WhiteHat Security Website Security Statistics Report

Spring 2009 – 7th Edition – Website Security Statistics Report Download a PDF of the the report ›››
Listen to the presentation (46 minutes) ›››
Download a PDF of the presentation (1.3 MB PDF) ›››

There is a difference between what is possible and what is probable, something we often lose sight of in the world of information security. For example, a vulnerability represents a possible way for an attacker to exploit an asset, but remember not all vulnerabilities are created equal. Obviously we must also keep in mind that just because a vulnerability exists does not necessarily mean it will be exploited, or indicate by whom or to what extent. Clearly, many vulnerabilities are very serious leaving the door open to compromise of sensitive information, financial loss, brand damage, violation of industry regulations, and downtime. Some vulnerabilities are more difficult to exploit than others and therefore attract different attackers. Autonomous worms & viruses may attack one type of issue, while a sentient targeted attacker may prefer another path. Better understanding of these factors enables us to make informed business decisions about website risk management and what is probable.

Q1 2009 Key Findings

82% of websites have had a HIGH, CRITICAL, or URGENT issue
63% of websites currently have a HIGH, CRITICAL, or URGENT issue
60% vulnerability resolution rate among sample with 7,157 (out of 17,888 historical vulnerabilities) unresolved issues remaining as of 3/31/09
Vulnerability time-to-fix metrics are not changing substantively, typically requiring weeks to months to achieve resolution.
Average # of HIGH, CRITICAL, or URGENT severity vulnerabilities per website during the vulnerability assessment lifetime: 17
Average number of serious unresolved vulnerabilities per website: 7
Average number of inputs (attack surface) per website: 227
Average ratio of vulnerability count / number of inputs: 2.58%

December 2008 – 6th Edition Download a PDF of the the report (998 KB) ›››

Web application security has become a priority for organizations. Just a few years ago, the security industry focused on network attacks. However, as more business moved to the Web, the attacks moved as well. Even so, it has taken several high-profile breaches, most recently websites of the U.S. Department of Homeland Security, CBS, Sony Playstation and countless other websites to raise awareness of mass scale attacks. These events have elevated Web application security to the executive level. Once business managers began to understand that Web breaches were affecting their bottom line, the motivation to prevent attacks grew. Like network security before it, Web application security has graduated from hacks for notoriety to serious business.

Phishing and other early Web attack techniques still exist, but the difference is that 79% of the attacks exploit legitimate websites. As the attackers grow smarter, the challenges for organizations become more complex. With more business on the Web, the number of sites that need to be secured has grown. The attacks are coming more frequently and using more sophisticated techniques, testing the knowledge of internal staff. Compliance requirements such as PCI are expanding their coverage of Web application security, which is also driving companies to explore solutions.

For many companies, 2008 was the year that Web application security became a reality. However, it is difficult to know where to start. After all, you cannot fix if you don’t know what is broken. That’s the race business owners are in with the criminal element.

This report provides a high-level perspective on the leading Web application security issues across industries such as retail, financial services, technology and healthcare, based on real-world sites.

After more than two years of reporting on the industry, for the first time we see a positive trend--the majority of vulnerabilities discovered have been resolved. This is significant because it demonstrates that a consistent, methodical Web application security program does in fact make organizations more secure. Consistency is important, because as the data will show, new attack techniques are constantly being tested in the wild and only a regular assessment approach will identify these new threats. PCI-DSS is also placing pressure on application security practitioners to intensify their efforts.

Data Overview

877 total websites
Vast majority of websites assessed for vulnerabilities weekly
Vulnerabilities classified according to WASC Threat Classification
Vulnerability severity naming convention aligns with PCI-DSS
Obtained between January 1, 2006 and December 1, 2008

Key Findings

Total identified vulnerabilities (open & closed): 14,718
Current open vulnerabilities: 5,283 (64% resolved)
Historically, 82% of assessed websites have had at least one issue of HIGH, CRITICAL, or URGENT severity
63% of assessed websites currently have issues of HIGH, CRITICAL, or URGENT severity
Historically, websites average 17 vulnerabilities identified during the lifetime of the assessment cycle
Websites currently average 6 open vulnerabilities
Cross-Site Request Forgery gained two spots in the Top Ten moving to #8
Vulnerability time-to-fix metrics are not changing, typically requiring weeks to months to achieve resolution
Roughly 50% of the most prevalent Urgent severity issues have been resolved

Read the full report – download a copy today (998 KB) ›››

August 2008 Website Security Statistics Report

Listen to the presentation (Aug 27 - 68 minutes) ›››
Download a PDF of the presentation (849 KB PDF) ›››
Download a PDF of the the report (4.42 MG) ›››

The Web layer is the number one target for malicious online attacks. Why? Simply put, because that is where the money is. In the span of just a few years, Web hacking has evolved from exploration and experimentation to exploitation and monetization.

The advent of this trend can be marked by the benign Samy Worm, which compromised over one million MySpace profiles in 2005, and was motivated entirely by one man’s curiosity. Today, sophisticated mass SQL Injection attacks have infected over 1.5 million Web pages worldwide in the last year alone, including those belonging to the Department of Homeland Security, the United Nations, and Sony, among others. Infected Web pages will foist malware upon their visitor’s computers, which in turn may cause the URLs to be blacklisted,4 resulting in massive loss of online traffic and revenue - not to mention the costs of the cleanup effort. These days no website is considered too small or insignificant to be targeted, because just about every website can be exploited for illicit financial gain.

Cyber-criminals are eager to break into websites to access social security numbers, credit card numbers, bank account details, customer lists, early quarterly earnings reports, as well as the email addresses they hold. To reduce the risk of financial losse5, brand damage, theft of intellectual property, legal liability and fines, this data must be rigorously protected. Yet, even if this type of sensitive data is not stored on the website or is well protected, the bad guys may not need it all to profit because their real targets are the website visitors themselves. For example, the ever popular drive-by-download attacks are designed to exploit a user’s browser and infect them with malware as soon as they arrive. The user from that point forward can be phished, passwords stolen, or even used as part of a botnet that sends out spam to infect other machines – all as a result of visiting a legitimate Web page.

March 2008 Website Security Statistics ReportListen to the presentation ››› (65 minutes)
Download a PDF of the presentation ››› (849 KB PDF)
Download a PDF of the the report ››› (1.26 MBPDF)

After two years of examining the state of website security in this report, we have seen the number and type of website attacks continue to rise. That means more sensitive information including social security numbers, credit card, names, addresses, birth dates, financial records, trade secrets, medical data are at risk than ever before. This data must be rigorously protected to reduce the risk of financial losses, brand damage, theft of intellectual property, legal liability and fines.

Vulnerability Prevalence by Severity Rating
While nine in ten websites have at least one vulnerability, this metric alone doesn’t necessarily place a company or its data at serious risk, as these could include low severity issues. The fact is not all vulnerabilities are created equal, making it important to consider the “severity” of an issue and not just raw numbers. Using the Payment Card Industry Data Security Standard11 (PCI-DSS) severity system (Urgent, Critical, High, Medium, Low) as a baseline, WhiteHat Security ranks vulnerability severity by the potential business impact if the issue were to be exploited. It should also be noted that according the PCI-DSS, any websites with URGENT, CRITICAL, or HIGH severity issues are considered non-compliant... :: Read More »

Percentage likelihood of websites having a least one vulnerability (sorted by severity)

The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.

The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.

WhiteHat issues continued installments of the Website Security Statistics Report on a quarterly basis. To ensure the report remains useful and relevant, WhiteHat incorporates feedback and ideas from leading industry thought leaders and influencers. Based on feedback already received, the latest report includes: comparing vulnerability prevalence by severity, top ten vulnerability classes sorted by percentage likelihood and an outline of the types of technology typically encountered during WhiteHat vulnerability assessments mapped with the associated vulnerability percentage breakdown.