2,000 Websites Later Which Web Programming Languages are Most Secure?



Similar documents
Attack Vector Detail Report Atlassian

Web Application Report

Web Application Security: Connecting the Dots

Web App Security Audit Services

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

WhiteHat Security Sentinel Service

locuz.com Professional Services Security Audit Services

Web Application Security

Web application vulnerability statistics for

Static & Dynamic Analysis for Web Applications. OWASP Atlanta Chapter March 2010 Meeting. The OWASP Foundation

Last update: February 23, 2004

Cross-Site Scripting

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

AppDefend Application Firewall Overview

Executive Summary On IronWASP

Web Application Security How to Minimize Prevalent Risk of Attacks

SAST, DAST and Vulnerability Assessments, = 4

MANAGED SECURITY TESTING

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

7th edition. WhiteHat Website Security Statistic Report. Spring 2009, 7th Edition

elearning for Secure Application Development

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Application Security Testing. Generic Test Strategy

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Where every interaction matters.

Chapter 1 Web Application (In)security 1

Web application security

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Challenges of Automated Web Application Scanning

WEB APPLICATION VULNERABILITY STATISTICS (2013)

Moving to the Cloud? Take Your Application Security Solution with You. A WhiteHat Security Whitepaper. September 2010

11th edition. WhiteHat Website Security Statistic Report. Winter 2011, 11th Edition Measuring Website Security: Windows of Exposure

Certified Secure Web Application Security Test Checklist

WHITEPAPER. Nessus Exploit Integration

SANDCAT THE WEB APPLICATION SECURITY ASSESSMENT SUITE WHAT IS SANDCAT? MAIN COMPONENTS. Web Application Security

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Million Browser Botnet

2014 Website Security Statistics Report

(WAPT) Web Application Penetration Testing

Web application security: automated scanning versus manual penetration testing.

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Early Vulnerability Detection for Supporting Secure Programming

Columbia University Web Security Standards and Practices. Objective and Scope

How to achieve PCI DSS Compliance with Checkmarx Source Code Analysis

Programming Flaws and How to Fix Them

Adobe Systems Incorporated

Testing the OWASP Top 10 Security Issues

Web Security Testing Cookbook*

Secure development and the SDLC. Presented By Jerry

The monsters under the bed are real World Tour

Is your software secure?

Essential IT Security Testing

05.0 Application Development

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Web Application Penetration Testing

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

The Top Five Myths of Website Security

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Software security, by the numbers. October 20, 2015

SENSITIVE AUSTRALIAN SPORTS COMMISSION ATHLETE MANAGEMENT SYSTEM (AMS) SMARTBASE SECURITY TEST PLAN. Final. Version 1.0

Intrusion detection for web applications

Comprehensive Security for Internet-of-Things Devices With ARM TrustZone

IJMIE Volume 2, Issue 9 ISSN:

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Table of Contents. Page 2/13

WHITEHAT SECURITY WEBSITE STATISTICS REPORT

OWASP Top Ten Tools and Tactics

Are our Educational Technology Systems Secured?

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Annex B - Content Management System (CMS) Qualifying Procedure

ensuring security the way how we do it

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

Application Code Development Standards

F5 and Microsoft Exchange Security Solutions

Threat Modeling. Deepak Manohar

Web Hacking Incidents Revealed: Trends, Stats and How to Defend. Ryan Barnett Senior Security Researcher SpiderLabs Research

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Magento Security and Vulnerabilities. Roman Stepanov

Sample Report. Security Test Plan. Prepared by Security Innovation

Promoting Application Security within Federal Government. AppSec DC November 13, The OWASP Foundation

CS 558 Internet Systems and Technologies

SQuAD: Application Security Testing

Using Web Security Scanners to Detect Vulnerabilities in Web Services

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Detecting SQL Injection Vulnerabilities in Web Services

Developing Secure Software in the Age of Advanced Persistent Threats

Transcription:

2,000 Websites Later Which Web Programming Languages are Most Secure? Jeremiah Grossman Founder & Chief Technology Officer 2010 WhiteHat Security, Inc.

WhiteHat Security Founder & Chief Technology Officer 2010 RSA Security Bloggers Award (Best Corporate Blog) InfoWorld's CTO Top 25 (2007) 5th most popular Jeremiah according to Google Brazilian Jiu-Jitsu Brown Belt Narcissistic Vulnerability Pimp Former Yahoo! information security officer me. 2010 WhiteHat Security, Inc. Page 2

WhiteHat Security 350+ enterprise customers Start-ups to Fortune 500 Flagship offering WhiteHat Sentinel Service 1000 s of assessments performed annually Recognized leader in website security Quoted thousands of times by the mainstream press 2010 WhiteHat Security, Inc. Page 3

WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed Unique SaaS-based solution Highly scalable delivery of service at a fixed cost Production Safe No Performance Impact Full Coverage On-going testing for business logic flaws and technical vulnerabilities uses WASC 24 classes of attacks as reference point Unlimited Assessments Anytime websites change Eliminates False Positives Security Operations Team verifies all vulnerabilities Continuous Improvement & Refinement Ongoing updates and enhancements to underlying technology and processes 2010 WhiteHat Security, Inc. Page 4

Website Classes of Attacks Technical: Automation Can Identify Command Execution Buffer Overflow Format String Attack LDAP Injection OS Commanding SQL Injection SSI Injection XPath Injection Information Disclosure Directory Indexing Information Leakage Path Traversal Predictable Resource Location Client-Side Content Spoofing Cross-site Scripting HTTP Response Splitting* Business Logic: Humans Required Authentication Brute Force Insufficient Authentication Weak Password Recovery Validation CSRF* Authorization Credential/Session Prediction Insufficient Authorization Insufficient Session Expiration Session Fixation Logical Attacks Abuse of Functionality Denial of Service Insufficient Anti-automation Insufficient Process Validation 2010 WhiteHat Security, Inc. Page 5

Attacker Targeting Fully Targeted (APT?) Customize their own tools Focused on business logic Profit or goal driven ($$$) Directed Opportunistic Commercial and Open Source Tools Authentication scans Multi-step processes (forms) Random Opportunistic Fully automated scripts Unauthenticated scans Targets chosen indiscriminately 2010 WhiteHat Security, Inc. Page 6

Evolution of Expectations 1. Quantity phase -- where more is more 2. Quality phase -- where less is more 3. Actionable phase -- how do I fix/improve things going forward with this data? 4. Consistency phase -- how do I do this consistently across time, because my software is always changing, without spending a zillion hours doing it? 2010 WhiteHat Security, Inc. Page 7

Vulnerability Overlap What s a website? Websites, which may be a collection of multiple web servers and hostnames, often utilize more than one programming language or framework. As such, a single website may contain vulnerabilities with multiple different extensions. ASP ASPX CFM DO ASPX 11% ASP 36% ASPX 3% JSP 3% ASP 4% PHP 4% JSP 15% ASPX 6% ASP 9% JSP PHP PL ASP 6% PHP 3% DO 5% ASPX 3% ASPX 8% JSP 5% ASP 13% ASPX 3% JSP 11% PHP 12% 2010 WhiteHat Security, Inc. Page 8

Data Overview 1,659 total websites 24,286 verified custom web application vulnerabilities Data collected from January 1, 2006 to March 25, 2010 Vast majority of websites assessed for vulnerabilities weekly Vulnerabilities classified according to WASC Threat Classification, the most comprehensive listing of Web application vulnerabilities Vulnerability severity naming convention aligns with PCI-DSS Contrasted and compared ASP Classic,.NET, Cold Fusion, Struts, Java Server Pages, PHP, and Perl. ASP ASPX CFM DO JSP PHP PL Average # of inputs (attack surface) per website Average ratio of vulnerability count / number of inputs 470 484 457 569 919 352 588 8.7% 6.2% 8.4% 6.3% 9.8% 8.1% 11.6% 2010 WhiteHat, Inc. Page 9

Key Findings ASP ASPX CFM DO JSP PHP PL Websites having had at least one serious* vulnerability 74% 73% 86% 77% 80% 80% 88% Websites currently with at least one serious* vulnerability Avg. # of serious* vulnerabilities per website during the WhiteHat Sentinel assessment lifetime Avg. # of serious* severity unresolved vulnerabilities per website 57% 58% 54% 56% 59% 63% 75% 25 18.7 34.3 19.9 25.8 26.6 44.8 8.9 6.2 8.6 5.5 9.6 8.3 11.8 2010 WhiteHat, Inc. Page

Top Ten Classes of Attack Percentage likelihood of a website having a vulnerability by class 2010 WhiteHat Security, Inc. Page 11

Time-to-Fix (Days) Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality Insufficient Authentication Directory Traversal Directory Indexing 2010 WhiteHat Security, Inc. Page 12

Resolution Rates by Severity Class of Attack Severity ASP ASPX CFM DO JSP PHP PL SQL Injection Urgent 70% 72% 66% 79% 58% 70% 71% Insufficient Authorization Urgent 21% 45% 46% 20% 25% 18% 10% Directory Traversal Urgent 43% 20% 67% 0% 33% 32% 16% Cross Site Scripting Urgent 100% 0% 100% 0% 0% 50% 0% Cross-Site Scripting Critical 51% 57% 50% 51% 52% 66% 54% Cross-Site Request Forgery Critical 18% 34% 17% 27% 39% 57% 27% Session Fixation Critical 19% 18% 0% 36% 50% 50% 100% Abuse of Functionality Critical 76% 23% 82% 38% 57% 59% 97% Insufficient Authentication Critical 55% 37% 0% 33% 71% 0% 100% Information Leakage High 32% 34% 57% 49% 45% 39% 29% Content Spoofing High 31% 30% 43% 37% 44% 46% 69% Predictable Resource Loc. High 29% 64% 85% 64% 53% 56% 29% HTTP Response Splitting High 28% 24% 33% 10% 36% 42% 35% Directory Indexing High 33% 56% 40% 25% 27% 33% 18% TOTAL 65% 67% 75% 72% 63% 69% 74% 2010 WhiteHat Security, Inc. Page 13

ASP ASPX CFM DO JSP PHP PL nc uc Ed om s ic e ki ng N et w or a at io n Te le c ci al So m ce an ur ar Ph In s e rv Se ar ia l lth c H ea IT R et ai l Fi na Technology in Use 2010 WhiteHat Security, Inc. Page 14 10

Lessons & Observations You can't secure what you don't know you own Inventory Web applications to gain visibility into what data is at risk and where attackers can exploit the money or data transacted. Assign a champion Designate someone who can own and drive data security and is strongly empowered to direct numerous teams for support. Without accountability, security, and compliance, will suffer. Don't wait for developers to take charge of security Deploy shielding technologies to mitigate the risk of vulnerable Web applications. 2010 WhiteHat Security, Inc. Page 15

Questions? Jeremiah Grossman Founder & Chief Technology Officer Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com 2010 WhiteHat Security, Inc. Page 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information