Hacking by Numbers OWASP. The OWASP Foundation

Similar documents
Web Application Security Statistics Project 2007

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

90% of data breaches are caused by software vulnerabilities.

RiskSense Attack Surface Validation for Web Applications

Important Points to Note

CSWAE Certified Secure Web Application Engineer

Web Application Vulnerabilities: OWASP Top 10 Revisited

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

NEW. WhiteHat Website Security Statistics Report. A WhiteHat Security Whitepaper. October 2007 Jeremiah Grossman Founder and CTO, WhiteHat Security

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Certified Secure Web Application Engineer

Engineering Your Software For Attack

Solutions Business Manager Web Application Security Assessment

Web Application Whitepaper

Trustwave Managed Security Testing

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Web Application Threats and Remediation. Terry Labach, IST Security Team

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Vulnerabilities in online banking applications

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

Micro Focus Fortify Application Security

Managed Application Security trends and best practices in application security

Bank Infrastructure - Video - 1

SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

CoreMax Consulting s Cyber Security Roadmap

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

C1: Define Security Requirements

WHITEHAT SENTINEL PRODUCT FAMILY. WhiteHat Sentinel Product Family

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Ethical Hacking and Prevention

A (sample) computerized system for publishing the daily currency exchange rates

Web Application Penetration Testing

Continuously Discover and Eliminate Security Risk in Production Apps

INTERACTIVE APPLICATION SECURITY TESTING (IAST)

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

7 Ways to Scale Web Security

Penetration testing.

Automating the Top 20 CIS Critical Security Controls

Trustwave Managed Security Testing

TRAINING CURRICULUM 2017 Q2

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Improving Security in the Application Development Life-cycle

A Strategic Approach to Web Application Security

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

The Top 6 WAF Essentials to Achieve Application Security Efficacy

THE CONTRAST ASSESS COST ADVANTAGE

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Protect your apps and your customers against application layer attacks

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application security : going quicker

Aguascalientes Local Chapter. Kickoff

Tiger Scheme SST Standards Web Applications

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Certified Secure Web Application Security Test Checklist

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

Professional Services Overview

Development*Process*for*Secure* So2ware

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

Curso: Ethical Hacking and Countermeasures

epldt Web Builder Security March 2017

Security Solutions. Overview. Business Needs

Secure Programming Techniques

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

Web Application Security. OWASP 11 th August, The OWASP Foundation Basic SQL injection Basic Click Jacking

SIEMLESS THREAT MANAGEMENT

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Vulnerability Assessment with Application Security

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Security Religions & Risk Windows

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

WHITEPAPER. Vulnerability Analysis of Certificate Validation Systems

Web Security, Summer Term 2012

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

8 Must Have. Features for Risk-Based Vulnerability Management and More

Endpoint Security - what-if analysis 1

CS 356 Operating System Security. Fall 2013

Securing Your Company s Web Presence

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Web Applications (Part 2) The Hackers New Target

WEB APPLICATION VULNERABILITIES

OWASP RFP CRITERIA v 1.1

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Security Communications and Awareness

Integrigy Consulting Overview

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Security Fundamentals for your Privileged Account Security Deployment

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

Imperva Incapsula Website Security

Transcription:

Hacking by Numbers OWASP Tom Brennan WhiteHat Security Inc. tom.brennan@whitehatsec.com 973-506-9303 skype: jinxpuppy Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

2009 WhiteHat, Inc. Page 2

2009 WhiteHat Security page Web Application - User s View

Web Application Hacker s View Cross-site scripting Session Hijacking Parameter Manipulation CSRF Password Guessing Account Enumeration SQL Injection Denial of Service 2009 WhiteHat Security page

Data collected from January 1, 2006 to March 25, 2010 Which web programming languages and industries are most secure?

WhiteHat Security 300+ enterprise customers Start-ups to Fortune 500 Flagship offering WhiteHat Sentinel Service Thousands of assessments performed annually Recognized leader in website security Jeremiah Grossman CTO Quoted thousands of times by the mainstream press 2010 WhiteHat Security, Inc. Page 6

WhiteHat Sentinel Complete Website Vulnerability Management Customer Controlled & Expert Managed Unique SaaS-based solution Highly scalable delivery of service at a fixed cost Production Safe No Performance Impact Full Coverage On-going testing for business logic flaws and technical vulnerabilities uses WASC 24 classes of attacks as reference point Unlimited Assessments Anytime websites change Eliminates False Positives Security Operations Team verifies all vulnerabilities Continuous Improvement & Refinement Ongoing updates and enhancements to underlying technology and processes 2010 WhiteHat Security, Inc. Page 7

Website Classes of Attacks Technical: Automation Can Identify Command Execution Buffer Overflow Format String Attack LDAP Injection OS Commanding SQL Injection SSI Injection XPath Injection Information Disclosure Directory Indexing Information Leakage Path Traversal Predictable Resource Location Client-Side Content Spoofing Cross-site Scripting HTTP Response Splitting* Business Logic: Humans Required Authentication Brute Force Insufficient Authentication Weak Password Recovery Validation CSRF* Authorization Credential/Session Prediction Insufficient Authorization Insufficient Session Expiration Session Fixation Logical Attacks Abuse of Functionality Denial of Service Insufficient Anti-automation Insufficient Process Validation 2010 WhiteHat Security, Inc. Page 8

Attacker Profile/Targeting Random Opportunistic Fully automated scripts Unauthenticated scans Targets chosen indiscriminately Directed Opportunistic Commercial and Open Source Tools Authentication scans Multi-step processes (forms) Fully Targeted (APT?) Customize their own tools Focused on business logic Profit or goal driven ($$$) 2010 WhiteHat Security, Inc. Page 9

Vulnerability Overlap What s a website? Websites, which may be a collection of multiple web servers and hostnames, often utilize more than one programming language or framework. As such, a single website may contain vulnerabilities with multiple different extensions. ASP ASPX CFM DO ASPX 11% ASP 36% ASPX JSP ASP 4% PHP 4% JSP 15% ASPX 6% ASP 9% JSP PHP PL ASP 6% PHP DO 5% ASPX ASPX 8% JSP 5% ASP 1 ASPX JSP 11% PHP 12% 2010 WhiteHat Security, Inc. Page 10

Data Overview 1,659 total websites 24,286 verified custom web application vulnerabilities Data collected from January 1, 2006 to March 25, 2010 Vast majority of websites assessed for vulnerabilities weekly Vulnerabilities classified according to WASC Threat Classification, the most comprehensive listing of Web application vulnerabilities Vulnerability severity naming convention aligns with PCI-DSS Contrasted and compared ASP Classic,.NET, Cold Fusion, Struts, Java Server Pages, PHP, and Perl. Average # of inputs (attack surface) per website Average ratio of vulnerability count / number of inputs ASP ASPX CFM DO JSP PHP PL 470 484 457 569 919 352 588 8.7% 6.2% 8.4% 6. 9.8% 8.1% 11.6% 2009 WhiteHat, Inc. Page 11 9

Key Findings Languages / frameworks do not have identical security postures when deployed in the field -- they have moderately different vulnerabilities, with different frequency of occurrence, which are fixed in different amounts of time. Perl (PL) had the highest average number of vulnerabilities found historically by a wide margin, at 44.8 per website and also the largest number currently at 11.8. Struts (DO) edged out Microsoft s.net (ASPX) for the lowest average number of currently open vulnerabilities per website at 5.5 versus 6.2. Cold Fusion (CFM) had the second highest average number of vulnerabilities per website historically at 34.4, but the lowest likelihood of having a single serious* unresolved vulnerability if currently managed under WhiteHat Sentinel (54%). Perl (PL), Cold Fusion (CFM), JSP, and PHP websites were the most likely to have at least one serious* vulnerability, at roughly 80% of the time. 37% of Cold Fusion (CFM) websites had SQL Injection vulnerabilities, the highest of all measured, while Struts (DO) and JSP had the lowest with 14% and 15%. PHP and Perl websites were among the worst in average vulnerability counts, but had fastest average Cross-Site Scripting remediation times -- 52 and 53 days respectively. At same time Microsoft s.net (ASPX) performed among the best in vulnerability count averages, but placed dead last for remediation times at 87 days. 2009 WhiteHat, Inc. Page

Key Findings - 1,659 ASP ASPX CFM DO JSP PHP PL Websites having had at least one serious* vulnerability Websites currently with at least one serious* vulnerability Avg. # of serious* vulnerabilities per website during the WhiteHat Sentinel assessment lifetime Avg. # of serious* severity unresolved vulnerabilities per website 74% 7 86% 77% 80% 80% 88% 57% 58% 54% 56% 59% 6 75% 25 18.7 34.3 19.9 25.8 26.6 44.8 8.9 6.2 8.6 5.5 9.6 8.3 11.8 2009 WhiteHat, Inc. Page

Top Ten Classes of Attack Percentage likelihood of a website having a vulnerability by class 1 9% 15% 15% 17% 1 8% 19% 16% 9% 29% 19% 17% 41% 35% 54% 66% 18% 9% 25% 18% 2 29% 37% 42% 75% 10% 14% 21% 14% 20% 26% 16% 8% 19% 18% 18% 24% 21% 15% 2 27% 35% 19% 14% 15% 25% 40% 46% 47% 57% 59% 5 20% 20% 25% 36% 39% 36% 32% 66% 80% 66% 56% 72% 66% 70% 71% 82% ASP ASPX CFM DO JSP PHP PL 2010 WhiteHat Security, Inc. Page 14

Vulnerability Population

Time-to-Fix (Days) ASP 84 68 85 49 44 71 84 27 91 117 124 1532 ASPX 87 57 71 51 52 72 68 72 139 78 125 29 49 CFM 72 70 79 140 79 92342 122 1024 DO 76 58 83 57 52 59 104 56 81 121 2042 71 JSP PHP PL AVG. 67 52 53 70 58 73 29 56 47 78 36 62 62 53 56 51 32 52 62 62 80 5120459 81 90 57 65 71 57 54 43 78 49 112 115 117 76 2232 85 112 131 501934 Cross-Site Scripting Information Leakage Content Spoofing Insufficient Authorization SQL Injection Predictable Resource Location Cross-Site Request Forgery Session Fixation HTTP Response Splitting Abuse of Functionality Insufficient Authentication Directory Traversal Directory Indexing 2010 WhiteHat Security, Inc. Page 16

Resolution Rates by Severity Class of Attack Severity ASP ASPX CFM DO JSP PHP PL SQL Injection Urgent 70% 72% 66% 79% 58% 70% 71% Insufficient Authorization Urgent 21% 45% 46% 20% 25% 18% 10% Directory Traversal Urgent 4 20% 67% 0% 3 32% 16% Cross Site Scripting Urgent 100% 0% 100% 0% 0% 50% 0% Cross-Site Scripting Critical 51% 57% 50% 51% 52% 66% 54% Cross-Site Request Forgery Critical 18% 34% 17% 27% 39% 57% 27% Session Fixation Critical 19% 18% 0% 36% 50% 50% 100% Abuse of Functionality Critical 76% 2 82% 38% 57% 59% 97% Insufficient Authentication Critical 55% 37% 0% 3 71% 0% 100% Information Leakage High 32% 34% 57% 49% 45% 39% 29% Content Spoofing High 31% 30% 4 37% 44% 46% 69% Predictable Resource Loc. High 29% 64% 85% 64% 5 56% 29% HTTP Response Splitting High 28% 24% 3 10% 36% 42% 35% Directory Indexing High 3 56% 40% 25% 27% 3 18% TOTAL 65% 67% 75% 72% 6 69% 74% 2010 WhiteHat Security, Inc. Page 17

3 2% 16% 17% 4% 1% 28% 7% 8% 19% 11% 1% 10% 22% 7% 1% 2% 4% 4% 2% 4% 11% n at io 18% 24% 17% 6% 14% 26% uc Ed 11% 15% 5 om Te l 14% 40% 50% ec et w N al 1 32% 25% 16% 14% 2% ci ar m Ph 14% 35% 27% a ce an ur In s lth H IT ea l ai et 24% 20% So 27% R ASP ASPX CFM DO JSP PHP PL Fi n an ci ca al re Se or ki rv ic ng es Technology in Use 21% 32% 24% 9% 17% 1 11% 4% 2010 WhiteHat Security, Inc. Page 18 10

Top Five by Technology in Use & Industry 11

Final Thoughts Technically speaking, one Web programming language / development framework can be made basically just as secure (or not) as any other. You can't secure what you don't know you own Inventory your Web applications to gain visibility into what data is at risk and where attackers can exploit the money or data transacted. Assign a champion Designate someone who can own and drive data security and is strongly empowered to direct numerous teams for support. Without accountability, security, and compliance, will suffer. Don't wait for developers to take charge of security Deploy shielding technologies to mitigate the risk of vulnerable Web applications. Shift budget from infrastructure to Web application security With the proper resource allocation, corporate risk can be dramatically reduced. Community - get personally involved in supporting OWASP, leverage the projects that can help you Open Software Assurance Maturity Model (Open SAMM) 2009 WhiteHat, Inc. Page

Thank You Tom Brennan tom.brennan@whitehatsec.com Full Report Available https://www.whitehatsec.com/home/ assets/wpstats_spring10_9thfr.pdf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback