WhiteHat Website Security Statistics Report
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
WhiteHat Website Security Statistic Report – Spring 2010, 9th Edition
Which Web Programming Languages are Most Secure?
Download a PDF of the Report ››
Introduction
Security-conscious organizations make implementing a software security development lifecycle a priority. As part of the process, they evaluate a large number of development technologies for building websites. The assumption by many is that not all development environments are created equal. So the question often asked is, “What is the most secure programming language or development framework available?”
Clearly, familiarity with a specific product, whether it is designed to be secure-by-default or must be configured properly, and whether various libraries are available, can drastically impact the outcome. Still, conventional wisdom suggests that most popular modern languages / frameworks (commercial & open source) perform relatively similarly when it comes to an overall security posture. At least in theory, none is markedly or noticeably more secure than another. Suggesting PHP, Java, C# and others are any more secure than other frameworks is sure to spark heated debate.
As has been said in the past, “In theory, there is no difference between theory and practice. But, in practice, there is.” Until now, no website security study has provided empirical research measuring how various Web programming languages / frameworks actively perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that popular modern languages / frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of nearly 1,700 websites under WhiteHat Sentinel management, we may begin to answer some of these questions. These answers may enable the website security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas; software vendors may focus on areas found lacking; and, developers will increase their familiarity with the strength and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and be virtually transparent. Only then will application security progress be made.
Top 3 Key Findings (Full list available in the report)
- Empirically, programming languages / frameworks do not have similar security postures when deployed in the field. They are shown to have moderately different vulnerabilities, with different frequency of occurrence, which are fixed in different amounts of time.
- The size of a Web application’s attack surface alone does not necessarily correlate to the volume and type of issues identified. For example, Microsoft’s .NET (ASPX) and Struts (DO), with near-average attack surfaces, turned in the two lowest historical vulnerability averages. ASPX and DO websites have had an average of 18.7 and 19.9 serious vulnerabilities respectively.
- Perl (PL) had the highest average number of vulnerabilities found historically by a wide margin, at 44.8 per website, and also the largest number currently at 11.8. ties have taken over 50 days to fix.
Attack Surface and Number of Vulnerabilities
The size of an application’s attack surface is an extremely important security metric. Application inputs are the places where arbitrary data is received, potentially leaving the software open to attack (the attack surface). Application inputs include, but are not limited to, query and POST data parameter names/values, cookies, and file paths/names. These numbers come from crawling all of a website’s Web pages while maintaining a logged-in state.
The overall average number of input points for all websites is 548, with PHP on the low-end with 352, JSP on the high end at 919, and the remainder falling in-between. Generally, the larger the attack surface, the more vulnerabilities one would expect to find, or at least the odds of this being true increases. With this assumption, we would expect similarly ordered results within the “Avg. # of serious* vulnerabilities per website during the WhiteHat Sentinel assessment lifetime”.
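To make the attack-surface metric concrete, the following added example (not WhiteHat’s code and not how Sentinel computes its figures) counts distinct input points per host from a handful of crawl records. The record format, the hostnames and the requests are all constructed for the example; an input point is taken, following the definition above, to be a distinct file path, query parameter name, POST parameter name or cookie name.

```python
"""Count application input points (attack surface) from crawl records.

Added example, not part of the report. The crawl records and their
(method, url, cookie header, body) layout are constructed here; the
report does not define a record format.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed crawl records: what a logged-in crawler might have seen.
CRAWL = [
    ("GET", "http://shop.example/index.php?cat=1&sort=price", "session=abc", ""),
    ("GET", "http://shop.example/index.php?cat=2", "session=abc; lang=en", ""),
    ("POST", "http://shop.example/login.php", "session=abc", "user=a&pass=b"),
    ("GET", "http://shop.example/img/logo.png", "", ""),
    ("GET", "http://api.example/v1/items.jsp?id=5", "", ""),
    ("POST", "http://api.example/v1/items.jsp", "", "id=5&qty=2&note=x"),
]


def input_points(records):
    """Return {host: set of (kind, name)} where kind is path/query/post/cookie.

    Parameter names, not values, define an input point: ?cat=1 and ?cat=2
    are the same input. The same name seen as a query parameter and as a
    POST field counts twice, because each is a separate place data enters.
    """
    surface = defaultdict(set)
    for method, url, cookie_header, body in records:
        parts = urlsplit(url)
        host = parts.hostname
        # Every distinct path is an input (path/file name handling).
        surface[host].add(("path", parts.path))
        # Query-string parameter names, blank values included.
        for name in parse_qs(parts.query, keep_blank_values=True):
            surface[host].add(("query", name))
        # POST body parameter names (form-encoded bodies only).
        if method == "POST":
            for name in parse_qs(body, keep_blank_values=True):
                surface[host].add(("post", name))
        # Cookie names from the Cookie header.
        for cookie in cookie_header.split(";"):
            cookie = cookie.strip()
            if cookie:
                surface[host].add(("cookie", cookie.split("=", 1)[0]))
    return surface


def attack_surface_size(records):
    """Number of distinct input points per host."""
    return {host: len(points) for host, points in input_points(records).items()}


def attack_surface_by_kind(records):
    """Per-host breakdown of input points by kind, useful for reporting."""
    result = {}
    for host, points in input_points(records).items():
        counts = defaultdict(int)
        for kind, _ in points:
            counts[kind] += 1
        result[host] = dict(counts)
    return result


if __name__ == "__main__":
    for host, size in attack_surface_size(CRAWL).items():
        print(host, size, attack_surface_by_kind(CRAWL)[host])
```

On the constructed records, shop.example has 9 input points (3 paths, 2 query parameters, 2 POST fields, 2 cookies) and api.example has 5. A real crawl would add headers, JSON bodies and path parameters to the kinds counted here; the per-name rather than per-value rule is what keeps the number from growing with every distinct product id a crawler happens to request.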
Past Editions of the Website Security Statistics Report
Fall 2009 – 8th Edition – Website Security Statistics Report
Listen to the presentation (53 minutes) ››› 
Download a PDF of the report ››› 
Download a PDF of the presentation (1.9 MB PDF) ›››
Spring 2009 – 7th Edition – Website Security Statistics Report
Listen to the presentation (46 minutes) ››› 
Download a PDF of the report ››› 
Download a PDF of the presentation (1.3 MB PDF) ››› 
December 2008 – 6th Edition – Website Security Statistics Report
Listen to the presentation (55 minutes) ››› 
Download a PDF of the report ››› 
Download a PDF of the presentation (1.3 MB PDF) ›››
August 2008 – 5th Edition – Website Security Statistics Report
Listen to the presentation (68 minutes) ››› 
Download a PDF of the presentation (849 KB PDF) ›››
Download a PDF of the report ››› 
March 2008 – 4th Edition – Website Security Statistics Report
Listen to the presentation (65 minutes) ››› 
Download a PDF of the presentation (849 KB PDF) ››› 
Download a PDF of the report ››› 
October 2007 – 3rd Edition – Website Security Statistics Report
Download a PDF of the report ›››
April 2007 – 2nd Edition – Website Security Statistics Report
Download a PDF of the report ›››
January 2007 – 1st Edition – Website Security Statistics Report
Download a PDF of the report ›››
Cyber-criminals are evolving. Many are in it for the money, others the data, some prefer silent command & control, and more still seek to embarrass or harass their victims. While attackers’ motivations are consistent, their methods and techniques are anything but predictable. This has made Web security a moving target. To protect themselves, organizations need timely information about the latest attack trends and defense measures, as well as visibility into their website vulnerability lifecycle.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is able to deliver the knowledge and solutions that organizations need to protect their brands, attain PCI-DSS compliance and avert potentially devastating and costly breaches.
The WhiteHat Security Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to safely conduct business online. The WhiteHat Security report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations.