry ScorecardApril 2013 THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 73% 60%90%70% 70% 54% Always Vulnerable 21% Frequently Vulnerable 271-364 days a year 6% Regularly Vulnerable 151-270 days a year 5% Occasionally Vulnerable 31-150 days a year 13% Rarely Vulnerable 30 days or less a year 54% 21% 6% 5% 13%
  • 25. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 25 MOST COMMON VULNERABILITIES AT A GLANCE EXPOSURE AND CURRENT DEFENSE PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED AVERAGE TIME TO FIX PERCENT OF ANALYZED SITES WITH A SERIOUS* VULNERABILITY AVERAGE NUMBER OF SERIOUS* VULNERABILITIES PER SITE PER YEAR 85% 61 % 71 DAYS 18 Cross-Site Scripting* Information Leakage* Content Spoofing* Cross-Site Request Forgery* Brute Force*Fingerprinting* URL Redirector Abuse* 30% 20% 10% 41% 35% 19% 18% 14% 12% 12% Technology Industry ScorecardApril 2013 5% 64% 10% 9% 11% THE CURRENT STATE OF WEBSITE SECURITY TOP SEVEN VULNERABILITY CLASSES CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLS USED BY ORGANIZATIONS *The percent of sites that had at least one example of... *Serious vulnerabilities are defined as those in which an attacker could take control over all, or a part, of a website, compromise user accounts, access sensitive data or violate compliance requirements. DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES Programmers receive instructor led or computer-based software security training Applications contain a library or framework that centralizes and enforces security controls Perform Static Code Analysis on their website(s) underlying applications Web Application Firewall Deployed Transactional / Anti-Fraud Monitoring System Deployed 80% 100% 60% 40% 20% 48% 52%96%72% 32% 5% Always Vulnerable 64% Frequently Vulnerable 271-364 days a year 10% Regularly Vulnerable 151-270 days a year 9% Occasionally Vulnerable 31-150 days a year 11% Rarely Vulnerable 30 days or less a year
  • 26. WEBSITE SECURITY STATISTICS REPORT | MAY 201326 SURVEY
  • 27. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 27
  • 28. WEBSITE SECURITY STATISTICS REPORT | MAY 201328 (Figure 7) (Figure 8)
  • 29. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 29 (Figure 9)
  • 30. WEBSITE SECURITY STATISTICS REPORT | MAY 201330 (Figure 11).(Figure 10)
  • 31. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 31
  • 32. WEBSITE SECURITY STATISTICS REPORT | MAY 201332 (Figure 14) (Figure 15)
  • 33. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 33 (Figure 16) (Figure 17) (Figure 18)
  • 34. WEBSITE SECURITY STATISTICS REPORT | MAY 201334 (Figure 20)
  • 35. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 35 (Figure 24) (Figure 21) (Figure 22) (Figure 23)
  • 36. WEBSITE SECURITY STATISTICS REPORT | MAY 201336 Figure 25).
  • 37. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 37
  • 38. WEBSITE SECURITY STATISTICS REPORT | MAY 201338
  • 39. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 39 Answer: SOFTWARE DEVELOPMENT Answer: SECURITY DEPARTMENT Answer: BOARD OF DIRECTORS Answer: EXECUTIVE MANAGEMENT Question:If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and and what is its performance? 3rd 1St 2nd 4th 4th 3rd 3rd 1st 3rd 2nd 1st 2nd Average Vulnerabilities per Site Ranking Average Time to Fix a Vulnerability Ranking Average Number of Vulnerabilities Fixed Ranking
  • 40. WEBSITE SECURITY STATISTICS REPORT | MAY 201340
  • 41. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 41
  • 42. WEBSITE SECURITY STATISTICS REPORT | MAY 201342
  • 43. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 43
  • 44. WEBSITE SECURITY STATISTICS REPORT | MAY 201344
  • 45. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 45
  • 46. WEBSITE SECURITY STATISTICS REPORT | MAY 201346 (Figure 37). (Figure 38). (Figure 39). (Figure 40).
  • 47. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 47 RECOMMENDATIONS
  • 48. WEBSITE SECURITY STATISTICS REPORT | MAY 201348
  • 49. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 49
  • 50. WEBSITE SECURITY STATISTICS REPORT | MAY 201350
  • 51. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 51 • • • • •
  • 52. WEBSITE SECURITY STATISTICS REPORT | MAY 201352
  • 53. WEBSITE SECURITY STATISTICS REPORT | MAY 2013 53 Top 10 Vulnerability Classes (2011) (Sorted by vulnerability class) Overall Vulnerability Population (2011) Percentage breakdown of all the serious* vulnerabilities discovered (Sorted by vulnerability class)