Jeremiah Grossman, CTO, WhiteHat Security
WhiteHat Security launches its new quarterly Web Application Security Risk Report this quarter, offering statistics and trend data on security vulnerabilities affecting custom Web sites and applications. The intent of the report is to offer visibility into which issues are the most prevalent and severe, based on assessments WhiteHat performs on live production Web sites.
"The Web application security world is almost devoid of statistics," said Jeremiah Grossman, founder and chief technology officer of WhiteHat Security Inc. in Santa Clara, Calif. "We know there are vulnerabilities in Web sites, but we don't know how prevalent they are or what types [they are]. There is only anecdotal evidence of what is leaked to the press. [WhiteHat] is in a unique position to assess many Web sites on a continuous basis, and we want to share that data."
Custom code varies among Web sites, so it is difficult to gather data and identify trends. By WhiteHat making its data available, organizations will know what the vulnerabilities are and how their Web site stacks up against the findings, Grossman said. "If they haven't had an assessment and they're unsure of how their Web site will be attacked, it will give them data to work with. It also helps the security guys make the case."
WhiteHat Security uses the Web Application Security Consortium (WASC) threat classification of 24 Web application vulnerability classes as a baseline for classifying vulnerabilities.
WhiteHat's research reveals that eight out of 10 Web sites have serious flaws. According to the report, about 71% of Web sites are vulnerable to cross-site scripting (XSS), followed by information leakage (30%), predictable resource location (28%), content spoofing (26%), insufficient authentication (21%) and SQL injection (20%).
Grossman said the percentage of SQL injection vulnerabilities "seems to be going down; it's only showing up in one in five Web sites, which might be due to [growing] awareness."
However, SQL injection is the top high-severity vulnerability, followed by insufficient authentication, insufficient authorization, XSS and abuse of functionality. In the report, WhiteHat ranks vulnerability severity by the potential business impact if the issue were exploited. The majority of sites have at least one medium-severity vulnerability, and nearly 40% have at least one high-severity vulnerability, according to the findings.
XSS was cited as the top medium-severity vulnerability, appearing on more than two-thirds of Web sites. Low-severity vulnerabilities include predictable resource location and information leakage. The report notes that when such low-severity vulnerabilities do not expose critical customer or corporate data, their ramifications are small, which lets the security group place them lower on the remediation list.
The report also noted that some of the OWASP Top 10 vulnerabilities, such as buffer overflows, do not appear in custom Web applications.
WhiteHat assesses hundreds of real-world Web sites each month through WhiteHat Sentinel, a continuous vulnerability assessment and management service for Web applications. "We do a combination of scanning and expert-driven assessment," Grossman said. "If you just do one or the other you will miss [vulnerabilities]."
Grossman said older Web sites are a lot more vulnerable, by "an order of magnitude." He attributes this to the built-in security of the newer development frameworks, making it less likely for vulnerabilities such as session hijacking or SQL injection to occur. "That's not to say frameworks will make the world perfect, but the decrease in vulnerabilities is hard to ignore," he said.
While software development life cycles that build in security from the beginning are important, Grossman said, modern frameworks are making more of a difference. "Say you've got a legacy ASP application and an ASP.NET application. You've got the same developers, but the security is much different. That's what we're seeing in our data," he said.
Starting with the first quarterly report, WhiteHat will be trending the data "to see if vulnerabilities are getting more prevalent," Grossman said. "We've had great feedback from the community on data they wanted to see. [Previously] it was only the guys doing assessments that had data here and there during their assessments. So for the first time you get to see large amounts of data queryable from a huge data set."
An introductory report, based on assessment results obtained over the first half of 2006, is available now on WhiteHat's Web site. The first full report, based on data collected during the second half of 2006, will be available at the end of the first quarter.