WhiteHat Security launches its new quarterly Web Application
Security Risk Report this quarter, offering statistics and trend
data on security vulnerabilities affecting custom Web sites and
applications. The intent of the report is to offer visibility into
which issues are the most prevalent and severe, based on
assessments WhiteHat performs on live production Web sites.
"The Web application security world is almost devoid of
statistics," said Jeremiah Grossman, founder and chief technology
officer of WhiteHat Security Inc. in Santa Clara, Calif. "We know
there are vulnerabilities in Web sites, but we don't know how
prevalent they are or what types [they are]. There is only
anecdotal evidence of what is leaked to the press. [WhiteHat] is in
a unique position to assess many Web sites on a continuous basis,
and we want to share that data."
Custom code varies from one Web site to the next, so it is difficult to gather
comparable data and identify trends. By making its assessment data available,
WhiteHat aims to let organizations know what the common vulnerabilities are and how their
own Web site stacks up against the findings, Grossman said. "If they
haven't had an assessment and they're unsure of how their Web site
will be attacked, it will give them data to work with. It also
helps the security guys make the case."
Vulnerabilities found
WhiteHat Security uses the Web Application Security Consortium
(WASC) threat classification of 24 Web application vulnerability
classes as a baseline for classifying vulnerabilities.
WhiteHat's research reveals that eight out of 10 Web sites have
serious flaws. According to the report, about 71% of Web sites are
vulnerable to cross-site scripting (XSS), followed by information
leakage (30%), predictable resource location (28%), content
spoofing (26%), insufficient authentication (21%) and SQL injection
(20%).
Grossman said the percentage of SQL injection vulnerabilities
"seems to be going down; it's only showing up in one in five Web
sites, which might be due to [growing] awareness."
However, SQL injection is the top high-severity vulnerability,
followed by insufficient authentication, insufficient
authorization, XSS and abuse of functionality. In the report,
WhiteHat ranks vulnerability severity by the potential business impact
if the issue were to be exploited. The majority of sites have at
least one medium-severity vulnerability, and nearly 40% have at
least one high-severity vulnerability, according to the
findings.
XSS was cited as the top medium-severity vulnerability,
appearing on more than two-thirds of Web sites. Low-severity
vulnerabilities include predictable resource location and
information leakage. The report notes that when these low-severity
vulnerabilities do not expose critical customer or
corporate data, the ramifications are small, which allows the
security group to put them lower on the remediation list.
The report also noted that some of the OWASP Top 10
vulnerabilities, such as buffer overflows, do not appear in custom
Web applications.
WhiteHat assesses hundreds of real-world Web sites each month
through WhiteHat Sentinel, a continuous vulnerability assessment
and management service for Web applications. "We do a combination
of scanning and expert-driven assessment," Grossman said. "If you
just do one or the other you will miss [vulnerabilities]."
Grossman said older Web sites are a lot more vulnerable, by "an
order of magnitude." He attributes this to the built-in security of
the newer development frameworks, making it less likely for
vulnerabilities such as session hijacking or SQL injection to
occur. "That's not to say frameworks will make the world perfect,
but the decrease in vulnerabilities is hard to ignore," he
said.
While software development life cycles that build in security
from the beginning are important, Grossman said, modern frameworks
are making more of a difference. "Say you've got a legacy ASP
application and an ASP.NET application. You've got the same
developers, but the security is much different. That's what we're
seeing in our data," he said.
Starting with the first quarterly report, WhiteHat will be
trending the data "to see if vulnerabilities are getting more
prevalent," Grossman said. "We've had great feedback from the
community on data they wanted to see. [Previously] it was only the
guys doing assessments that had data here and there during their
assessments. So for the first time you get to see large amounts of
data queryable from a huge data set."
An introductory report, based on assessment results obtained
over the first half of 2006, is available now on
WhiteHat's Web site. The
first full report, based on data collected during the second half
of 2006, will be available at the end of the first quarter.