website security statistics report · 2 website security statistics report | may 2013 introduction...

WEBSITE SECURITY STATISTICS REPORT | MAY 2013 1

WEBSITE SECURITYSTATISTICS REPORT

MAY 2013

WEBSITE SECURITY STATISTICS REPORT | MAY 20132

INTRODUCTIONWhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.

Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.

To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.

Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.

ABOUT WHITEHAT SECURITYFounded in 2001 and headquartered in Santa Clara, California, WhiteHat Security provides end-to-end solutions for Web security. The company’s cloud website vulnerability management platform and leading security engineers turn verified security intelligence into actionable insights for customers. Through a combination of core products and strategic partnerships, WhiteHat Security provides complete Web security at a scale and accuracy unmatched in the industry. WhiteHat Sentinel, the company’s flagship product line, currently manages more than 15,000 websites – including sites in the most regulated industries, such as top e-commerce, financial services and healthcare companies.


INTRODUCTIONEXECUTIVE SUMMARY

Whether you read the Verizon Data Breach Incidents Report, the Trustwave Global Security Report, the Symantec Internet Security Threat Report, or essentially all other reports throughout the industry, the story is the same -- websites and web applications are one of, if not the leading target of cyber-attack. This has been the case for years. Website breaches lead directly [V�ÄUHUJPHS�MYH\K��PKLU[P[`�[OLM[��YLN\SH[VY`�ÄULZ��IYHUK�KHTHNL��SH^Z\P[Z��KV^U[PTL��THS^HYL�propagation, and loss of customers. Given modern society’s ever-increasing reliance on the web, the impact of a breach and the associated costs are going up, and fast. While an organization may ultimately survive a cyber-crime incident, the business disruption is often severe. It is far preferable to do something now to avert and minimize harm before disaster strikes.

(KKPUN�TVYL�¸YVI\Z[¹�ÄYL^HSSZ�[V�[OL�UL[^VYR�VY�HSSVJH[PUN�TVYL�I\KNL[�[V�HU[P�]PY\Z�ZVM[^HYL�is not the answer. These controls provide nearly zero protection against today’s web-based attacks. So while protecting the network and the host layers is still important, forward-thinking professionals are now seeing the bigger picture of computer security for what it really is: a software security problem.

What’s needed is more secure software, NOT more security software.

Understanding this subtle distinction is key. Organizations must demand that software be designed in a way that makes it resilient against attack and does not require additional security products to protect it. The question that organizations should be asking themselves is: how do we integrate security throughout the software development life-cycle (SDLC)? How do we procure this type of software?

As simple as these questions sound, the answers have proven elusive. Most responses by the so-called experts are based purely on personal anecdote and devoid of any statistically compelling evidence, such as the data presented in this report. Many of these experts will cite various “best-practices,” such as software security training for developers, security testing during QA, static code analysis, centralized controls, Web Application Firewalls, penetration-testing, and more; however, the term “best-practices” implies the activity is valuable in every organization at all times. The reality, though, is that just because a certain practice works well for one organization does not mean it will work at another. Unfortunately, this hasn’t prevented many from IVPZ[LYV\ZS`�HUK�JHYLSLZZS`�HK]VJH[PUN�H�SP[HU`�VM�ILZ[�WYHJ[PJLZ�^P[O�SP[[SL�YLNHYK�MVY�[Y\L�LMÄJHJ`�and important operational considerations.

The net result: websites no less hackable today than they were yesterday.

Organizations need to better understand how various parts of the SDLC affect the introduction of vulnerabilities, which leave the door open to breaches. For example, we would like to


say, “organizations that provide software security training for their developers experience 25% fewer serious vulnerabilities annually than those who do not.” Or, “organizations that perform application security testing prior to each major production release not only have fewer ]\SULYHIPSP[PLZ�`LHY�V]LY�`LHY��I\[�L_OPIP[�H��MHZ[LY�[PTL�[V�Ä_�¹�>L�JHUUV[�THRL�Z\JO�statement today because the supporting data does not exist -- at least, not yet. If we had these insights, supported by empirical evidence, it would be nothing less than a game changer.

;V�TV]L�PU�[OPZ�KPYLJ[PVU�^L�HZRLK�>OP[L/H[�:LJ\YP[`�J\Z[VTLYZ�[V�HZZPZ[�\Z�I`�HUZ^LYPUN�YV\NOS`�H�KVaLU�]LY`�ZWLJPÄJ�Z\Y]L`�X\LZ[PVUZ�HIV\[�[OLPY�:+3*�HUK�HWWSPJH[PVU�ZLJ\YP[`�program. Questions such as: how often do you perform security tests on your code during QA? >OH[�PZ�`V\Y�[`WPJHS�YH[L�VM�WYVK\J[PVU�JVKL�JOHUNL&�+V�`V\�WLYMVYT�Z[H[PJ�JVKL�HUHS`ZPZ&�/H]L�`V\�KLWSV`LK�H�>LI�(WWSPJH[PVU�-PYL^HSS&�>OV�PU�`V\Y�VYNHUPaH[PVU�PZ�HJJV\U[HISL�PU�[OL�L]LU[�VM�H�IYLHJO&�>L�L]LU�HZRLK!�OHZ�`V\Y�^LIZP[L�ILLU�IYLHJOLK&�

>L�YLJLP]LK�YLZWVUZLZ�[V�[OPZ�Z\Y]L`�MYVT��VYNHUPaH[PVUZ��HUK�[OLU�JVYYLSH[LK�[OVZL�YLZWVUZLZ�^P[O�>OP[L/H[�:LU[PULS�^LIZP[L�]\SULYHIPSP[`�KH[H��;OL�YLZ\S[Z�^LYL�IV[O�Z[\UUPUN�HUK�KLLWS`�OLHK�ZJYH[JOPUN��;OL�JVUULJ[PVUZ�MYVT�]HYPV\Z�ZVM[^HYL�ZLJ\YP[`�JVU[YVSZ�HUK�:+3*�ILOH]PVYZ�[V�vulnerability outcomes and breaches is far more complicated than we ever imagined.

��VM�HSS�^LIZP[LZ�[LZ[LK�I`�>OP[L/H[�:LU[PULS�OHK�H[�SLHZ[�VUL�ZLYPV\Z��]\SULYHIPSP[ �̀�HUK�TVZ[�VM�[OL�[PTL�MHY�TVYL�[OHU�VUL��[V�IL�WYLJPZL��

��6U�H]LYHNL��VM�[OLZL�]\SULYHIPSP[PLZ�^LYL�YLZVS]LK��I\[�KVPUN�ZV�YLX\PYLK�HU�H]LYHNL�VM�� KH`Z�MYVT�ÄYZ[�J\Z[VTLY�UV[PÄJH[PVU�

��:LYPV\Z�]\SULYHIPSP[PLZ�HYL�KLÄULK�HZ�[OVZL�PU�^OPJO�HU�H[[HJRLY�JV\SK�[HRL�JVU[YVS�V]LY�HSS��VY�ZVTL�WHY[��VM�[OL�^LIZP[L��JVTWYVTPZL�\ZLY�HJJV\U[Z�VU�[OL�Z`Z[LT��HJJLZZ�ZLUZP[P]L�KH[H��]PVSH[L�JVTWSPHUJL�YLX\PYLTLU[Z��HUK�WVZZPIS`�THRL�OLHKSPUL�UL^Z��0U�ZOVY[��ZLYPV\Z�]\SULYHIPSP[PLZ�HYL�[OVZL�[OH[�ZOV\SK�YLHSS`�IL�Ä_LK��

(Z�OHZ�ILLU�[OL�JHZL�ZPUJL�V\Y�ÄYZ[�YLWVY[�PU��[OL�[^V�TVZ[�WYL]HSLU[�]\SULYHIPSP[`�JSHZZLZ�YLTHPU�0UMVYTH[PVU�3LHRHNL�HUK�*YVZZ�:P[L�:JYPW[PUN��PKLU[PÄLK�PU��HUK��VM�^LIZP[LZ�YLZWLJ[P]LS �̀�:83�0UQLJ[PVU�JVU[PU\LK�P[Z�KV^U^HYK�ZSPKL�MYVT��PU��[V��VM�^LIZP[LZ�PU��UV�SVUNLY�THRPUN�[OL�;VW��>OPSL�[OLYL�PZ�T\JO�^VYR�SLM[�[V�IL�KVUL��PU�THU`�respects overall website security continues to show steady signs of improvement despite the stream of news headlines.


Next, this report will detail various software security controls (or “best-practices”) our customers said were in place, and will directly correlate those responses with WhiteHat Sentinel vulnerability data:

• 57% of organizations said they provide some amount of instructor-led or computer-based software security training for their programmers. These organizations experienced 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.

• 53% of organizations said their software projects contain an application library or framework that centralizes and enforces security controls. These organizations experienced 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.

• 39% of organizations said they perform some amount of Static Code Analysis on their website(s) underlying applications. These organizations experienced 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.

• 55% of organizations said they have a Web Application Firewall (WAF) in some state of deployment. These organizations experienced 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.

•23% of organizations website(s) said they experienced a data or system breach as a result of an application layer vulnerability. These organizations experienced 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.

Much of the data above seems reasonable, even logical, while other bits seem completely counterintuitive. For instance, organizations that do perform Static Code Analysis or have a Web Application Firewall appear to have notably worse performance metrics than those who did neither.

One explanation may be that these metrics are precisely WHY these organizations [recently] HJX\PYLK�[OL�[LJOUVSVNPLZ�HUK�[OL`�^PSS�L]LU[\HSS`�YLHW�[OL�ILULÄ[Z�KVÛ�[OL�YVHK��L�N��have fewer vulnerabilities). This remains to be seen. It could also be that they are misusing or V]LYJVUÄKLU[�PU�H�WHY[PJ\SHY�ZVS\[PVU��ÔPJO�VUS`�JVTLZ�[V�SPNO[�ÔLU�>OP[L/H[�:LU[PULS�PZ�engaged. What we know for sure is there are customers for whom these solutions absolutely make a measurable positive impact -- we see it in the data -- while others receive no discernible ILULÄ[��;OL�H]LYHNL�PZ�ZVTLÔLYL�PU�[OL�TPKKSL��>L�ILSPL]L�[OH[�[OL�YLHZVU�MVY�[OPZ�KPMMLYLUJL�PZ�that there are in fact few, if any, truly universal application best-practices.

-VY�L_HTWSL��PM�KL]LSVWLYZ�HYL�UV[�Ä_PUN�YLWVY[LK�]\SULYHIPSP[PLZ��VY�PM�[OL`�HYL�[HRPUN�H�SVUN�[PTL�to do so, it could be because they don’t understand the issues well enough. If this is the case, this is a good indication that providing training is a good idea. It could also easily be that a long [PTL�[V�Ä_�VY�H�SHNNPUN�YLTLKPH[PVU�YH[L�PZ�[OL�YLZ\S[�VM�THUHNLTLU[�VW[PUN�[V�[HZR�KL]LSVWLYZ�[V^HYKZ�MLH[\YL�JYLH[PVU�YH[OLY�[OHU�]\SULYHIPSP[`�Ä_PUN��0M�ZV��HKKP[PVUHS�^VYR�PU�I\ZPULZZ�


prioritization and risk management is recommended, as is considering a Web Application Firewall with virtual patching capabilities. Either way this is why it is important for organizations to know their metrics and know what application security problems they really have. The alternative is blind adoption of “best-practices” that may only serve to disrupt the software development process for no tangible gain. Too often this is exactly what happens.

We were also curious about business drivers and the impact of compliance on website security. By a slim margin, organizations said their #1 driver for resolving vulnerabilities was compliance, narrowly ahead of risk reduction. At the same time, when we asked the same organizations to rank the reasons why their vulnerabilities go unresolved, compliance was cited as the #1 reason.

Proponents of compliance often suggest that mandatory regulatory controls be treated as a ¸ZLJ\YP[`�IHZLSPUL�¹�H�WSH[MVYT�[V�YHPZL�[OL�ÅVVY��HUK�UV[�YLWYLZLU[�[OL�JLPSPUN��>OPSL�[OPZ�PZ�H�nice concept in casual conversation, this is not the enterprise reality we see. Keep in mind that WhiteHat Sentinel reports are often used to satisfy a plethora of auditors, but WhiteHat Security is not a PCI-DSS ASV nor a QSA vendor. When organizations are required to allocate funds toward compliance, which may or may not enhance security, there are often no resources left or tolerance by the business to do anything more effective.

Finally, we also wanted to know what part(s) of the organization are held accountable in the event of a website(s) data or system breach: we found that 79% said the Security Department would be accountable. Additionally, 74% said Executive Management, 66% Software Development, and 22% Board of Directors. By analyzing the data in this report, we see evidence of a direct correlation between increased accountability and decreased breaches, and VM�[OL�LMÄJHJ`�VM�¸ILZ[�WYHJ[PJLZ¹�HUK�ZLJ\YP[`�JVU[YVSZ��

For example, if developers are required by compliance to attend security training, they’ll view it as a checkbox activity and not internalize much of anything they’ve learned in training. However, if the organization places accountability on developers should a breach occur, all of a sudden training effectiveness increases, because now there is an obvious incentive to learn. When you empower those who are also accountable, whatever best-practices are then put into place have a higher likelihood of being effective. For security to really improve, some part of the organization must be held accountable. This is our working theory, the underlying narrative of our report.

Here is the biggest lesson and the common theme we’re seeing: software security has not yet percolated into the collective consciousness as something organizations actually need to do something about proactively. While much lip service may be paid, we must address the issue that application security professionals are essentially selling preventative medicine, while much of the buying population still behaves with a wait-for-a-visit-to-the-emergency-room attitude before kicking into gear. This is a dangerous policy and in stark contrast to their pious rhetoric, which attempts to obfuscate that reality.


KEY FINDINGS

-YVT�H�JHYLLY�WLYZWLJ[P]L�I\`PUN�HUV[OLY�ÄYL^HSS�VY�(=�WYVK\J[�PZ�ZHML��ÔPSL�PU]LZ[PUN�PU�HWWSPJH[PVU�ZLJ\YP[`�PZ�UV[�¶�\USLZZ��VM�JV\YZL��[OL�I\`LY�PZ�[OL�WLYZVU�ÔV�^PSS�IL�HJJV\U[HISL�MVY�H�IYLHJO��6U�[OL�IYPNO[�ZPKL�[OLYL�PZ�H�\UPX\L�VWWVY[\UP[`�MVY�H�UL^�NLULYH[PVU�VM�JVYWVYH[L�SLHKLYZ�[V�LTLYNL��ZLJ\YP[`�L_LJ\[P]LZ�ÔV�HYL�WYVÄJPLU[�PU�ZVM[^HYL�ZLJ\YP[`�HUK�ÔV�HZWPYL�[V�KPZ[PUN\PZO�[OLTZLS]LZ��;OL`�ZLLR�[V�HKKYLZZ�[OL�YLHS�I\ZPULZZ�JOHSSLUNLZ�HUK�IHZL�[OLPY�KLJPZPVUZ�VU�KH[H��;OL�>LI�ZLJ\YP[`�^VYSK�PZ�TV]PUN�PU�[OPZ�KPYLJ[PVU�

High-Level��VM�HSS�^LIZP[LZ�OHK�H[�SLHZ[�VUL�ZLYPV\Z��]\SULYHIPSP[ �̀

��;OL�H]LYHNL�U\TILY�VM�ZLYPV\Z��]\SULYHIPSP[PLZ�PKLU[PÄLK�WLY�^LIZP[L�^HZ��JVU[PU\PUN�[OL�KVÛ^HYK�[YLUK�MYVT�� PU��HUK��PU��

��:LYPV\Z��]\SULYHIPSP[PLZ�^LYL�YLZVS]LK�PU�HU�H]LYHNL�VM�� KH`Z�MYVT�ÄYZ[�UV[PÄJH[PVU�

��VM�HSS�ZLYPV\Z��]\SULYHIPSP[PLZ�^LYL�YLZVS]LK��ZSPNO[S`�SLZZ�[OHU�[OL��K\YPUN�MYVT��I\[�Z[PSS�\W�MYVT��PU��HUK�MHY�IL[[LY�[OHU��ÔLU�P[�^HZ�Q\Z[��

Vulnerability Classes��(M[LY�YLJSHPTPUN�[OL�[VW�ZWV[�PU��*YVZZ�:P[L�:JYPW[PUN�SVZ[�P[Z�[P[SL�HZ�[OL�TVZ[�WYL]HSLU[�]\SULYHIPSP[`�[V�*VU[LU[�:WVVÄUN��PKLU[PÄLK�PU��HUK��VM�^LIZP[LZ�YLZWLJ[P]LS �̀

��:83�0UQLJ[PVU�MLSS�V\[�VM�[OL�;VW�;LU�TVZ[�WYL]HSLU[�]\SULYHIPSP[PLZ��J\YYLU[S`�YLZPKPUN�PU��[O�H[��VM�^LIZP[LZ��KVÛ�MYVT��PU��

��6M�[OL�[V[HS�WVW\SH[PVU�VM�]\SULYHIPSP[PLZ�PKLU[PÄLK��*YVZZ�:P[L�:JYPW[PUN��0UMVYTH[PVU�3LHRHNL��HUK�*VU[LU[�:WVVÄUN�[VVR�[OL�[VW�[OYLL�ZWV[Z�H[��HUK��YLZWLJ[P]LS �̀�;OPZ�PZ�H�ULHY�YLWLH[�VM��ÔLYL�[OL�WLYJLU[HNLZ�^LYL��HUK� ��

��VM�:83�0UQLJ[PVU�]\SULYHIPSP[PLZ�PKLU[PÄLK�^LYL�YLZVS]LK��\W�ZSPNO[S`�MYVT��PU��HUK�[V�KV�ZV�YLX\PYLK�HU�H]LYHNL�VM�� KH`Z��

��VM�*YVZZ�:P[L�:JYPW[PUN�]\SULYHIPSP[PLZ�^LYL�YLZVS]LK��\W�MYVT��PU��HUK�[V�KV�ZV�YLX\PYLK�HU�H]LYHNL�VM��KH`Z��

Industry��9L[HPS�^LIZP[LZ�PTWYV]LK�ZSPNO[S �̀�`L[�YLTHPU�[OL�PUK\Z[Y`�WVZZLZZPUN�[OL�ZLJVUK�TVZ[�ZLJ\YP[`�PZZ\LZ�^P[O�HU�H]LYHNL�VM��ZLYPV\Z��]\SULYHIPSP[PLZ�PKLU[PÄLK�WLY�^LIZP[L��ÔPJO�UHYYV^S`�ILH[�0;�H[��


• Every single Manufacturing, Education, Energy, Government, and Food & Beverage website OHK�H[�SLHZ[�VUL�ZLYPV\Z��]\SULYHIPSP[`�PKLU[PÄLK�

��VM�HSS�^LIZP[LZ�OHK�H[�SLHZ[�VUL�ZLYPV\Z��]\SULYHIPSP[`�L_WVZLK�L]LY`�ZPUNSL�KH`�VM��*VU]LYZLS �̀��VM�^LIZP[LZ�^LYL�]\SULYHISL�SLZZ�[OHU��KH`Z�VM�[OL�`LHY�

��;OL�PUK\Z[YPLZ�[OH[�Ä_LK�[OLPY�ZLYPV\Z��]\SULYHIPSP[PLZ�[OL�MHZ[LZ[�VU�H]LYHNL�^LYL�,U[LY[HPUTLU[� �4LKPH��KH`Z��.V]LYUTLU[��KH`Z��HUK�.HTPUN��KH`Z��

��;OL�PUK\Z[YPLZ�[OH[�Ä_LK�[OLPY�ZLYPV\Z��]\SULYHIPSP[PLZ�[OL�ZSV^LZ[�VU�H]LYHNL�^LYL�,K\JH[PVU��KH`Z��/LHS[OJHYL��KH`Z��HUK�0UZ\YHUJL��KH`Z��^LIZP[LZ��

• The industries that remediated the largest percentage of their serious* vulnerabilities on average were Entertainment & Media (81%), Telecommunications (74%), and Energy (71%) ^LIZP[LZ��

• The industries that remediated the fewest percentage of their serious* vulnerabilities on H]LYHNL�^LYL�5VU�7YVÄ[��MVSSV^LK�I`�:VJPHS�5L[^VYRPUN��.HTPUN��HUK�-VVK� �)L]LYHNL��HSS�H[��

Survey: Application Security in the SDLC (Basic)• 57% of organizations said they provide some amount of instructor led or computer-based ZVM[^HYL�ZLJ\YP[`�[YHPUPUN�MVY�[OLPY�WYVNYHTTLYZ�

��VM�VYNHUPaH[PVUZ�ZHPK�[OLPY�ZVM[^HYL�WYVQLJ[Z�JVU[HPU�HU�HWWSPJH[PVU�SPIYHY`�VY�MYHTL^VYR�[OH[�JLU[YHSPaLZ�HUK�LUMVYJLZ�ZLJ\YP[`�JVU[YVSZ�

• 85% of organizations said they perform some amount of application security testing in pre-WYVK\J[PVU�^LIZP[L�LU]PYVUTLU[Z��P�L��Z[HNPUN��8(�VY�V[OLY�WYL�WYVK�Z`Z[LTZ��

�� VM�VYNHUPaH[PVU�ZHPK�[OL`�WLYMVYT�ZVTL�HTV\U[�VM�:[H[PJ�*VKL�(UHS`ZPZ�VU�[OLPY�^LIZP[L�Z��\UKLYS`PUN�HWWSPJH[PVUZ�

��VM�VYNHUPaH[PVUZ�ZHPK�[OL`�OH]L�H�>LI�(WWSPJH[PVU�-PYL^HSS��>(-��PU�ZVTL�Z[H[L�VM�deployment

• Organizations said their #1 driver for resolving vulnerabilities was “Compliance,” narrowly HOLHK�VM�¸9PZR�9LK\J[PVU�¹�>OLU�[OL�ZHTL�VYNHUPaH[PVUZ�^LYL�HZRLK�^O`�]\SULYHIPSP[PLZ�NV�\UYLZVS]LK��¸*VTWSPHUJL¹�^HZ�HSZV�JP[LK�HZ�[OL��YLHZVU�

• In the event an organization experiences a website(s) data or system breach, 79% said the :LJ\YP[`�+LWHY[TLU[�^V\SK�IL�HJJV\U[HISL��(KKP[PVUHSS �̀��ZHPK�,_LJ\[P]L�4HUHNLTLU[��:VM[^HYL�+L]LSVWTLU[��HUK��)VHYK�VM�+PYLJ[VYZ�


2007

1000

800

400

600

200

2008 2009 2009 2010 2011

AT A GLANCE: THE CURRENT STATE OF WEBSITE SECURITY

Survey: Application Security In The SDLC (Sentinel Correlation)

• Organizations that provided instructor led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.

• Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.

• Organizations that performed Static Code Analysis on their website(s) underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.

• Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.

• Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.


Over the last year we saw continued reduction in the average number of serious* vulnerabilities MV\UK�WLY�^LIZP[L�WLY�`LHY!�MYVT��PKLU[PÄLK�PU��[V�� PU��[V��PU��>OPSL�[OPZ�vulnerability reduction trend is welcome news, there are several possible explanations that must IL�[HRLU�PU[V�JVUZPKLYH[PVU��HZ�[OL�¸YLHS¹�U\TILYZ�TH`�UV[�IL�HZ�WYL[[ �̀�;OPZ�PZ�Ô`�^L�HS^H`Z�remind readers that this report illustrates a best-case scenario: websites are, at a minimum, ;/0:�]\SULYHISL��;OL�ZHTL�PZ�[Y\L�MVY�HU`�PUK\Z[Y`�YLWVY[�VM�[OPZ�RPUK��;OH[�ZHPK��[OPZ�YLK\J[PVU�PU�vulnerabilities is likely a combination of several factors:

��+LZWP[L�[OL�JVUZ[HU[�ÅVVK�VM�^LIZP[L�YLSH[LK�IYLHJO�OLHKSPULZ��ÔPJO�^V\SK�SLHK�\Z�[V�believe otherwise, websites generally may in fact be getting more “secure” — that is to say, THYRLKS`�SLZZ�]\SULYHISL��(SS�[OL�TLKPH�JV]LYHNL�YHPZLZ�H^HYLULZZ�HUK�W\[Z�WYLZZ\YL�VU�JVYWVYH[L�L_LJ\[P]LZ�[V�KV�ZVTL[OPUN�HIV\[�[OL�^LI�ZLJ\YP[`�WYVISLT��;OPZ�H^HYLULZZ�SLHKZ�to increased investment, and increased investment eventually leads to vulnerability reduction �WYV]PKLK�[OL�PU]LZ[TLU[�PZ�HWWSPLK�PU�[OL�YPNO[�^H �̀�VM�JV\YZL��

��>OPSL�^L�HYL�Z\YL�H^HYLULZZ�THRLZ�H�WVZP[P]L�PTWHJ[�¶�H[�SLHZ[�^P[OPU�[OL�>OP[L/H[�:LU[PULS�J\Z[VTLY�IHZL�¶�[OLYL�HYL�Z[PSS�THU �̀�THU`�^LIZP[LZ�^P[O�O\UKYLKZ�VM�ZLYPV\Z��]\SULYHIPSP[PLZ��>L�HSZV�RUV^�^LIZP[L�ZLJ\YP[`�PZ�NYLH[S`�PUÅ\LUJLK�I`�JVTWSPHUJL�VISPNH[PVUZ�HUK�J\Z[VTLY�ZLJ\YP[`�YLX\PYLTLU[Z��(Z�^L�MV\UK�PU�[OPZ�KH[H��ÔLU�>OP[L/H[�J\Z[VTLYZ�YLX\PYL�PUKLWLUKLU[�attestation of security readiness before business relationships move forward, things tend to PTWYV]L��>OP[L/H[�:LU[PULS�PZ�H�[Y\Z[LK�]LOPJSL�\ZLK�MVY�[OPZ�^LIZP[L�ZLJ\YP[`�WYVVM�WVPU[�

��(UV[OLY�WVZZPISL�L_WSHUH[PVU�PZ�[OH[�VYNHUPaH[PVUZ�HYL�JOVVZPUN�H�SLZZ�JVTWYLOLUZP]L�MVYT�VM�]\SULYHIPSP[`�HZZLZZTLU[��Z\JO�HZ�>OP[L/H[�:LU[PULS�:[HUKHYK�VY�)HZLSPUL�V]LY�7YLTP\T�,KP[PVU��ÔPJO�PUJS\KLZ�[LZ[PUN�MVY�I\ZPULZZ�SVNPJ�ÅH^Z��:VTL�^LIZP[LZ�VUS`�ULLK�[V�IL�YLZPSPLU[�HNHPUZ[�automated attacks rather than sentient adversaries because of their value to the business and/VY�[OLPY�SL]LS�VM�HWWSPJH[PVU�JVTWSL_P[ �̀�6I]PV\ZS`�ÔLU�^L�SVVR�MVY�ML^LY�]\SULYHIPSP[PLZ��HZ�KLÄULK�I`�[OL�HZZLZZTLU[�TL[OVKVSVN`�PU�[OH[�ZLY]PJL�SPUL��^L�^PSS�ÄUK�ML^LY�]\SULYHIPSP[PLZ��;OPZ�KVLZ�HMMLJ[�V\Y�YLWVY[»Z�Z[H[PZ[PJZ�[V�ZVTL�KLNYLL��WHY[PJ\SHYS`�[OL�]\SULYHIPSP[`�[V[HSZ��

��(UV[OLY�MHJ[VY�[OH[�TH`�IL�JVU[YPI\[PUN�[V�[OL�V]LYHSS�]\SULYHIPSP[`�YLK\J[PVU�PZ�[OH[�V\Y�ZHTWSPUN�VM�^LIZP[LZ��LZWLJPHSS`�LHYS`�VU��^HZ�UV[�YLWYLZLU[H[P]L�VM�[OL�>LI�H[�SHYNL��(Z�VM�(WYPS��5L[JYHM[�ZH`Z�[OLYL�HYL�YV\NOS`�� TPSSPVU�^LIZP[LZ�HUK�[OH[�U\TILY�Å\J[\H[LZ�PU�[OL�TPSSPVUZ�WLY�TVU[O��>OPSL�^L�HYL�HZZLZZPUN�MHY�TVYL�^LIZP[LZ��MHY�TVYL�VM[LU�[OHU�HU`�V[OLY�]LUKVY��P[�PZ�Z[PSS�H�[PU`�MYHJ[PVU�VM�[OL�ÔVSL��0[�JV\SK�HSZV�IL�[OH[�OPZ[VYPJHSS �̀�>OP[L/H[�J\Z[VTLYZ�VUS`�WYV]PKLK�\Z�^P[O�[OLPY�TVZ[�PUZLJ\YL�^LIZP[LZ�ÄYZ[��>OPSL�[OLYL�TH`�IL�ZVTL�truth to this, we have seen reports released by our peers and their numbers are not far off from V\Y�VÛ�

��;OL�TV]L�[V�TVKLYU�KL]LSVWTLU[�MYHTL^VYRZ��Z\JO�HZ�[OL�TPNYH[PVU�MYVT�[OL�SLNHJ`�4PJYVZVM[�(:7�*SHZZPJ�[V��5L[��ÔPJO�WYV]PKLZ�H\[VTH[PJ�ZLJ\YP[`�]HS\L�[V�ZVM[^HYL�KL]LSVWLYZ��5L[��HUK�MYHTL^VYRZ�^P[O�ZPTPSHY�KLZPNUZ��HYL�TVYL�MVYNP]PUN�MVY�KL]LSVWLYZ�I`�THRPUN�P[�LHZPLY�


for them to produce code that’s resilient to issues such as Cross-Site Scripting and SQL Injection without requiring them to know much about the technical details.

While overall vulnerability reduction is no doubt positive, the sheer number of serious* vulnerabilities in the wild is quite stunning. Consider for a moment that there are 1.8 million ^LIZP[LZ�[OH[�OH]L�::3�JLY[PÄJH[LZ��HU�PUKPJH[PVU�[OH[�[OL`�[YHUZHJ[�KH[H�^VY[O`�VM�RLLWPUN�private. At 56 vulnerabilities per website, we can estimate that there are over 100 million serious vulnerabilities undiscovered on the Web.

To put these numbers in context, understanding how we count is essential. If a particular URL has 5 total parameters, 3 of which are vulnerable to SQL Injection, we count that as 3 vulnerabilities – not 5 or 1. Next consider all the discrete Web applications that make up a website’s attack surface, each of which may have several input parameters, and the many ways each parameter may be exploited by dozens of vulnerability classes; then multiply that over a year with constant application code updates. Within that frame of reference, the volume of vulnerabilities may not appear so unreasonable.

Vulnerability counts alone do not provide a clear picture of the current state of website ZLJ\YP[ �̀�-VY�[OPZ��P[�PZ�ULJLZZHY`�[V�JVUZPKLY�[OL�H]LYHNL�U\TILY�VM�KH`Z�P[�[HRLZ�[V�Ä_�H�ZLYPV\Z��vulnerability (Time-to-Fix), the percentage of reported vulnerabilities that are no longer exploitable (Remediation Rate), and the average number of days a website is exposed to at least one serious* vulnerability (Window-of-Exposure). As these metrics are tallied at each VYNHUPaH[PVU��ZWLJPÄJ�VWLYH[PVUHS�HUK�ZVM[^HYL�KL]LSVWTLU[�SPMLJ`JSL�KLÄJPLUJPLZ�JHU�IL�isolated and improved.


Beyond just vulnerability volume, the high percentage of websites being vulnerable to at least VUL�ZLYPV\Z��]\SULYHIPSP[`�K\YPUN��PZ�HSHYTPUN��(SHYTPUN�UV[�VUS`�ILJH\ZL�[OL�ÄN\YLZ�HYL�80% or greater – in some industries even at 100% – but that these numbers have been largely unchanged over the years. This suggests that building web applications is inherently a task that lends itself to vulnerabilities. We are not inclined to simply blame developers – that’s too easy, and unfair – as applications increasingly become more complex and attack surface of applications grows with each newly added feature.

6UJL�^LIZP[L�]\SULYHIPSP[PLZ�HYL�PKLU[PÄLK��]LYPÄLK��HUK�YLWVY[LK�[V�J\Z[VTLYZ�I`�>OP[L/H[�:LU[PULS��H�JLY[HPU�HTV\U[�VM�[PTL�[YHUZWPYLZ�ILMVYL�[OL�PZZ\L�PZ�YLZVS]LK�HUK�JVUÄYTLK�HZ�Z\JO��As no remedy can be instantaneous, it is important to measure the amount of time,required to resolve certain vulnerabilities (Time-to-Fix). Resolution could take the form of a software update, JVUÄN\YH[PVU�JOHUNL��>LI�HWWSPJH[PVU�ÄYL^HSS�Y\SL��L[J��6WLU�]\SULYHIPSP[PLZ�YLWYLZLU[�H�window of opportunity for malicious hackers to exploit the website.

;OL�HWWYV_PTH[LS`��TVU[OZ�� KH`Z��[V�Ä_�H�ZLYPV\Z��]\SULYHIPSP[`�PZ�UV[�VUS`�\UHJJLW[HISL"�it proves that we are recording and socializing – both upwards and downwards – the wrong metrics to effect change. Fortunately some industries are doing quite well, but overall, a tracked Z[H[PZ[PJ�ÅH[[LUPUN�WVPU[Z�[V�[OL�KPZHWWLHYHUJL�VM�H�JOHUNL�HNLU[��0M�[OL�NVHS�PZ�[V�H[[HPU�HU�HJJLW[HISL�SL]LS�[OLU�ÅH[[LUPUN�TH`�IL�H�WVZP[P]L�ZPNU��(IZLU[�[OL�L]PKLUJL�VM�H�JOHUNL�HNLU[�disappearing, this statistic may require correlation with another data point to be instructive. Perhaps that’s the declining number of serious vulnerabilities.

The most common question we receive regarding the Average Time-to-Fix (Days) and Average Remediation Rate statistics is: why does it take so long for organizations to remediate vulnerabilities they’ve been informed of? To the uninitiated, the choice would seem to be a no- brainer. The fact is, again, these vulnerabilities are not resolved with a simple vendor supplied patch. This is almost always customer code we’re dealing with and, as such, it requires the creation of a custom patch. So while many contributing factors may play into the eventual KLJPZPVU�[V�Ä_�UV^�VY�[V�Ä_�SH[LY��[OL�M\UKHTLU[HS�I\ZPULZZ�JOVPJL�PZ�HSTVZ[�HS^H`Z�[OL�ZHTL!�security is a trade-off.

(Z�L]LY`VUL�PZ�^LSS�H^HYL��ZVM[^HYL�KL]LSVWTLU[�YLZV\YJLZ�HYL�UV[�PUÄUP[L��;OLYLMVYL��H�KL]LSVWTLU[�THUHNLY�MHJLZ�H�JOVPJL!�ZHJYPÄJL�H�YL]LU\L�NLULYH[PUN�MLH[\YL�[OH[��PM�P[�ZOPWZ�SH[L��will for certain cost the organization money? Or resolve a vulnerability that might be exploited and might cost the company money? The challenge is this decision must be made every day with incomplete information. There is no guarantee that any single vulnerability will get exploited today, tomorrow, or ever – and if so, what the costs will be to the organization.

0U�[OPZ�JVU[L_[�P[�ZOV\SK�IL�UV�Z\YWYPZL�[V�HU`VUL�[OH[�VM[LU�MLH[\YLZ�HYL�WYPVYP[PaLK�HOLHK�VM�]\SULYHIPSP[`�Ä_LZ��6M�JV\YZL�[OLYL�HYL�ZL]LYHS�V[OLY�ZJLUHYPVZ�[V�L_WSHPU�^O`�]\SULYHIPSP[PLZ�NV�under resolved:


Factors inhibiting organizations from remediating vulnerabilities:• No one at the organization understands, or is responsible for, maintaining the code.

• No one at the organization knows about, understands, or respects the vulnerability.

��-LH[\YL�LUOHUJLTLU[Z�HYL�WYPVYP[PaLK�HOLHK�VM�ZLJ\YP[`�Ä_LZ��

��3HJR�VM�I\KNL[�[V�Ä_�[OL�PZZ\LZ��

• Affected code is owned by an unresponsive third-party vendor.

��>LIZP[L�^PSS�IL�KLJVTTPZZPVULK�VY�YLWSHJLK�¸ZVVU�¹�;V�UV[L��^L�OH]L�L_WLYPLUJLK�deprecated websites under the Sentinel Service still in active use for over two years.

��9PZR�VM�L_WSVP[H[PVU�PZ�HJJLW[LK��

��:VS\[PVU�JVUÅPJ[Z�^P[O�I\ZPULZZ�\ZL�JHZL��

�*VTWSPHUJL�KVLZ�UV[�YLX\PYL�Ä_PUN�[OL�PZZ\L��

Later in the “Survey: Application Security In The SDLC” section of this report, we asked customers to rank the prevalence of these issue. The results were highly illuminating.

This is a good opportunity to point out that while an individual programmer can be in control of what net-new vulnerabilities they produce with each release, they often don’t have much JVU[YVS�V]LY�YLTLKPH[PVU�YH[LZ��;OL�I\NZ�[OL`�Ä_�¶�HUK�ÔLU�[OL`�HYL�Ä_LK�¶�HYL�SHYNLS`�KPJ[H[LK�by development managers.

;V�LHZL�[OPZ�KPMÄJ\S[�]\SULYHIPSP[`�YLTLKPH[PVU�KLJPZPVU��HZ�HU�PUK\Z[Y �̀�^L�T\Z[�PU]LZ[�YLZV\YJLZ�that improve true risk-decision making capabilities. With better data we can help development THUHNLYZ�KLJPKL�ÔPJO�]\SULYHIPSP[PLZ�ZOV\SK�IL�Ä_LK��OV �̂�HUK�ÔLU��;OL`�JHU�TVYL�accurately decide which issues can wait till later and be placed under the watchful eye of the operational security team.

(KKP[PVUHSS �̀�TVYL�Z[YH[LNPLZ�HUK�VW[PVUZ�^V\SK�IL�^LSJVTL�[OH[�YLK\JL�[OL�JVZ[�[V�Ä_�JVKL��such as centralized security controls, or temporarily mitigate issues that will land in production systems no matter what is done in the SDLC. A virtual patch using a Web Application Firewall PZ�H�NVVK�L_HTWSL�VM�[OPZ��6M�JV\YZL�^L�T\Z[�KV�ÔH[L]LY�^L�YLHZVUHIS`�JHU�[V�KLJYLHZL�[OL�number of vulnerabilities so that these tough choices are faced far less often than they are today.

Websites are an ongoing business concern and security must be ensured all the time, not just at H�WVPU[�PU�[PTL��;OH[»Z�HSZV�Ô`�P[�T\Z[�UL]LY�IL�MVYNV[[LU�[OH[�HU�H[[HJRLY�VUS`�ULLKZ�[V�L_WSVP[�a single vulnerability, on any given day, to win. That’s why the true Key Performance Indicator �270��VM�^LIZP[L�ZLJ\YP[`�PZ�>PUKV^�VM�,_WVZ\YL�


Figure 3. Overall Window of Exposure to Serious* Vulnerabilities (2012)The percentage of websites that fall within a particular Window of Exposure zone(Sorted by industry)

Window-of-Exposure is the number of days in a year a website is exposed to at least one serious* vulnerability. As such, Window-of-Exposure is an informative combination of the total U\TILY�VM�]\SULYHIPSP[PLZ��[PTL�[V�Ä_��HUK�YLTLKPH[PVU�YH[LZ�¶�[HRLU�V]LY�[PTL��(U`�VUL�VM�these metrics, or a combination thereof, may be the area that has the greatest impact on a given organization’s Window-of-Exposure outcome. To provide context, let’s consider two identical websites, SiteA and SiteB.

1)�:P[L(�OHK��ZLYPV\Z��]\SULYHIPSP[PLZ�PKLU[PÄLK�K\YPUN�[OL�SHZ[�`LHY�HUK�MVY��VM�[OVZL�KH`Z�P[�had at least one of those issues publicly exposed.

2) :P[L)�OHK��ZLYPV\Z��]\SULYHIPSP[PLZ�PKLU[PÄLK�K\YPUN�[OL�SHZ[�`LHY�HUK�MVY��VM�[OVZL�KH`Z�P[�had at least one of those issues publicly exposed.


MOST COMMON VULNERABILITIES

Despite having 10 times the number of vulnerabilities, we would argue that during the last year SiteB had a substantially better security posture than SiteA as measured by the Window-of-Exposure. It is revealing to see how various industries perform in the area of Window-of-Exposure. Figure 3 illustrates 2012 performance by industry.

0[�PZ�KPMÄJ\S[�[V�JVUJS\ZP]LS`�Z[H[L�^O`�JLY[HPU�PUK\Z[YPLZ�WLYMVYT�IL[[LY�[OHU�V[OLYZ��VY�L]LU� why a particular development group in a single organization seemingly performs better than the rest. All told, the data shows that the industry in which a particular website falls seems to, at best, only slightly correlate to an expected security posture. Previous reports have also explored potential correlations that may exist between organization size and development framework/programming language in use, but only small performance variations emerge. *SLHYS �̀�ZVTL�VYNHUPaH[PVUZ�OH]L�ZVTL[OPUN�ÄN\YLK�V\[��HZ�[OLPY�^LIZP[LZ�HYL�MHY�SLZZ� vulnerable than others.

Now that we have an understanding of the average total number of serious* vulnerabilities, Time-to-Fix, Remediation Rates, and Window of Exposure across industry verticals, we’ll look at the distribution of vulnerability classes. In Figure 4, the most prevalent vulnerabilities classes are calculated based upon their percentage likelihood of at least one instance being found within any given website. This approach minimizes data skewing in websites that are either highly secure or extremely risk-prone.


)LMVYL�NL[[PUN�PU[V�L_WSHPUPUN�ZWLJPÄJZ��P[�PZ�PTWVY[HU[�[V�Z[H[L�[OH[�[OLZL�]\SULYHIPSP[PLZ�YLWYLZLU[�WVZZPISL�^H`Z�H[[HJRLYZ�JHU�WLUL[YH[L�^LIZP[LZ�HUK�VY�JH\ZL�OHYT�[V�[OLPY�\ZLYZ��(SVUL��[OLZL�]\SULYHIPSP[PLZ�KV�UV[�PU�HU`�^H`�YLWYLZLU[�[OL�WYVIHIPSP[ �̀�VY�SPRLSPOVVK��[OH[�[OL`�^PSS�HJ[\HSS`�be exploited. To achieve that level of clarity it is necessary to compare our data against reports such Verizon’s Data Breach Investigation Report, Trustwave Global Security Report, and others that describe actual incident data. This type of analysis goes beyond our current scope. For UV �̂�P[»Z�MHPY�[V�ZH`�[OLZL�]\SULYHIPSP[PLZ�VUS`�YLWYLZLU[�^H`Z�[OH[�PUJPKLU[Z�TH`�[HRL�WSHJL�PU�[OL�future.

(1 & 2)�0U��0UMVYTH[PVU�3LHRHNL�V]LY[VVR�*YVZZ��:P[L�:JYPW[PUN��?::��VUJL�HNHPU�HUK�YLNHPULK�P[Z�JYVÛ�HZ�[OL�TVZ[�WYL]HSLU[�^LIZP[L�]\SULYHIPSP[ �̀�PKLU[PÄLK�PU��HUK��VM�websites respectively. Last year, coincidentally, those percentages were exactly opposite. While PU�YLJLU[�`LHYZ�IV[O�JSHZZLZ�VM�H[[HJR�^LYL�VU�[OL�Z[LHK`�KLJSPUL��UV^�Z\IZ[HU[P]L�PTWYV]LTLU[�seems to have stalled. A potential reason for this is the sheer number of them in the average ^LIZP[L��[OL�LHZL�^P[O�ÔPJO�JVKPUN�TPZ[HRLZ�JHU�SLHK�[V�]\SULYHIPSP[PLZ��HUK�UL^�^H`Z�PU�ÔPJO�[OL`�HYL�KPZJV]LYLK��L_WSVP[LK�

Note: For those unfamiliar, Information Leakage is largely a catch-all term used to describe a vulnerability where a website reveals sensitive data, such as technical details of the Web HWWSPJH[PVU��LU]PYVUTLU[��VY�\ZLY�ZWLJPÄJ�KH[H!�ZLUZP[P]L�KH[H�[OH[»Z�JVTWSL[LS`�\UULJLZZHY`�for a typical visitor, but may be used by an attacker to exploit the system, its hosting network, or users. Common examples are a failure to scrub out HTML/ JavaScript comments containing ZLUZP[P]L�PUMVYTH[PVU��KH[HIHZL�WHZZ^VYKZ��PTWYVWLY�HWWSPJH[PVU�VY�ZLY]LY�JVUÄN\YH[PVUZ��VY�differences in page responses for valid versus invalid data.

��(SZV�VU�H�KVÛ^HYK�[YLUK��`L[�YLTHPUPUN�H[��PZ�*VU[LU[�:WVVÄUN�H[��VM�^LIZP[LZ��;OPZ�PZ�H�ZSPNO[�KYVW�V]LY��ÔLYL�P[�^HZ�H[��VM�^LIZP[LZ�HUK��PU��*VU[LU[�:WVVÄUN�PZ�H�]LY`�ZPTPSHY�]\SULYHIPSP[`�[V�*YVZZ�:P[L�:JYPW[PUN��VUS`�^P[OV\[�[OL�¸ZJYPW[¹��/;43��JavaScript). This vulnerability class is most often used to force a website to display content \UH\[OVYPaLK�[V�HUV[OLY�\ZLY��(Z�Z\JO��*VU[LU[�:WVVÄUN�PZ�\ZLM\S�PU�WLYMVYTPUN�WOPZOPUN�ZJHTZ�HUK�V[OLY�THSPJPV\Z�IYHUK�H[[HJRZ�

��Brute Force moved up to fourth from sixth place in the last year and increased 10 percentage WVPU[Z�V]LY�SHZ[�`LHY�[V��VM�^LIZP[LZ��(�SHYNL�U\TILY�VM�[OLZL�)Y\[L�-VYJL�]\SULYHIPSP[PLZ�VJJ\Y�ILJH\ZL�H�^LIZP[L�SVNPU�ÄLSK�YL]LHSZ�ÔPJO�LU[Y`�VM�[OL�\ZLYUHTL��WHZZ^VYK�combination is incorrect. Due to spammers mining for valid email addresses, which double as usernames on a variety of websites, enterprises have an increased awareness and appreciation for the problem. In these cases we adjust the severity of Brute Force vulnerability accordingly.

��*YVZZ�:P[L�9LX\LZ[�-VYNLY`��*:9-��THPU[HPULK�P[Z�WSHJLTLU[�H[��K\YPUN��ÔPSL�PUJYLHZPUN�ZL]LU�WLYJLU[HNLZ�WVPU[Z�ZPUJL�[OL�`LHY�WYPVY��HUK�UV^�YLZPKLZ�PU��VM�^LIZP[LZ��*:9-�PZ�^PKLS`�JVUZPKLYLK�[V�IL�[OL�ZSLLWPUN�NPHU[�VM�>LI�ZLJ\YP[`�^P[O�[OL�PUK\Z[Y`�JVUZLUZ\Z�asserting that nearly every website has at least one vulnerability, particularly those with login JHWHIPSP[ �̀�;OL�JOHSSLUNL�OHZ�ILLU�[OH[�K\L�[V�*:9-�ZPTWSPJP[ �̀�THU`�VYNHUPaH[PVUZ�OPZ[VYPJHSS`�KPK�UV[�WLYJLP]L�*:9-�HZ�H�]\SULYHIPSP[`�¶�VY�H[�SLHZ[��UV[�HZ�VUL�[OL`�^LYL�OLSK�YLZWVUZPISL�


[V�Ä_��(Z�H�YLZ\S[��VYNHUPaH[PVUZ�LMMLJ[P]LS`�KPK�UV[�^HU[�[OLZL�PZZ\LZ�YLWVY[LK��-VY[\UH[LS`�[OPZ�TPUKZL[�OHZ�ILLU�JOHUNPUN��(Z�Z\JO��ZL]LYHS�`LHYZ�IHJR�>OP[L/H[�:LJ\YP[`�\WKH[LK�V\Y�[LZ[PUN�TL[OVKVSVN`�HUK�WYLKPJ[LK�[OL�U\TILYZ�^V\SK�YPZL��ÔPJO�MVY�`LHYZ�[OL`�KPK��H�ZLSM�M\SÄSSPUN�prophecy of sorts.

��-PUNLYWYPU[PUN��H�UL^�HKKP[PVU�[V�V\Y�[VW�[LU��WYLZLU[S`�YLZPKLZ�H[��V]LYHSS�HUK�PZ�MV\UK�PU��VM�[OL�^LIZP[LZ�^L�HZZLZZLK�PU��(U�L_[YLTLS`�JVTTVU�TL[OVKVSVN �̀�H[[HJRLYZ�ÄYZ[�footprint their target’s web presence and enumerate as much information as possible. Pieces of information may include the target’s platform distribution and version, web application software SHUN\HNL�HUK�[LJOUVSVN �̀�IHJRLUK�KH[HIHZL�[`WL�HUK�]LYZPVU��JVUÄN\YH[PVU�KL[HPSZ�HUK�WVZZPIS`�L]LU�[OLPY�UL[^VYR�HYJOP[LJ[\YL�[VWVSVN �̀�*VSSLJ[P]LS`�[OPZ�JYLH[LZ�HU�PUZ[Y\J[P]L�WYVÄSL�VM�[OL�WYVZWLJ[P]L�]PJ[PT��;OL�H[[HJRLY�TH`�[OLU�KL]LSVW�HU�H[[HJR�JOHPU�[OH[�^PSS�TVYL�LMMLJ[P]LS`�exploit one or more vulnerabilities in the target website.

Note: While the presence of Fingerprinting as a class is new, we must point out that these WHY[PJ\SHY�]\SULYHIPSP[PLZ�HYL�UV[�[LJOUPJHSS`�UL �̂�>L»]L�ILLU�YLWVY[PUN�[OLT�HSS�HSVUN��Q\Z[�placing them under the label of Information Leakage. In 2012 a change was made to break them V\[�PU�[OLPY�VÛ�JSHZZ�PU�VYKLY�[V�IL�JVUZPZ[LU[�^P[O�[OL�>(:*�;OYLH[�*SHZZPÄJH[PVU�]��

7)�0UZ\MÄJPLU[�;YHUZWVY[�3H`LY�7YV[LJ[PVU�JVTLZ�PU�H[�ZL]LU[O�VU�[OL�SPZ[�HUK�PZ�MV\UK�PU��of websites in 2012. This class allows communication to be exposed to untrusted third parties, WYV]PKPUN�HU�H[[HJR�]LJ[VY�[V�JVTWYVTPZL�^LIZP[LZ�HUK�VY�Z[LHS�ZLUZP[P]L�PUMVYTH[PVU��>LIZP[LZ�[`WPJHSS`�\ZL�:LJ\YL�:VJRL[Z�3H`LY�;YHUZWVY[�3H`LY�:LJ\YP[`��::3�;3:��[V�WYV]PKL�LUJY`W[PVU�H[�[OL�[YHUZWVY[�SH`LY��/V^L]LY��\USLZZ�[OL�^LIZP[L�PZ�JVUÄN\YLK�[V�\ZL�::3�;3:�HUK�JVUÄN\YLK�[V�\ZL�::3�;3:�WYVWLYS �̀�[OL�^LIZP[L�TH`�IL�]\SULYHISL�[V�[YHMÄJ�PU[LYJLW[PVU�HUK�TVKPÄJH[PVU��>OLU�H�^LIZP[L�\ZLZ�::3�PUJVYYLJ[S �̀�Z\JO�HZ�THRPUN�\ZL�VM�^LHR�VY�U\SS�JPWOLYZ��[OH[�HSZV�NL[Z�ÅHNNLK�HZ�0UZ\MÄJPLU[�;YHUZWVY[�3H`LY�7YV[LJ[PVU��;OL�ZHTL�PZ�[Y\L�PM�[OL�^LIZP[L�PZ�\ZPUN�VSKLY��V\[KH[LK�]LYZPVUZ�VM�::3��;OL�SHYNLZ[�ZL[�VM�]\SULYHIPSP[PLZ�PU�[OPZ�ZL[�PZ�ZPTWS`�[OL�SHJR�VM�::3�\ZL�LU[PYLS`�on the given website.

8) Session Fixation moved from #9 in 2011 to #8 in 2012 and increased by four percentage WVPU[Z�[V��VM�^LIZP[LZ��:LZZPVU�-P_H[PVU�VJJ\YZ�ÔLU�H�^LIZP[L»Z�ZLZZPVU�JYLKLU[PHS��Z\JO�HZ�H�JVVRPL��JHU�IL�MVYJPIS`�WYL�ZL[�[V�H�]HS\L�[OH[�[OL�IHK�N\`�RUV^Z��ÔPJO�[OLU�ILJVTLZ�valid after the user successfully authenticates. Fortunately, because of the nature of this issue, it KVLZU»[�ZOV^�\W�PU�SHYNL�U\TILYZ��<Z\HSS`�VUL�Ä_�PU�[OL�\UKLYS`PUN�MYHTL^VYR�JH\ZLZ�:LZZPVU�Fixation problems to go away from that particular website entirely.

9)�<93�9LKPYLJ[VY�(I\ZL��H�UL^JVTLY�[V�V\Y�[VW�]\SULYHIPSP[PLZ�SPZ[�LUJVTWHZZPUN��VM�websites and a vulnerability once largely under-appreciated, has proved itself to be an effective [VVS�PU�H�WOPZOLY»Z�HYZLUHS��4HU`�^LIZP[LZ�WVZZLZZ�M\UJ[PVUHSP[`�ÔLYL�H�]PZP[VY�PZ�YLKPYLJ[LK�from one page to another on the same website, or sent off to a completely different website. 6M[LU�[OL�KLZ[PUH[PVU�<93�PZ�ZL[�]PH�H�WHYHTL[LY�]HS\L�PU�[OL�J\YYLU[�<93��PL�O[[W!��^LIZP[L�YLKPYLJ[&KLZ[PUH[PVU$O[[W!��HU`ÔLYL��ÔPJO�JHU�IL�TVKPÄLK�[V�HU`�HYIP[YHY`�]HS\L��(�WOPZOLY�


TH`�[HRL�HK]HU[HNL�VM�[OPZ�M\UJ[PVUHSP[`�I`�ZOHYPUN�H�<93��ÔPJO�NVLZ�[V�H�JVTWSL[LS`�SLNP[PTH[L�^LIZP[L��I\[�HJ[\HSS`�SHUKZ�H�]PZP[VY�VU�H�SVVRHSPRL�WHNL�\UKLY�[OL�H[[HJRLY»Z�JVU[YVS��;OL�]PJ[PT�TH`�[OLU�IL�HZRLK�[V�JOHUNL�[OLPY�WHZZ^VYK�I`�WYLZLU[PUN�[OLPY�J\YYLU[�VUL��HUK�PZ�[OLU�effectively compromised.

Note: It is important to understand that websites did not suddenly become vulnerable to this PZZ\L�K\YPUN��;OL�]\SULYHIPSP[`�^HZ�HS^H`Z�[OLYL�HUK�^L»]L�ILLU�YLWVY[PUN�P[��VUS`�\UKLY�[OL�º0UZ\MÄJPLU[�(\[OVYPaH[PVU»�IHUULY��;VKH �̀�LHJO�UL^�PUZ[HUJL�^L�ÄUK�NVLZ�\UKLY�P[Z�VÛ�label, so we expect these numbers to climb over time because the issue is indeed pervasive.

10)�0UZ\MÄJPLU[�(\[OVYPaH[PVU��ÔPJO�^HZ�H[��VM�^LIZP[LZ�HUK�PU�[OL�MV\Y[O�ZWV[�PU��experienced a large decline during 2012, and now resides in tenth place on the list and is MV\UK�PU�Q\Z[��VM�^LIZP[LZ��;OL�[`WPJHS�0UZ\MÄJPLU[�(\[OVYPaH[PVU�]\SULYHIPSP[`�PZ�ÔLU�HU�authenticated or non-authenticated user can access data or functionality that their privilege level should not allow. For example, User A can surreptitiously obtain data from User B’s account, or perform actions reserved only for Admins, perhaps simply by changing a single number in a URL.

7YV]PKLK�[OL�^LIZP[L»Z�\UKLYS`PUN�HWWSPJH[PVU�MYHTL^VYR�OHZ�H�UV[PVU�VM�ºH\[OVYPaH[PVU»�I\PS[�in, typically these vulnerabilities are not overly voluminous; they are simple oversights and LHZ`�LUV\NO�[V�Ä_��;OPZ�JV\SK�L_WSHPU�[OL�SHYNL�KYVW��6[OLY�[PTLZ�0UZ\MÄJPLU[�(\[OVYPaH[PVU�vulnerabilities are indicative of a need for a huge platform upgrade, often put off for as long HZ�WVZZPISL�K\L�[V�[OL�^VYR�YLX\PYLK��WV[LU[PHSS`�L_WSHPUPUN�Ô`�VUL�PU��^LIZP[LZ�Z[PSS�OH]L�at least one of them. The most probable explanation of the drop is the separating out of URL Redirector Abuse vulnerabilities from this class.

Another very extremely notable change from 2011 to 2012 is that SQL Injection no longer HWWLHYZ�VU�ÔH[�^V\SK�[LJOUPJHSS`�IL�H�;VW��SPZ[��:83�0UQLJ[PVU�SHUKLK�H[��HUK�^HZ�PKLU[PÄLK�PU�Q\Z[��VM�^LIZP[LZ�HZZLZZLK��;OPZ�PZ�H�JVU[PU\H[PVU�VM�P[Z�Z[LHK`�KLJSPUL�ZPUJL��ÔLU�^L�ÄYZ[�Z[HY[LK�YLWVY[PUN��>OPSL�V]LYHSS�WYL]HSLUJL�PZ�UV^�SV �̂�HZ�TVZ[�YLHKLYZ�HYL�HJ\[LS`�H^HYL��[OPZ�OHZ�UV[�Z[VWWLK�H[[HJRLYZ�MYVT�SL]LYHNPUN�:83�0UQLJ[PVU�HZ�H�SLHKPUN�H[[HJR�]LJ[VY�to compromise websites and steal the data they possess. This is yet another proof point that vulnerHIPSP[`�WYL]HSLUJL�KVLZ�UV[�H\[VTH[PJHSS`�LX\H[L�[V�WYVIHIPSP[`�VM�L_WSVP[H[PVU�

6]LYHSS�[OL��>OP[L/H[�;VW��JVU[HPUZ�THU`�JVTTVU�MLH[\YLZ�^P[O�V\Y�;VW��SPZ[Z�MYVT�2011 and 2010. While progress is being made, wiping out particular vulnerability classes NSVIHSS`�¶�L]LU�[OL�TVZ[�^LSS�RUVÛ�¶�PZ�WYV]PUN�[V�IL�H�TVUZ[YV\ZS`�KPMÄJ\S[�[HZR��;OL�IHJRSVN�VM�^VYR�YLX\PYLK�[V�YLWHPY�\W�[V��`LHYZ�VM�]\SULYHISL�>LI�JVKL�^PSS�[HRL�H�ÔPSL��

;V�Z\WWSLTLU[�]\SULYHIPSP[`�SPRLSPOVVK�Z[H[PZ[PJZ��[OL�MVSSV^PUN�NYHWO��-PN\YL��PSS\Z[YH[LZ�prevalence by class in the overall vulnerability population. Notice how greatly it differs from the >OP[L/H[�;VW��;OL�YLHZVU�PZ�[OH[�VUL�^LIZP[L�TH`�WVZZLZZ�O\UKYLKZ�VM�\UPX\L�PZZ\LZ�VM�H�ZWLJPÄJ�JSHZZ��ÔPSL�HUV[OLY�^LIZP[L�TH`�UV[�JVU[HPU�HU �̀�=\SULYHIPSP[`�JSHZZLZ�Z\JO�HZ�*YVZZ�


Cross-Site Scripting

Information Leakage

Content Spoofing

Cross-Site Request Forgery

Brute Force

Insufficient Transport Layer Protection

Insufficient Authorization

SQL

Other

43%

11%

7%

12%

13%

injection

:P[L�:JYPW[PUN��*VU[LU[�:WVVÄUN��HUK�0UMVYTH[PVU�3LHRHNL�[HRL�[OL�[VW�[OYLL�ZWV[Z�HZ�[OL`�YLWYLZLU[��HUK��VM�[OL�[V[HS�WVW\SH[PVU�YLZWLJ[P]LS �̀�(SZV�UV[PJLHISL�VU�[OL�SPZ[�HYL�*YVZZ�:P[L�9LX\LZ[�-VYNLY`��:83�0UQLJ[PVU��HUK�)Y\[L�-VYJL��


*�SL]LS�L_LJ\[P]LZ��THUHNLYZ��HUK�ZVM[^HYL�KL]LSVWLYZ�VM[LU�HZR�[OLPY�ZLJ\YP[`�[LHTZ��¸/V^�HYL�^L�KVPUN&�(YL�^L�ZHML��HYL�^L�ZLJ\YL&¹�;OL�YLHS�[OPUN�[OL`�TH`�IL�HZRPUN�MVY�PZ�H�ZLUZL�VM�OV^�the organization’s current security posture compares to their peers or competitors. They want [V�RUV^�PM�[OL�VYNHUPaH[PVU�PZ�SLHKPUN��MHSSPUN�^H`�ILOPUK��VY�PZ�ZVTLÔLYL�PU�IL[^LLU�^P[O�YLZWLJ[�[V�[OLPY�ZLJ\YP[`�WVZ[\YL��;OL�HUZ^LYZ�[V�[OH[�X\LZ[PVU�HYL�L_[YLTLS`�OLSWM\S�MVY�WYVNYLZZ�[YHJRPUN�HUK�NVHS�ZL[[PUN�

>OH[�THU`�KV�UV[�ÄYZ[�JVUZPKLY�PZ�[OH[�ZVTL�VYNHUPaH[PVUZ��VY�WHY[PJ\SHY�^LIZP[LZ��HYL�º[HYNL[Z�VM�VWWVY[\UP[ �̀»�ÔPSL�V[OLYZ�HYL�º[HYNL[Z�VM�JOVPJL�»�;HYNL[Z�VM�VWWVY[\UP[`�HYL�IYLHJOLK�ÔLU�[OLPY�ZLJ\YP[`�WVZ[\YL�PZ�^LHRLY�[OHU�[OL�H]LYHNL�VYNHUPaH[PVU��PU�[OLPY�PUK\Z[Y`��¶�HUK�[OL`�NL[�\US\JR`�PU�[OL�[V[HS�WVVS�VM�WV[LU[PHS�]PJ[PTZ��;HYNL[Z�VM�JOVPJL�WVZZLZZ�ZVTL�[`WL�VM�\UPX\L�and valuable information, or perhaps a reputation or brand that is particularly attractive to a TV[P]H[LK�H[[HJRLY��;OL�H[[HJRLYZ�RUV^�WYLJPZLS`�ÔVT�¶�VY�ÔH[�¶�[OL`�^HU[�[V�WLUL[YH[L��

/LYL»Z�[OL�[OPUN!�ZPUJL�º��ZLJ\YP[`»�PZ�HU�\UYLHSPZ[PJ�NVHS�¶�TVZ[S`�ILJH\ZL�P[�PZ�ÅH[S`�impossible, and the attempt is prohibitively expensive and for many completely unnecessary ¶�P[�PZ�PTWLYH[P]L�MVY�L]LY`�VYNHUPaH[PVU�[V�KL[LYTPUL�PM�[OL`�TVZ[�SPRLS`�YLWYLZLU[�H�[HYNL[�VM�VWWVY[\UP[`�VY�JOVPJL��0U�KVPUN�ZV�HU�VYNHUPaH[PVU�TH`�LZ[HISPZO�HUK�TLHZ\YL�HNHPUZ[�H�¸ZLJ\YL�LUV\NO¹�IHY�

If an organization is a target of opportunity, a goal of being just above average with respect to ^LIZP[L�ZLJ\YP[`�HTVUN�WLLYZ�PZ�YLHZVUHISL��;OL�IHK�N\`�^PSS�NLULYHSS`�WYLMLY�[V�H[[HJR�^LHRLY��and therefore easier to breach, targets. On the other hand, if an organization is a target of JOVPJL��[OH[�VYNHUPaH[PVU�T\Z[�LSL]H[L�P[Z�^LIZP[L�ZLJ\YP[`�WVZ[\YL�[V�H�WVPU[�ÔLYL�HU�H[[HJRLY»Z�efforts are detectable, preventable, and in case of a compromise, survivable. This is due to the MHJ[�[OH[�HU�HK]LYZHY`�^PSS�ZWLUK�ÔH[L]LY�[PTL�PZ�ULJLZZHY`�SVVRPUN�MVY�NHWZ�PU�[OL�KLMLUZLZ�[V�exploit.

Whether an organization is a target of choice or a target of opportunity, the following Industry Scorecards have been prepared to help organizations to visualize how its security posture JVTWHYLZ�[V�P[Z�WLLYZ��WYV]PKLK�[OL`�RUV^�[OLPY�VÛ�PU[LYUHS�TL[YPJZ��VM�JV\YZL��

INDUSTRY SCORECARDS



AT A GLANCE

EXPOSURE AND CURRENT DEFENSE

PERCENT OF SERIOUS* VULNERABILITIES THAT HAVE BEEN FIXED

AVERAGE TIMETO FIX

PERCENT OF ANALYZED SITES WITH A SERIOUS*VULNERABILITY

AVERAGE NUMBER OFSERIOUS* VULNERABILITIES PER SITE PER YEAR

81% 54% 107DAYS11

Cross-Site

Scripting*

Information Leakage*

Content

Spoofing*

Cross-Site

Request Forgery*

Brute Force* Fingerprinting* Insufficient

Authorization*

30%

20%

10% 26% 21% 9% 9% 8% 8% 5%

Banking Industry ScorecardApril 2013

24% 33% 9% 11% 24%

THE CURRENT STATE OFWEBSITE SECURITY

TOP SEVEN VULNERABILITYCLASSES

CURRENT APPLICATION SECURITY BEHAVIORS AND CONTROLSUSED BY ORGANIZATIONS

*The percent of sites that had at least one example of...

*Serious vulnerabil it ies are defined as those in which an attacker could take control over al l , or a part, of a website, compromise user accounts, access sensit ive data or violate compliance requirements.

DAYS OVER A YEAR THAT A SITE IS EXPOSED TO SERIOUS* VULNERABILITIES

Programmers receive instructor led or computer-based software security training

Applications contain a library or framework that centralizes and enforces security controls

Perform Static Code Analysis on their website(s) underlying applications

Web Application Firewall Deployed

Transactional / Anti-Fraud Monitoring System Deployed

80%

100%

60%

40%

20% 57% 29%57%29% 71%

24% Always Vulnerable

33% Frequently Vulnerable 271-364 days a year

9% Regularly Vulnerable 151-270 days a year

11% Occasionally Vulnerable 31-150 days a year

Rarely Vulnerable 30 days or less a year



AT A GLANCE



AVERAGE TIMETO FIX



81 % 67% 226DAYS50

Cross-Site

Scripting*


Content

Spoofing*

SQL injection*Cross-Site request Forgery*

Brute Force* Directory

Indexing*

30%

20%

10% 31% 25% 12% 9% 8% 7% 7%

Financial Services Industry Scorecard












80%

100%

60%

40%

20% 64% 70%50%50% 40%





23% Rarely Vulnerable 30 days or less a year

28% 28% 10% 10% 23%



AT A GLANCE



AVERAGE TIMETO FIX



90% 53% 276DAYS22

Cross Site

Scripting*


Content

Spoofing*

Brute Force*Insufficent Transport

Layer Protection*

Cross SiteRequest Forgery*

Session

Fixation*

30%

20%

10% 40% 29% 22% 13% 12% 10% 9%

Healthcare Industry ScorecardApril 2013












80%

100%

60%

40%

20% 67% 67%83%50% 34%






49% 22% 12% 7% 10%



AT A GLANCE



AVERAGE TIMETO FIX



91 % 54% 224DAYS106

Cross Site

Scripting*


Content

Spoofing*

Brute Force* SQL Injection*Cross SiteRequest Forgery*

Directory

Indexing*

30%

20%

10% 31% 25% 12% 9% 8% 7% 7%

Retail Industry ScorecardApril 2013












80%

100%

60%

40%

20% 73% 60%90%70% 70%






54% 21% 6% 5% 13%



AT A GLANCE



AVERAGE TIMETO FIX



85% 61 % 71DAYS18

Cross-Site

Scripting*


Content

Spoofing*

Cross-Site

Request Forgery*

Brute Force*Fingerprinting* URL Redirector

Abuse*

30%

20%

10% 41% 35% 19% 18% 14% 12% 12%

Technology Industry ScorecardApril 2013

5% 64% 10% 9% 11%












80%

100%

60%

40%

20% 48% 52%96%72% 32%







SURVEY

APPLICATION SECURITY IN THE SDLC

More secure software, NOT more security software.

How do we integrate security throughout the software development lifecycle (SDLC)? How do we measurably improve the security of the software we produce? How do we ensure we are procuring secure software?

When attempting to address these questions, it is very easy for organizations to throw away precious time and money. Corporate security teams looking for guidance will often borrow from various industry standards listing out “best-practices” that are usually just copy-pasted from a disjointed chain of “experts.” These so-called best-practices might include software security training for developers, security testing during QA, static code analysis, centralized controls, Web Application Firewalls, penetration-testing, and others. The term “best-practices” implies the activity is valuable in every organization at all times. We think most would agree that just because a certain practice works well for one organization does not mean it will automatically work well at another.

Of course, we all would like to be able to say, “organizations that provide software security training for their developers experience 25% fewer serious vulnerabilities annually than those who do not.” Or, “organizations that perform application security testing prior to each major production release not only have fewer vulnerabilities year-over-year, but exhibit a 35% faster [PTL�[V�Ä_�¹

Unfortunately, the commonly held assumption is that the listed best-practices above have somehow been statistically demonstrated to cost-effectively increase software and website security within any organization – that there is some supporting data-backed evidence, that there are studies showing vulnerability volumes and breaches go down when these activities are implemented. The fact is there isn’t any study or data repository to this effect, at least not when it comes to anything related to website security.


What comes the closest is BSIMM (Building Security In Maturity Model) , a study of 51 real-world software security initiatives – the majority of which are from major corporations. This study provides keen insight into what these organizations are doing. Unfortunately the observed data provides zero indication that the activities actually work. By work we mean do they reduce ]\SULYHIPSP[`�]VS\TL��ZWLLK�\W�[PTL�[V�Ä_��PTWYV]L�YLTLKPH[PVU�YH[LZ��HUK�VM�JV\YZL�KLJYLHZL�the occurrence and severity of website breaches. The observations in the study are not paired ^P[O�V\[JVTLZ��(Z�Z\JO��):044�JV\SK�HJ[\HSS`�YLWYLZLU[�ÄYTZ�[OH[�VYNHUPaH[PVUZ�ZOV\SK�NOT be like if they want to keep from getting hacked.

>L�JVU[LUK�[OH[�ZLJ\YP[`�L_WLY[Z�JHUUV[�HMMVYK�[V�THRL�Z\JO�JHYLSLZZ�HZZ\TW[PVUZ�HIV\[�supposed best-practices, even those performed by large and reputable organizations. With so much at risk every day online, there must be no tolerance for tradition and sacred cows. Organizations need to better understand how various parts of their SDLC affect the introduction of vulnerabilities, which leave the door open to breaches. That said, we used BSIMM as a source of inspiration, a jumping off point to further the collective understanding of what really works in software and website security.

To move in this direction, during February 2013, we asked WhiteHat Security customers to assist \Z�I`�HUZ^LYPUN�YV\NOS`�H�KVaLU�]LY`�ZWLJPÄJ�Z\Y]L`�X\LZ[PVUZ�HIV\[�[OLPY��:+3*�HUK�HWWSPJH[PVU�ZLJ\YP[`�WYVNYHT��(Z�`V\»SS�ZLL�ILSV �̂�[OLZL�PUJS\KLK�X\LZ[PVUZ�Z\JO�HZ!�OV^�VM[LU�do you preform security tests on your code during QA? What is your typical rate of production code change? Do you perform static code analysis? Have you deployed a Web Application Firewall? Who in your organization is accountable in the event of a breach? We even asked “has your website been breached?”

We received survey responses from 76 organizations, surpassing that of BSIMM, and then correlated those responses with company demographics and WhiteHat Sentinel website vulnerability data. The results were both stunning and deeply puzzling. The connections between various software security controls and SDLC behaviors and the vulnerability outcomes and breaches is far more complicated than we ever imagined.

Note: While we are able to correlate security performance relative to the size of an organization by revenue and numbers of employees, we did not perform that analysis in this report. This may be an avenue of additional study later on.

SDLC ACTIVITIES BY INDUSTRY

1) Rate of Production Application Code ChangeA reasonable theory is that the rate at which an organization updates production code greatly affects their overall website security posture. Each code update increases the possibility for new vulnerabilities to be introduced. At the same time, each change also provides opportunities to W\ZO�Ä_LZ�[V�L_PZ[PUN�PZZ\LZ��;V�NL[�H�ZLUZL�MVY�YH[L�VM�JVKL�JOHUNL�HJYVZZ�V\Y�J\Z[VTLY�IHZL�^L�asked, “Please select the answer that best describes the typical rate of production application code change in your organization’s website(s)” and then sorted the results by industry.


0[�PZ�YHYL�^OLU�HU`VUL�NL[Z�[V�ZLL�Z\JO�ÄN\YLZ�SHPK�V\[��(Z�^L�TPNO[�OH]L�L_WLJ[LK�\W�MYVU[��UV[OPUN�YLHSS`�Z[VVK�V\[�[V�\Z��*SLHYS`�JLY[HPU�PUK\Z[YPLZ�[LUK�[V�\WKH[L�WYVK\J[PVU�TVYL�VM[LU�[OHU�V[OLYZ��Z\JO�HZ�9L[HPSLYZ�HUK�;LJOUVSVN �̀�TVYL�ZV�[OHU�)HURPUN�HUK�0UZ\YHUJL��4VZ[�WYVIHIS`�JV\SK�OH]L�WYLKPJ[LK�[OH[�YLZ\S[�\W�MYVU[��NP]LU�[OL�[`WL�VM�I\ZPULZZ�[OL`�HYL�PU��0U[LYLZ[PUNS �̀�VUS`�-PUHUJPHS�:LY]PJLZ�OHK�ZVTL�U\TILY�VM�^LIZP[LZ�[OH[�VUS`�ZH^�JOHUNL�HUU\HSS`��

2) Software Security Training5L_[�^L�^HU[LK�[V�SLHYU�OV^�THU`�KL]LSVWLYZ�HYL�YLJLP]PUN�ZVM[^HYL�ZLJ\YP[`�[YHPUPUN�HUK�OV^�T\JO�[YHPUPUN�[OL`�YLJLP]L��(NHPU��H�YLHZVUHISL�[OLVY`�PZ�[OH[�LK\JH[LK�WYVNYHTTLYZ�ZOV\SK�NLULYHSS`�WYVK\JL�TVYL�ZLJ\YL�JVKL��-PN\YLZ��

6\Y�YLZ\S[Z�ZOV^�[OH[�TVZ[�KL]LSVWLYZ��^VYRPUN�MVY�>OP[L/H[�:LJ\YP[`�J\Z[VTLYZ�YLJLP]L�ZVTL�HTV\U[�VM�ZVM[^HYL�ZLJ\YP[`�[YHPUPUN��>L�JHUUV[�H[[LZ[�[V�[OL�X\HSP[`�VY�MVYTH[�VM�[OL�[YHPUPUN�YLJLP]LK��I\[�[OL�Z\IQLJ[�H[�SLHZ[�JVTLZ�\W��>L�[HRL�[OPZ�HZ�H�WVZP[P]L�PUKPJH[VY�

(Figure 7) (Figure 8)


(Figure 9)

Across industries, we see a rather even distribution of training. No industry had near universal coverage or complete absence of training. Retailers were at the top of the list with roughly three-quarters saying their developers had received training. Perhaps this performance is stimulated by PCI-DSS compliance obligations; we’re unable to say with any certainty. What is also interesting is Technology had the lowest score by percentage, a little less than half. A cynical theory might be that this sector feels they already know what they’re doing and does not need security training. We leave it to the reader to theorize what motivating factors might be at play.

3) Centralized Software Security ControlsAnother component of an SDLC is understanding how security is technologically integrated into an application. For example, to make things easier on developers, libraries and frameworks can be made available to centralize and enforce security controls. Centralized security controls may include, but are not limited to authentication, authorization, database access, input validation, V\[W\[�ÄS[LYPUN��HUK�ZV�VU��>L�HZRLK��¸+V�`V\Y�VYNHUPaH[PVU»Z�ZVM[^HYL�WYVQLJ[Z�JVU[HPU�HU�application library or framework that centralizes and enforces security controls?”

6]LYHSS��VM�VYNHUPaH[PVUZ�ZHPK�[OLPY�ZVM[^HYL�WYVQLJ[Z�JVU[HPU�HU�HWWSPJH[PVU�SPIYHY`�VY�framework that centralizes and enforces security controls. When results are broken down by industry, we see all industries making at least some use of them. In Technology and Retail we see H�OLH]`�\ZL�VM�JLU[YHSPaLK�ZLJ\YP[`�JVU[YVSZ��ULHYS`�[OYLL�X\HY[LYZ"�PU�0UZ\YHUJL�HUK�)HURPUN��Q\Z[�V]LY�VUL�X\HY[LY��HUK�OHSM�VM�/LHS[OJHYL�HUK�-PUHUJPHS�ÄYTZ�


(Figure 11).(Figure 10)

4) Pre-Production Application Security Testing(Z�HU`VUL�^V\SK�HNYLL��ÄUKPUN�HUK�Ä_PUN�]\SULYHIPSP[PLZ�K\YPUN�[OL�8(�WYVJLZZ��ILMVYL�WYVK\J[PVU�YLSLHZL��PZ�IV[O�ZHMLY�HUK�LHZPLY�[OHU�ÄUKPUN�HUK�Ä_PUN�[OLT�PU�WYVK\J[PVU��4HU`�VYNHUPaH[PVUZ�OH]L�H�WYL�WYVK\J[PVU�WYVJLZZ�[OH[�[LZ[Z�JVKL�MVY�ZLJ\YP[ �̀��-PN\YLZ��

��VM�VYNHUPaH[PVUZ�ZHPK�[OL`�WLYMVYT�ZVTL�HTV\U[�VM�HWWSPJH[PVU�ZLJ\YP[`�[LZ[PUN�PU�WYL�WYVK\J[PVU�^LIZP[L�LU]PYVUTLU[Z��P�L��Z[HNPUN��8(�VY�V[OLY�WYL�WYVK�Z`Z[LTZ��;OH[»Z�]LY`�ULHYS`�\UP]LYZHS�JV]LYHNL��>L�KV�ZLL�ZVTL�KPMMLYLUJLZ�IL[^LLU�PUK\Z[YPLZ��8\P[L�JSLHYS`�^L»YL�ZLLPUN�-PUHUJPHS�:LY]PJLZ�KV�[OL�TVZ[�[LZ[PUN·�OHSM�ILMVYL�LHJO�HUK�L]LY`�JOHUNL��6KKS �̀�VUS`�H�ZTHSS�HTV\U[�VM�;LJOUVSVN`�ÄYTZ�HYL not�KVPUN�ZVTL�MVYT�VM�ZLJ\YP[`�8(��*V\SK�[OPZ�IL�[OL�YLZ\S[�VM�H�+L]6WZ�(NPSL�LZX\L�KL]LSVWTLU[�WYVJLZZ&�>L»YL�\UZ\YL��

5) Static Code Analysis:[H[PJ�*VKL�(UHS`ZPZ��:*(��[OL�H\[VTH[LK�WYVJLZZ�VM�HUHS`aPUN�ZV\YJL�JVKL�MVY�PZZ\LZ��OHZ�ILLU�NP]LU�H�SV[�VM�H[[LU[PVU�V]LY�[OL�SHZ[�ML^�`LHYZ��>OLU�JVKL�PZ�[LZ[LK�MVY�ZLJ\YP[`�PU�8(��[OPZ�PZ�H�JVTTVU�TL[OVK�\ZLK��*VKL�JHU�IL�[LZ[LK�MVY�ZLJ\YP[`�PZZ\LZ�HZ�P[�PZ�ILPUN�^YP[[LU��>L�^HU[LK�[V�IL[[LY�\UKLYZ[HUK�OV^�VM[LU�[OPZ�HJ[P]P[`�PZ�LTWSV`LK�ZV�^L�HZRLK��¸/V^�VM[LU�KVLZ�`V\Y�VYNHUPaH[PVU�WLYMVYT�:[H[PJ�*VKL�(UHS`ZPZ�VU�`V\Y�^LIZP[L�Z��\UKLYS`PUN�HWWSPJH[PVUZ&¹�


Overall, 39% of organizations said they perform some amount of Static Code Analysis on their websites’ underlying applications. However, when the data is sliced by industry, we see wide variation of adoption and use of SCA. Financial Services and Retail appear to be making the most use. Interestingly, 40% of Technology companies and 50% of Healthcare companies are going without any form of SCA. 6) Web Application Firewalls>L�RUV^�THU`�ÄYTZ�OH]L�HKVW[LK�[OL�\ZL�VM�>LI�(WWSPJH[PVU�-PYL^HSSZ��>(-Z��>(-Z�OH]L�many uses, including gaining visibility into incoming website attacks and the ability block them. Exposed vulnerabilities, which might otherwise be externally exploitable, may be protected with a WAF. In our experience, WAFs in production can be in a number of deployment states – not all of which are in active blocking mode. We asked, “Please describe the state of your organizations Web (WWSPJH[PVU�-PYL^HSS��>(-��KLWSV`TLU[&¹��-PN\YL��

(Figure 12)


�-PN\YL�� -PN\YL��

(Figure 13).

Overall, 55% of organizations said they have a Web Application Firewall (WAF) in some state of deployment. As it stands, WAFs are in “monitoring and actively blocking attacks” mode in nearly one-third of organizations across all industries we have data for. The only exception was Healthcare, where 17% are actively blocking, but 50% more have WAFs at least monitoring [YHMÄJ��(UK�UV[HIS �̀�VUS`�PU�)HURPUN�KV�^L�ZLL�SLZZ�[OHU�VUL�[OPYK�VM�[OL�VYNHUPaH[PVUZ�OH]L�H�WAF deployed in some mode. We also know that PCI-DSS regulation has provisions that may OH]L�Z[PT\SH[LK�>(-�HKVW[PVU�HJYVZZ�9L[HPS��7LYOHWZ�P[�OHZ��I\[�P[�PZ�KPMÄJ\S[�[V�THRL�V\[�MYVT�this chart.

7) Strong Password Controls, Anti-Fraud Monitoring, and Audit Log Monitoring There are several other controls commonly used as part of an overall website security program. These controls might include strong password controls, anti-fraud monitoring, and audit log monitoring, in which we were curious about the level of their deployment. It is important to point out that these controls, in and of themselves, may not directly affect the vulnerability metrics in a website. However, they can be highly valuable in driving up the cost of compromising a site and in understanding what happened after the fact. (Figures 14 - 18)


�-PN\YL�� (Figure 17)

(Figure 18)

DRIVERS AND FRICTION;OLYL�HYL�THU`�WVZZPISL�YLHZVUZ�^O`�VYNHUPaH[PVUZ�TH`�JOVVZL�[V�Ä_��VY�UV[�Ä_��^LIZP[L�vulnerabilities they are well aware of. We wanted to better understand these dynamics to get a sense MVY�OV^�[OL`�TPNO[�PTWHJ[�ZLJ\YP[`�WLYMVYTHUJL��:V��^L�HZRLK�>OP[L/H[�:LU[PULS�J\Z[VTLYZ�[V�MVYJL�YHUR�[OLPY�KYP]LYZ�[V�YLZVS]L�^LIZP[LZ�]\SULYHIPSP[PLZ�HUK�HSZV�MVYJL�YHUR�[OL�YLHZVUZ�^O`�[OL`�NV�unresolved. (Figures 19 & 20)


(Figure 20)

By an extremely slim margin, not perceivable in the chart, organizations said their #1 driver for resolving vulnerabilities was “Compliance,” just ahead of “Risk Reduction.” At the same time, Compliance was cited as the #1 reason why their vulnerabilities go unresolved. At ÄYZ[�[OPZ�ZV\UKLK�JVTWSL[LS`�JV\U[LY�PU[\P[P]L� then logically the results began to make perfect sense: When security is driven by something such as compliance, security teams will do what is required and no more.

Proponents of compliance often suggest that mandatory regulatory controls be treated as a “security IHZLSPUL�¹�H�WSH[MVYT�[V�YHPZL�[OL�ÅVVY��HUK�UV[�YLWYLZLU[�[OL�JLPSPUN��>OPSL�[OPZ�PZ�H�UPJL�JVUJLW[��it is not the enterprise reality we see. Keep in mind that WhiteHat Sentinel reports are often used to ZH[PZM`�H�WSL[OVYH�VM�H\KP[VYZ��I\[�>OP[L/H[�:LJ\YP[`�PZ�UV[�H�7*0�+::�(:=�UVY�H�8:(�]LUKVY��>OLU�organizations are required to allocate funds toward compliance, which may or may not enhance security, there are often no resources left or tolerance by the business to do anything more effective.

>L�HSZV�ZSPJLK�[OL�KYP]LYZ�MVY�Ä_PUN�]\SULYHIPSP[PLZ�HUK�YLHZVUZ�Ô`�[OL`�NV�\UYLZVS]LK�I`�PUK\Z[Y`�[V�see if anything stood out. Here we see Healthcare is heavily motivated by Compliance and Customer ��7HY[ULY�+LTHUK��HU�L]LU�ZWSP[��[V�Ä_�PZZ\LZ��;OLU�^L�ZLL�[OL�IPNNLZ[�YLHZVU�Ô`�]\SULYHIPSP[PLZ�PU�Healthcare websites go unresolved is “No one at the organization understands or is responsible for maintaining the code.” It seems this sector is challenged by large amounts of legacy code and systems. Perhaps this explains why we see a large deployment of WAFs in this industry.

0U�-PUHUJPHS�:LY]PJLZ��[OL�SLHKPUN�KYP]LY�[V�Ä_�]\SULYHIPSP[PLZ�^HZ�JP[LK�HZ�9PZR�9LK\J[PVU�HUK�[OL�U\TILY�VUL�YLHZVU�UV[�[V�Ä_�^HZ�*VTWSPHUJL��0U�)HURPUN��*VTWSPHUJL�^HZ�HSZV�[OL�WYPTHY`�YLHZVU�Ô`�[OL`�KPKU»[�Ä_�]\SULYHIPSP[PLZ��I\[�¸6[OLY¹�^HZ�[OL�WYPTHY`�KYP]LY�[V�Ä_��[OL�KH[H�\UMVY[\UH[LS`�KVLZ�UV[�SLUK�\Z�PUZPNO[Z�PU[V�ÔH[�¸6[OLY¹�TPNO[�OH]L�ILLU�L_HJ[S �̀�;OPZ�PZ�HUV[OLY�WSHJL�[V�RLLW�SVVRPUN�MVY�answers).


�-PN\YL��

(Figure 21) (Figure 22)

�-PN\YL��

>L�HSZV�ZSPJLK�[OL�KYP]LYZ�MVY�Ä_PUN�]\SULYHIPSP[PLZ�HUK�YLHZVUZ�Ô`�[OL`�NV�\UYLZVS]LK�I`�PUK\Z[Y`�[V�

maintaining the code.” It seems this sector is challenged by large amounts of legacy code and systems.

Ô`�[OL`�KPKU»[�Ä_�]\SULYHIPSP[PLZ��I\[�¸6[OLY¹�^HZ�[OL�WYPTHY`�KYP]LY�[V�Ä_��[OL�KH[H�\UMVY[\UH[LS`�KVLZ�UV[�SLUK�\Z�PUZPNO[Z�PU[V�ÔH[�¸6[OLY¹�TPNO[�OH]L�ILLU�L_HJ[S �̀�;OPZ�PZ�HUV[OLY�WSHJL�[V�RLLW�SVVRPUN�MVY�

In the Technology sector, vulnerability resolution is driven by Customer / Partner Demand, while ¸9PZR�VM�L_WSVP[H[PVU�PZ�HJJLW[LK¹�PZ�[OL�IPNNLZ[�YLHZVU�UV[�[V�Ä_�PZZ\LZ��(UK�ÄUHSS`�PU�9L[HPS��9PZR�9LK\J[PVU�PZ�Ô`�[OPZ�PUK\Z[Y`�WYPTHYPS`�Ä_LZ�]\SULYHIPSP[PLZ��I\[�¸3HJR�VM�I\KNL[¹�PZ�[OL�SLHKPUN�YLHZVU�Ô`�[OL`�HYL�UV[��-PN\YLZ��


-PN\YL��


We also wanted to get a general sense for how organizations perceived internal change control policies and regulatory requirements as an inhibitor to vulnerability resolution (see Figure 27 below). Across roughly half of all industries, it seems change control policies and regulations YLWVY[LK�KV�¸ZVTL^OH[¹�ZSV^�KV^U�[OL�Ä_PUN�VM�]\SULYHIPSP[PLZ��0U�-PUHUJPHS�:LY]PJLZ�HUK�Technology, roughly one in 10 organizations said both have a negative impact “all the time.” On the other hand, a good number of organizations across all industries said the impact was


“None at all.” The question we were left with is: Why do we see such widely disparate answers in the exact same industries? How do some organizations effectively manage their change control policies and regulatory obligations so as not to be slowed down while others are severely challenged? Clearly this is an area in need of further study.

/V^�KV�KYP]LYZ�MVY�Ä_PUN�]\SULYHIPSP[PLZ�PTWHJ[�ZLJ\YP[`�WLYMVYTHUJL�YLSH[P]L�[V�V[OLY�KYP]LYZ&�As we can see from Figure 28 below, if an organization’s #1 driver for resolving vulnerabilities is Corporate Policy, they perform the best when it comes to Average Vulnerabilities per Site, second in Average Time-to-Fix, and fourth in Average Number of Vulnerabilities Fixed (Remediation Rate). If Compliance is the leading driver, they have the speediest Time-to-Fix. When an organizations’ ��KYP]LY�MVY�Ä_PUN�]\SULYHIPSP[PLZ�PZ�*\Z[VTLY��7HY[ULY�+LTHUK��^L�MV\UK�[OL�NYLH[LZ[�WLYJLU[HNL�VM�Ä_LZ�MVY�[OLPY�^LIZP[L�]\SULYHIPSP[PLZ��;OLYL�HYL�H�SV[�VM�WV[LU[PHS�YLHZVUZ�MVY�[OLZL�YLZ\S[Z��I\[�we’ll leave that speculation as an exercise for our readers.


Answer:SOFTWARE DEVELOPMENT

Answer:SECURITY DEPARTMENT

Answer:BOARD OF DIRECTORS

Answer:EXECUTIVE MANAGEMENT

Question:If an organization experiences a website(s) data or system breach, which part of the organization is held accountable and and what is its performance?

3rd

1St

2nd

4th

4th

3rd

3rd

1st

3rd

2nd

1st

2nd

Average Vulnerabilities per Site Ranking

Average Time to Fix a Vulnerability Ranking

Average Number of Vulnerabilities Fixed Ranking


SURVEY ANSWERS: BREACH CORRELATIONAs shown in the Figures 30 and 31 below, nearly one-quarter of our respondents said at least one of their websites suffered a data or system breach due to an application layer vulnerability. While our sample size is nowhere near that of Verizon’s DBIR, the bulk of our breach data set occurred in the Retail and Healthcare industries.


What we wanted to know next was how the security metrics of those who had been breached compared to those who said they had not been. We found:

Organizations whose website(s) experienced a data or system breach as a result of an application layer vulnerability had 51% fewer vulnerabilities, resolved them 18% faster, and had a 4% higher remediation rate.

By a clear margin, those who were breached perform better than those who had not. Analysis here could go in a number of directions: Did the breach stimulate an increased security performance to ensure a breach would not happen again? Were these organizations just unlucky? Perhaps [OL`�^LYL�ZWLJPÄJHSS`�[HYNL[LK�HUK�^V\SK�OH]L�ILLU�IYLHJOLK�L]LU[\HSS`�YLNHYKSLZZ�VM�^OH[�[OL`�did in their SDLC or how they performed. The answer could be some combination of these, or ZVTL[OPUN�V\[ZPKL�V\Y�KH[H�ZL[�TH`�IL�PUÅ\LUJPUN�[OL�V\[JVTL��0[�PZ�PTWVY[HU[�UV[�[V�KYH^�HU`�hard conclusions, but our intuition tells us that when a breach occurs, the business really starts to get serious about security.

As anyone working in the industry will tell you, providing software security training for developers is a long-standing best-practice. The question is: Does it work? Does it measurably improve an organization’s security metrics and reduce breaches?

Organizations that provided instructor-led or computer-based software security training for their programmers had 40% fewer vulnerabilities, resolved them 59% faster, but exhibited a 12% lower remediation rate.

When it comes to security performance metrics, whatever type of training our customers’ programmers are currently receiving, it seems to be working. Clear improvements in vulnerability ]VS\TL�HUK�[PTL�[V�Ä_�HYL�ZLLU��;OL�VUS`�L_JLW[PVU�PZ�PU�[OL�HYLH�VM�YLTLKPH[PVU�YH[L��6\Y�[OLVY`�is that while developers have a level of control over the number of vulnerabilities they produce ^P[O�LHJO�YLSLHZL��[OL`�VM[LU�OH]L�SP[[SL�VYNHUPaH[PVUHS�PUÅ\LUJL�HZ�[V�^OLU�L_PZ[PUN�]\SULYHIPSP[PLZ�NL[�Ä_LK��;OH[�^VYR�PZ�HZZPNULK�[V�[OLT�I`�H�KL]LSVWTLU[�THUHNLY��0M�H�KL]LSVWLY�PZ�[VSK�[V�JYLH[L�H�MLH[\YL��[OL`�^PSS��0M�[OL`�HYL�[VSK�[V�Ä_�H�]\SULYHIPSP[ �̀�[OL`�^PSS��0U�LHJO�JHZL��OV^L]LY��[OL`�VUS`�do so when they are tasked to do so.


The larger issue is that training developers on software security does not seem to be correlated with breaches. According to Figure 32 above, among those that said they were breached, 13% had their developers attend 5 or more days of training, while those organizations in the “no-breach” category were at a very close at 8%. If there is a single thing that helps prevent website breaches – there probably is not – software security training for developers is not it. So, we have to continue looking.

Centralized software security control holds the promise of improving security metrics by making things easier on developers. Each developer working on a project no longer has to create their own custom code for dealing with authentication, authorization, database access, input validation, V\[W\[�ÄS[LYPUN�HUK�ZV�VU��0UZ[LHK��VUL�VY�TVYL�VM�[OVZL�JVU[YVSZ�PZ�THKL�H]HPSHISL�[V�HSS�programmers, and the use of it may even be required by corporate policy.

Organizations with software projects containing an application library or framework that centralizes and enforces security controls had 64% more vulnerabilities, resolved them 27% slower, but demonstrated a 9% higher remediation rate.

First and foremost, it’s important to point out that an organization may not have a comprehensive centralized control system in place. It is possible they only have one or two controls centralized, HUK�PM�ZV��[OL`�^V\SK�Z[PSS�OH]L�HUZ^LYLK��¸@LZ�¹�(SZV��VYNHUPaH[PVUZ�TH`�OH]L�KPMMLYLU[�KLÄUP[PVUZ�VM�ÔH[�JVUZ[P[\[LZ�JLU[YHSPaLK�JVU[YVSZ��5V[L!�>L�HSZV�KPK�UV[�KLÄUL�¸ZLJ\YP[`�JVU[YVSZ¹�VY�ÔH[�it means to “centralize” them ahead of asking the question). That variation cannot be discounted. >OH[�^L�JHU�ZH`�PZ�[OH[�[OLZL�ÄYTZ�KPK�H[�SLHZ[�think they had centralized security controls, and from that standpoint, it is enlightening.

Even with this in mind, we were quite stunned to see that those who supposedly had at least ZVTL�JLU[YHSPaLK�ZLJ\YP[`�JVU[YVS�PU�WSHJL�WLYMVYTLK�ZPNUPÄJHU[S`�TVYL�WVVYS`�[OHU�[OVZL�ÔV�didn’t – with the exception of the remediation rate. Perhaps what we are dealing with is an over-JVUÄKLUJL�WYVISLT�^P[O�YLZWLJ[�[V�[OLZL�JVU[YVSZ��;VV�T\JO�JVUÄKLUJL�[OH[�[OL`�HYL�WLYMLJ[�HUK�LUHISLK��ÔLU�PU�MHJ[�[OL`�HYL�UV[��0M�^L�HZZ\TL�^L�ÄUK�H�^H`�[V�I`WHZZ�[OLZL�JVU[YVSZ��[OLU�^L�identify a large number of vulnerabilities in each place they are used. And since the controls are relied upon everywhere, any updates will require extensive QA or run the risk of breaking a large number of dependent applications.

We want to make sure that we do not discourage the use of centralized security controls. We believe the concept has a tremendous amount of value. However, proper care must be taken so that they are comprehensive, effective, tested thoroughly, and measured over time.


(Figure 33).

Do those utilizing centralized security controls suffer fewer (or more) website breaches over those who do not? As with developer training, the data doesn’t indicate that centralized controls make much of a difference in either direction. Again, perhaps what works is a combination of factors. Perhaps that factor is the amount of pre-production security testing.

(Figure 34)


In Figure 34 we get a sense for how many WhiteHat Security customers are doing pre-production application security testing and how much they are doing. Here we see that, as with other factors already examined, pre-production testing does not appear to make any impact on breach volume. Next, we’ll have a look at Static Code Analysis (SCA).

Organizations that performed Static Code Analysis on their website(s) underlying applications had 15% more vulnerabilities, resolved them 26% slower, and had a 4% lower remediation rate.

As we saw in the results from centralized security controls and pre-production testing, those organizations saying they perform some amount of SCA actually show worse security metrics in every category. This measurement was extremely surprising – even shocking. Could it be an indictment of this class of testing? It could be, but we really don’t think so. More likely the chosen ZVS\[PVU��JVTTLYJPHS�VY�VWLU�ZV\YJL��PZ�SPTP[LK�PU�^OH[�P[�ÄUKZ��7LYOHWZ�[OL�]\SULYHIPSP[PLZ�[OL�SCA solution is identifying are not the same vulnerabilities that lead to website exploitation. This is a far more likely outcome. And one other possibility is that the solution was purchased, but not fully utilized and integrated in the SDLC.

(Figure 35)

Whatever the case may be for why SCA exhibits worse security metrics, the breach metrics correlation shows no difference – just like every other best-practice we’ve correlated so far.

The Web Application Firewall (WAF) is the last place we’ll look for answers as to what might help improve an organizations website security metrics. WAFs have the ability to block incoming H[[HJRZ��WYV[LJ[PUN�HNHPUZ[�[OL�L_WSVP[H[PVU�VM�]\SULYHIPSP[PLZ�[OH[�HSYLHK`�L_PZ[��;OPZ�JV\SK�KLÄUP[LS`�


positively impact website security performance.

Organizations with a Web Application Firewall deployment had 11% more vulnerabilities, resolved them 8% slower, and had a 7% lower remediation rate.

The percentages are small, but it does not appear WAF deployments are making websites SLZZ�]\SULYHISL��0[�JV\SK�IL�[OH[�TVYL�VM�[OLZL�KL]PJLZ�ULLK�[V�TV]L�MYVT�JVUÄN\YH[PVU�[V�blocking mode. Or perhaps what they are blocking needs to be more precise and actually block vulnerabilities the website has. It could also be that when a vulnerability is found, the organization needs to assign more resources to managing them to get the most out of a WAF.

(Figure 36).

And we should be used to it by now, but like everything else we’ve looked at, those with a WAF deployment fare no better or worse than those without.

Overall, the breach correlation analysis was certainly enlightening, but also disappointing. We ^LYL�YLHSS`�OVWPUN�[V�ÄUK�ZVTL[OPUN�[OH[�HJ[\HSS`�^VYRLK�YH[OLY�\UP]LYZHSS �̀�ZVTL[OPUN�[OH[�statistically improves security metrics AND decreases breaches. The closest we got was software security training for developers. Maybe that’s the only “best-practice” that really did seem to work everywhere. However, no matter what you do, it doesn’t seem to protect you from a security breach.

We don’t want to leave it here, though. What we did see in the data is that many organizations are clearly deriving value from other things such as centralized controls, pre-production testing, SCA, and WAFs – while for others, there is clearly no value. The average was somewhere in-between. What this tells us is that these solutions can work, certainly they can help, but only when implemented in the right way, at the right time, targeted at the right problem. In the next section, we hope to get at some of these answers.




SURVEY ANSWERS: ACCOUNTABILITY CORRELATION

If there is one chart in the entire report that really opened our eyes, it is Figure 38. There is a huge delta between accountability of those who said they were breached and those who haven’t ILLU��6M�[OVZL�^OV�ZHPK�[OLPY�ZLJ\YP[`�KLWHY[TLU[�^HZ�HJJV\U[HISL��ÄYZ[�YV^��VM�[OLT�ZHPK�[OLYL�^HZ�UV�IYLHJO��NYLLU��^OPSL�� ZHPK�[OLPY�OHK�ILLU��YLK��0U�ZVM[^HYL�KL]LSVWTLU[�[OL�HJJV\U[HIPSP[`�YLZ\S[Z�^LYL�ULHYS`�[OL�ZHTL��OHK�UV�IYLHJO��ZHPK�[OLYL�^HZ��,HJO�part of the organization, including the executive management and board of directors, showed similar results. Combine this with the other charts in the section and the evidence is strong: Accountability matters a great deal.

Accountability could be the underlying factor that allows SDLC activities such as training for developers, centralized controls, pre-production testing, SCA, WAFs, etc. to improve security performance metrics and decrease breaches. Accountability may be the difference between truly adopting and internalizing the activity and simply treating it as a time-wasting checkbox. The answer to what works in application and website security may certainly contain a technique and process level answer, but must include the support of an organizational mandate. The theory certainly sounds plausible.


RECOMMENDATIONS

(Figure 41).

First and foremost, we believe the data contained in this report provides supportive evidence of something most information security professionals already instinctively know: accountability is an absolute necessity for an effective security program. If web and software security are truly important to an organization, then someone in the organization must not only be held accountable for security performance, but they must also be empowered to affect change. >HYUPUN!�HZZPNUPUN�YLZWVUZPIPSP[`�^P[OV\[�WYV]PKPUN�HKLX\H[L�H\[OVYP[`�PZ�H�Z\YLÄYL�^H`�[V�frustrate individuals and encourage talent to walk out the door.

Accountability may begin at as high a level as the board of directors, which is often the case PU�[OL�HM[LYTH[O�VM�H�IYLHJO��-YVT�[OLYL��HJJV\U[HIPSP[`�^PSS�UH[\YHSS`�ÄS[LY�KV^U�[OYV\NOV\[�the organization: through executive management to security teams to software developers, and even through to the software procurement department. Without a foundation of accountability, even the best-laid plans will fail. The data leads us in this direction. With accountability, there will be a tangible return on investment regardless of what best-practices an organization might implement. Furthermore, high-end security talent appreciates this kind of responsibility and views it as a career advancement opportunity.

Secondly, there are no best-practices. Our data and experience strongly suggest that security “best-practices” in the software development lifecycle (SDLC) are not universally effective, but are situation-dependent. Whether referring to source code reviews, security testing during QA, Web Application Firewalls, or other methods, each has an appropriate time and place. The challenge in increasing the organization’s security posture cost-effectively is determining what to recommend, what to implement, what to purchase, and when. Security teams must get this right.

The tactical key to improving a web security program is having a comprehensive metrics program in place – a system capable of performing ongoing measurement of the security posture of production systems, exactly where the proverbial rubber meets the road. Doing so


WYV]PKLZ�KPYLJ[�]PZPIPSP[`�PU[V�ÔPJO�HYLHZ�VM�[OL�:+3*�WYVNYHT�HYL�KVPUN�^LSS�HUK�ÔPJO�VULZ�ULLK�PTWYV]LTLU[��-HPS\YL�[V�TLHZ\YL�HUK�\UKLYZ[HUK�ÔLYL�HU�:+3*�WYVNYHT�PZ�KLÄJPLU[�ILMVYL�[HRPUN�HJ[PVU�PZ�H�N\HYHU[LLK�^H`�[V�^HZ[L�[PTL�HUK�TVUL`�¶�IV[O�VM�ÔPJO�HYL�HS^H`Z�extremely limited.

Below is a step-by-step strategy for building out a website security program that yields results:

0) Assign an individual or group that is accountable for website security: These individuals or groups may include the board of directors, executive management, security teams, and software developers. They should be commissioned and authorized to establish a culturally consistent incentives program that will help move the organization in a positive direction with respect to security.

1) -PUK�`V\Y�^LIZP[LZ�¶�HSS�VM�[OLT�¶�HUK�WYPVYP[PaL!�7YPVYP[PaH[PVU�JHU�IL�IHZLK�VU�I\ZPULZZ�JYP[PJHSP[ �̀�KH[H�ZLUZP[P]P[ �̀�YL]LU\L�NLULYH[PVU��[YHMÄJ�]VS\TL��U\TILY�VM�\ZLYZ��VY�V[OLY�JYP[LYPH�the organization deems important. Knowing what systems need to be defended and what value they have to the organization provides a barometer for an appropriate level of security investment.

2)�4LHZ\YL�`V\Y�J\YYLU[�ZLJ\YP[`�WVZ[\YL�MYVT�HU�H[[HJRLY»Z�WLYZWLJ[P]L!�;OPZ�Z[LW�PZ�UV[�just about identifying vulnerabilities; while that is a byproduct of the exercise, it’s about understanding what classes of adversaries you need to defend against and what your current L_WVZ\YL�[V�[OLT�PZ��1\Z[�ÄUKPUN�]\SULYHIPSP[PLZ�PZ�UV[�LUV\NO��4LHZ\YL�`V\Y�ZLJ\YP[`�WVZ[\YL�[OL�ZHTL�^H`�H�IHK�N\`�^V\SK�ILMVYL�[OL`�L_WSVP[�[OL�Z`Z[LT�¶�Ä_PUN�[OVZL�]\SULYHIPSP[PLZ�ÄYZ[�PZ�what’s important.

��;YLUK�HUK�[YHJR�[OL�SPMLJ`JSL�VM�]\SULYHIPSP[PLZ!�([�H�TPUPT\T��TLHZ\YL�OV^�THU`�vulnerabilities are introduced per production code release, what vulnerability classes are most WYL]HSLU[��[OL�H]LYHNL�U\TILY�VM�KH`Z�P[�[HRLZ�[V�YLTLKPH[L�[OLT��HUK�[OL�V]LYHSS�YLTLKPH[PVU�YH[L��;OL�YLZ\S[�WYV]PKLZ�H�^H`�[V�[YHJR�[OL�VYNHUPaH[PVU»Z�WYVNYLZZ�V]LY�[PTL��HUK�ZLY]LZ�HZ�H�N\PKL�MVY�ÔPJO�VM�[OL�:+3*�YLSH[LK�HJ[P]P[PLZ�HYL�SPRLS`�[V�THRL�[OL�TVZ[�PTWHJ[��(U`[OPUN�measured tends to improve.

��-HZ[�KL[LJ[PVU�HUK�YLZWVUZL!�/PZ[VYPJHSS`�P[�OHZ�ILLU�WY\KLU[�[V�VWLYH[L�\UKLY�[OL�HZZ\TW[PVU�[OH[�BHSSD�UL[^VYRZ�HYL�JVTWYVTPZLK��VY�HYL�H[�SLHZ[�OVZ[PSL��;OPZ�PZ�[OL�JHZL�LZWLJPHSS`�ZPUJL�L]LY`VUL�PZ�VUS`�VUL�aLYV�KH`�H^H`�MYVT�H�IYLHR�PU��)VYYV^PUN�MYVT�[OH[�MYHTL�VM�YLMLYLUJL��HWWSPJH[PVU�ZLJ\YP[`�WYVMLZZPVUHSZ�HYL�^LSS�HK]PZLK�[V�[HRL�H�ZPTPSHY�HWWYVHJO�HUK�MVJ\Z�VU�[OL�PTWHJ[�VM�[OH[�HZZ\TW[PVU��:[HY[�I`�HZRPUN�[OL�X\LZ[PVU!�¸0M�T`�HWWSPJH[PVU�PZ�HSYLHK`�]\SULYHISL�ÔH[�HJ[PVU�Z��ZOV\SK�0�ILNPU�[HRPUN&¹�0M�HU�VYNHUPaH[PVU�PZ�IYLHJOLK��[OL�YLHS�KHTHNL�OHWWLUZ�ÔLU�[OL�HK]LYZHY`�PZ�PU�[OL�Z`Z[LT�MVY�KH`Z��^LLRZ��VY�TVU[OZ��0M�HU�PU[Y\KLY�JHU�IL�Z\JJLZZM\SS`�PKLU[PÄLK�HUK�RPJRLK�VMM�[OL�Z`Z[LT�^P[OPU�OV\YZ��[OL�I\ZPULZZ�PTWHJ[�VM�H�IYLHJO�can be substantially minimized.


APPENDIX A: ABOUT THE DATASET

>OP[L/H[�:LU[PULS��PZ�[OL�TVZ[�HJJ\YH[L��JVTWSL[L�HUK�JVZ[�LMMLJ[P]L�^LIZP[L�]\SULYHIPSP[`�THUHNLTLU[�ZVS\[PVU�H]HPSHISL��0[�KLSP]LYZ�[OL�ÅL_PIPSP[ �̀�ZPTWSPJP[`�HUK�THUHNLHIPSP[`�[OH[�VYNHUPaH[PVUZ�ULLK�[V�JVU[YVS�[OLPY�^LIZP[L�ZLJ\YP[`�HUK�WYL]LU[�>LI�H[[HJRZ��>OP[L/H[�:LU[PULS�is built on a Software-as-a-Service (SaaS) platform that scales massively, supports the largest LU[LYWYPZLZ��HUK�VMMLYZ�[OL�TVZ[�JVTWLSSPUN�I\ZPULZZ�LMÄJPLUJPLZ�[V�SV^LY�`V\Y�V]LYHSS�JVZ[�MVY�website security.

<USPRL�[YHKP[PVUHS�^LIZP[L�ZJHUUPUN�ZVM[^HYL�VY�JVUZ\S[HU[Z��VUS`�>OP[L/H[�:LU[PULS�JVTIPULZ�proprietary scanning technology with custom testing by the industry’s only Threat Research *LU[LY��;9*��;OL�>OP[L/H[�:LJ\YP[`�;9*�PZ�H��[LHT�VM�^LIZP[L�ZLJ\YP[`�L_WLY[Z�ÔV�HJ[�HZ�H�JYP[PJHS�HUK�PU[LNYHS�JVTWVULU[�VM�[OL�>OP[L/H[�:LU[PULS�MHTPS �̀�;OL�;9*�PZ�HZ�HU�L_[LUZPVU�VM�`V\Y�^LIZP[L�ZLJ\YP[`�[LHT�¶�HJ[P]LS`�THUHNPUN�I\ZPULZZ�^LIZP[L�YPZR�WVZ[\YL�ZV�`V\�JHU�MVJ\Z�on technology and business goals.

DATA, PLATFORM, AND METHODOLOGY��WYVK\J[PVU�HUK�WYL�WYVK\J[PVU�^LIZP[LZ�HJYVZZ��VYNHUPaH[PVUZ�YLWYLZLU[PUN�many of the ^VYSK»Z�TVZ[�YLJVNUPaHISL�IYHUKZ��HJYVZZ�PUK\Z[YPLZ�PUJS\KPUN�)HURPUN��,K\JH[PVU��,ULYN �̀�-PUHUJPHS�:LY]PJLZ��/LHS[OJHYL��0UMVYTH[PVU�;LJOUVSVN �̀�0UZ\YHUJL��4HU\MHJ[\YPUN��5VU�7YVÄ[��9L[HPS��:VJPHS�5L[^VYRPUN��;LSLJVTT\UPJH[PVUZ��L[J�

��;OL�^LIZP[LZ�>OP[L/H[�:LJ\YP[`�HZZLZZLZ�NLULYHSS`�YLWYLZLU[�[OL�TVYL�PTWVY[HU[�HUK�ZLJ\YL�^LIZP[LZ�on the Web, owned by organizations that care about the security of their websites.

��,HJO�>OP[L/H[�:LU[PULS�J\Z[VTLY�ZLSM�ZLSLJ[Z�[OL�TVZ[�HWWYVWYPH[L�PUK\Z[Y`�SHILS�MVY�LHJO�^LIZP[L�under service.

��>OPSL�>OP[L/H[�:LU[PULS�J\Z[VTLYZ�THPU[HPU�JVTWSL[L�JVU[YVS�V]LY�[OLPY�]\SULYHIPSP[`�HZZLZZTLU[�schedule, the majority of websites are assessed for vulnerabilities multiple times per month.

��;OL�>OP[L/H[�:LU[PULS�WSH[MVYT�J\YYLU[S`�WLHRZ�H[�V]LY��ZPT\S[HULV\Z�ZJHUZ��JVSSLJ[P]LS`�NLULYH[PUN�^LSS�V]LY�H�IPSSPVU�/;;7�YLX\LZ[Z�WLY�TVU[O��JVUZ\TPUN�THU`�[LYHI`[LZ�VM�/;;7�YLSH[LK�KH[H�WLY�^LLR��HUK�ULJLZZP[H[PUN��4IWZ�VM�IHUK^PK[O��_��

��=\SULYHIPSP[PLZ�HYL�JSHZZPÄLK�HJJVYKPUN�[V�>(:*�;OYLH[�*SHZZPÄJH[PVU�]��

��:L]LYP[`�UHTPUN�JVU]LU[PVU�HSPNUZ�^P[O�7*0�+::�

�>OP[L/H[�:LU[PULS�:LY]PJLO[[WZ!��^^ �̂ÔP[LOH[ZLJ�JVT�ZLU[PULSFZLY]PJLZ�ZLU[PULSFZLY]PJLZ�O[TS��>OP[L/H[�:LJ\YP[`�;OYLH[�9LZLHYJO�*LU[LY��;9*�O[[WZ!��^^ �̂ÔP[LOH[ZLJ�JVT�ZLU[PULSFZLY]PJLZ�[OYLH[FYLZLHYJO�O[TS��>(:*�;OYLH[�*SHZZPÄJH[PVU��]��O[[W!��WYVQLJ[Z�^LIHWWZLJ�VYN�;OYLH[�*SHZZPÄJH[PVU��7*0�+H[H�:LJ\YP[`�:[HUKHYK��7*0�+::�O[[WZ!��^^ �̂WJPZLJ\YP[`Z[HUKHYKZ�VYN�ZLJ\YP[`FZ[HUKHYKZ�WJPFKZZ�ZO[TS


IMPORTANT FACTORS INFLUENCING THE DATA

The Platform)\PS[�HZ�H�:VM[^HYL�HZ�H�:LY]PJL��:HH:��[LJOUVSVN`�WSH[MVYT��>OP[L/H[�:LU[PULS�JVTIPULZ�WYVWYPL[HY`�ZJHUUPUN�[LJOUVSVN`�^P[O�HUHS`ZPZ�I`�ZLJ\YP[`�L_WLY[Z�PU�P[Z�;OYLH[�9LZLHYJO�*LU[LY�[V�LUHISL�J\Z[VTLYZ�[V�PKLU[PM �̀�WYPVYP[PaL��THUHNL�HUK�YLTLKPH[L�^LIZP[L�]\SULYHIPSP[PLZ��>OP[L/H[�:LU[PULS�MVJ\ZLZ�ZVSLS`�VU�WYL]PV\ZS`�\URUVÛ�]\SULYHIPSP[PLZ�PU�J\Z[VT�>LI�HWWSPJH[PVUZ�¶�JVKL�\UPX\L�[V�HU�VYNHUPaH[PVU��,]LY`�]\SULYHIPSP[`�KPZJV]LYLK�I`�HU`�>OP[L/H[�:LU[PULS�:LY]PJL�PZ�]LYPÄLK�MVY�HJJ\YHJ`�HUK�WYPVYP[PaLK�by severity and threat.

The Methodology0U�VYKLY�MVY�VYNHUPaH[PVUZ�[V�[HRL�HWWYVWYPH[L�HJ[PVU��LHJO�^LIZP[L�]\SULYHIPSP[`�T\Z[�IL�PUKLWLUKLU[S`�

1. >LIZP[LZ�YHUNL�MYVT�OPNOS`�JVTWSL_�HUK�PU[LYHJ[P]L�^P[O�SHYNL�H[[HJR�Z\YMHJLZ�[V�Z[H[PJ�brochureware.�)YVJO\YL^HYL�^LIZP[LZ��ILJH\ZL�VM�[OLPY�YLSH[P]LS`�SPTP[LK�H[[HJR�Z\YMHJL��[LUK�[V�OH]L�H�SV^LY�U\TILY�VM�¸J\Z[VT¹�>LI�HWWSPJH[PVU�]\SULYHIPSP[PLZ�

2. The customer-base is largely, but not exclusively, US-based, as are their websites.��/V^L]LY��H�ZPNUPÄJHU[�U\TILY�VM�^LIZP[LZ�HYL�SVJHSPaLK�PU�H�]HYPL[`�VM�SHUN\HNLZ�

�� =\SULYHIPSP[PLZ�HYL�JV\U[LK�I`�\UPX\L�>LI�HWWSPJH[PVU�HUK�]\SULYHIPSP[`�JSHZZ��0M�[OYLL�VM�[OL�Ä]L�WHYHTL[LYZ�VM�H�ZPUNSL�>LI�HWWSPJH[PVU��MVV�^LIHWW�JNP��HYL�]\SULYHISL�[V�:83�0UQLJ[PVU��[OPZ�PZ�JV\U[LK�HZ��PUKP]PK\HS�]\SULYHIPSP[PLZ��L�N��H[[HJR�]LJ[VYZ��:LJVUKS �̀�PM�H�ZPUNSL�WHYHTL[LY�JHU�IL�exploited in more than one way, each of those are counted as well. We count this way because a vulnerability in each parameter may actually lead to a different problem in a different part of the code.

�� Only serious* vulnerabilities that can be directly and remotely exploitable and that may lead to data loss or account compromise are included.

�� ¸)LZ[�WYHJ[PJL¹�ÄUKPUNZ�HYL�UV[�PUJS\KLK�PU�[OL�YLWVY[�� For example, if a website mixes SSL content with non-SSL on the same Web page, while this may be considered a policy violation, it must be [HRLU�VU�H�JHZL�I`�JHZL�IHZPZ��

�� Our vulnerability assessment processes are incremental and ongoing. ;OL�MYLX\LUJ`�VM�HZZLZZTLU[Z��ÔPJO�PZ�J\Z[VTLY�KYP]LU��ZOV\SK�UV[�H\[VTH[PJHSS`�IL�JVUZPKLYLK�¸JVTWSL[L�¹��

7. It is best to view this report as a best-case scenario, and there are always more vulnerabilities to be found.�5L^�H[[HJR�[LJOUPX\LZ�HYL�JVUZ[HU[S`�ILPUN�YLZLHYJOLK�[V�\UJV]LY�WYL]PV\ZS`�\URUVÛ�]\SULYHIPSP[PLZ��PUJS\KPUN�PU�WYL]PV\ZS`�[LZ[LK�HUK�\UJOHUNLK�JVKL��3PRL^PZL�HZZLZZTLU[Z�TH`�IL�conducted in different forms of authenticated state (i.e. user, admin, etc.).

8. >LIZP[LZ�TH`�IL�JV]LYLK�I`�KPMMLYLU[�>OP[L/H[�:LU[PULS�:LY]PJL��7YLTP\T��7,��:[HUKHYK��:,��)HZLSPUL��),��HUK�7YL3H\UJO��73��VMMLY�]HY`PUN�KLNYLLZ�VM�[LZ[PUN�JYP[LYPH��I\[�HSS�PUJS\KL�]LYPÄJH[PVU� 7,�JV]LYZ�HSS�[LJOUPJHS�]\SULYHIPSP[PLZ�HUK�I\ZPULZZ�SVNPJ�ÅH^Z�PKLU[PÄLK�I`�[OL�>(:*�;OYLH[�*SHZZPÄJH[PVU��HUK�ZVTL�IL`VUK��:,�MVJ\ZLZ�WYPTHYPS`�VU�[OL�[LJOUPJHS�]\SULYHIPSP[PLZ��),�I\UKSLZ�JYP[PJHS�[LJOUPJHS�ZLJ\YP[`�JOLJRZ�PU[V�H�WYVK\J[PVU�ZHML��M\SS`�H\[VTH[LK�ZLY]PJL�

9. ;OLYL�PZ�ZVTL�HTV\U[�VM�KV\ISL�^LIZP[L��]\SULYHIPSP[`�JV\U[PUN��*\Z[VTLYZ�ZVTL[PTLZ�KLWSV`�>OP[L/H[�:LU[PULS�ZPT\S[HULV\ZS`�VU�WYVK\J[PVU�^LIZP[LZ�HUK�[OLPY�PU[LYUHS�8(�:[HNPUN�TPYYVYZ��(Z�Z[HUKHYK�WYHJ[PJL��V\Y�WYVJLZZ�THRLZ�UV�HZZ\TW[PVU�[OH[�HU`�^LIZP[L�PZ�PKLU[PJHS�[V�HUV[OLY��0[�PZ�HSZV�PTWVY[HU[�[V�UV[L�[OH[�P[�PZ�Z[H[PZ[PJHSS`�YHYL�MVY�WYVK\J[PVU�HUK�8(�:[HNPUN�[V�OH]L�PKLU[PJHS�vulnerabilities.


L]HS\H[LK�MVY�I\ZPULZZ�JYP[PJHSP[ �̀��-VY�L_HTWSL��UV[�HSS�*YVZZ�:P[L�:JYPW[PUN�VY�:83�0UQLJ[PVU�]\SULYHIPSP[PLZ�HYL�LX\HS��THRPUN�P[�ULJLZZHY`�[V�JVUZPKLY�P[Z�[Y\L�ZL]LYP[`�MVY�HU�PUKP]PK\HS�VYNHUPaH[PVU��<ZPUN�[OL�7H`TLU[�*HYK�0UK\Z[Y`�+H[H�:LJ\YP[`�:[HUKHYK��7*0�+::��ZL]LYP[`�Z`Z[LT��<YNLU[��*YP[PJHS��/PNO��4LKP\T��3V^��HZ�H�IHZLSPUL��>OP[L/H[�:LJ\YP[`�YH[LZ�]\SULYHIPSP[`�ZL]LYP[`�I`�[OL�WV[LU[PHS�I\ZPULZZ�PTWHJ[�PM�[OL�PZZ\L�^LYL�[V�IL�exploited and does not rely solely on default scanner settings.

>OP[L/H[�:LU[PULS�VMMLYZ�MV\Y�KPMMLYLU[�SL]LSZ�VM�ZLY]PJL��7YLTP\T��:[HUKHYK��)HZLSPUL��HUK�7YL3H\UJO��[V�TH[JO�[OL�SL]LS�VM�ZLJ\YP[`�HZZ\YHUJL�YLX\PYLK�I`�[OL�VYNHUPaH[PVU��(KKP[PVUHSS �̀�>OP[L/H[�:LU[PULS�L_JLLKZ�7*0��HUK��YLX\PYLTLU[Z�MVY�>LI�HWWSPJH[PVU�ZJHUUPUN�

Scanning Technology

• Production Safe (PE, SE, BE): Non-invasive testing with less performance impact than a single user.

• -HSZL�WVZP[P]LZ!�,]LY`�]\SULYHIPSP[`�PZ�]LYPMPLK�MVY�HJJ\YHJ`�I`�>OP[L/H[�:LJ\YP[`»Z�;OYLH[�9LZLHYJO�*LU[LY�

• >LI��:\WWVY[!�1H]H:JYPW[��-SHZO��(1(?��1H]H�(WWSL[Z��HUK�(J[P]L?�HYL�OHUKSLK�ZLHTSLZZS �̀

• Authenticated Scans: Patented automated login and session-state management for complete website

coverage.

• )\ZPULZZ�3VNPJ!�J\Z[VTPaLK�[LZ[Z�HUHS`aL�L]LY`�MVYT��I\ZPULZZ�WYVJLZZ��HUK�H\[OLU[PJH[PVU��

authorization component.

APPENDIX B At a Glance: !e Current State of Website Security (2011) (Sorted by Industry)


;VW��=\SULYHIPSP[`�*SHZZLZ��(Sorted by vulnerability class)

Overall Vulnerability Population (2011)7LYJLU[HNL�IYLHRKV^U�VM�HSS�[OL�ZLYPV\Z��]\SULYHIPSP[PLZ�KPZJV]LYLK��(Sorted by vulnerability class)

website security statistics report · 2 website security statistics report | may 2013 introduction...

Documents