Wednesday, August 27, 2008

Download the 5th Website Security Statistics Report

Whew, what a mountain of work! I’m ecstatic the complete 5th installment of our Website Security Statistics Report (all 13 pages) is finally published and available for everyone to see – and comment on. I’m also extremely proud that we’re able to capture a measurable improvement in overall website security. Good news from inside InfoSec!? I know, weird huh!? We still have a long way to go, but these statistics show we’re on the right path and doing the right things:
  • Find and prioritize all websites
  • Find and fix website vulnerabilities
  • Implement a secure software development process
  • Utilize a defense-in-depth website security strategy

Today’s webinar went extremely well, slides are available for those interested. And some quick numbers:

Total Websites: 687
Identified vulnerabilities: 11,234
Unresolved vulnerabilities: 3,541 (66% resolved)
Websites HAVING HAD at least one serious issue: 82%
Websites CURRENTLY WITH at least one serious issue: 61%
Average vulnerabilities per website: 5

The shiny new WhiteHat Top Ten

Yes! CSRF finally makes the list!

Also covered are:
- Collection methodology
- Time-to-fix and remediation metrics
- Industry vertical comparisons
- Best practices & lessons learned

Feedback on what other numbers people would like us to report on in the future is very welcome.


Monday, August 25, 2008

5th Website Security Statistics Report

For the last month I’ve been compiling our third quarter 2008 Website Security Statistics Report, which contains a comprehensive vulnerability analysis of over 600 real live websites. We’re talking 11,000 verified vulnerabilities collected from typically weekly assessments. This type of data is not available from reports by Symantec, Mitre (CVE), IBM X-Force, SANS, or anywhere else and we're excited to be able to share it.

We put a ton of work into this report and there is a massive amount of data. Highlights include a revised Top Ten list of vulnerabilities, updated Time-to-Fix metrics, vulnerability remediation percentages showing progress, vertical market comparisons, and so on. The information is really valuable because it provides visibility into future trends, trouble spots, and what action items should be considered.

On Wednesday, August 27th, 11:00 AM PDT I’ll be hosting an hour-long webinar to go over the results. Attendees will be given the opportunity to be the first to see the results and ask questions. Registration is free, but space is limited. If you are interested in attending, now is the time to register.

Back at my Desk

I’m finally home from a 3-cities-in-3-days tour covering Atlanta, New York, and Chicago. Beyond the excellent turnout for the WH/F5 lunch and learn presentations, I’m always fond of the extracurricular activity. Since I’m still injured, visiting new BJJ academies was out of the question, so instead I substituted the time with food. Fortunately I was able to do so with meals that fit within my high-protein, low-carb diet (208 lbs is the goal). 30 lbs to go!

In Atlanta there was Fogo de Chão, a stellar upscale all-you-can-eat Brazilian BBQ restaurant, that served 15 types of fire-roasted meats brought to your table sizzling on skewers. Now that’s hard to beat. In New York we stopped by my all-time favorite steak place, Smith & Wollensky, for a Colorado bone-in ribeye. The waiter said it was the most flavorful meat in the world, I’m thinking he was right.

In Chicago, I left the venue selection to the OWASP Chicago Chapter locals. But before that, Cory Scott and Jason Witty invited me to deliver an encore performance of “Get Rich or Die Trying” at the recommendation of Ed Bellis (thank you). The cool thing about that particular talk is that afterwards people always clue me into other business logic flaws they’ve encountered. It’s really good content to add, especially if it involves money. Personally, I was excited to see the presentations by Mike Zussman and Nate McFeters since I didn’t get to see either talk at Black Hat.

Afterwards we went out for drinks with several people including Nate McFeters, Thomas Ptacek, Shrikant Raman, and a dozen others. The appetizers were decent, but I think they chose the place more for the beer than anything else. Chicago probably has one of the more friendly and vibrant chapters around. Anyway, it’s good to be back home. I got to do some modest BJJ training over the weekend, play in the GGAFL finals (we got spanked badly), and hit some rides with the kids at Great America. Now off to do the expense reports. Yay! ;)

Wednesday, August 20, 2008

Can you identify the white ninja?

During BlackHat USA, there were sightings of a mysterious white ninja. Witness reports claim he spoke with an English accent at 300 words per minute, raved on about sandboxing code, and plotted to take over the Web with a worm to wake people up (but just for a day). Anyone know who this phantom figure is?

Bonus points for posting the best photo caption. I’m thinking “practice safe output encoding”.

Tuesday, August 12, 2008

Application Security Vendors Counting their Millions

Software security sage Gary McGraw (CTO, Cigital) published his market research on what he believes are the 2007 revenue numbers for application security vendors. Speaking for myself, I can neither confirm nor deny the accuracy of this data, certainly when it comes to WhiteHat.

Fortify: $29.2 million
Coverity: $27.2 million
Klocwork: $26 million
Watchfire (IBM): $24.1 million
SPI Dynamics (HP): $22.3 million
Cenzic + Codenomicon + WhiteHat: $12.5 million
Ounce Labs: $9.5 million

$150.8 million total for the tools / SaaS market

“The source code analysis space is now larger than the black box testing tools space….”

Sort of, but more on that in a moment.

“Tools don't run themselves”

Ain’t that the truth.

“The hard-to-track software security services space checks in around $100-140 million in 2007, with growth just shy of 20% over 2006. Services can be divided into three tracks: training (around $7 million), risk assessment ($45-60 million) and penetration testing ($50-75 million).”

I’m not sure about the risk assessment number, but I’m thinking the estimates for training and penetration testing are probably orders of magnitude lower than they should be. The rates for larger players including IBM Global Services, Verizon, Symantec, Ernst & Young, PwC, and KPMG aren’t cheap. And to some extent neither are the smaller players such as Matasano, SecTheory, iSec, Leviathan, Denim Group, Foundstone, Gotham, NGSS, FishNet, Aspect, SANS, IOActive, Immunity, NTO, NGS, BlueInfy, Net-Square and dozens of other regional players. No wonder the overall market totals are tough to track, but each takes their piece of the pie.

I believe when it comes to the black-box testing of web applications, services are likely 5x larger than the tools industry – especially if you consider that few organizations these days haven’t had a professional vulnerability assessment (and it’s tough to capture international sales as well). The opposite is true for white-box testing, where tool purchases are way more common due to the cost of a line-by-line source code review by a consultant. Then we have WAF sales driven by VA sales, which makes sense because an organization typically must identify a need before it can justify the fix. The same was true of the network firewall, patch management, and A/V markets.

All in all, the trajectory for the entire web application security segment is going up, and fast. PCI-DSS 6.6 is certainly one stimulant, but so is all the web hacking going on these days. Great numbers Gary, thanks for sharing!

Monday, August 11, 2008

BlackHat encore - Chicago OWASP next week

Chapter leaders Cory Scott and Jason Witty were gracious enough to invite me to present at this month's OWASP Chicago meeting. It's always fun to visit a new chapter. I've been to about a dozen so far, and it's great meeting like-minded webappsec people from various parts of the country and world. This is also a good opportunity for those who missed Black Hat to see one of the presentations live rather than relying solely on the information in the slides.

August 21 - OWASP Chicago Chapter (6:00pm – 8:30pm)
6:00 Refreshments and Networking
6:15 Bad Cocktail: Spear Phishing + Application Hacks - Rohyt Belani, Managing Partner, Intrepidus Group
7:15 Get Rich or Die Trying - Making Money on The Web, The Black Hat Way - Jeremiah Grossman, Founder & CTO of Whitehat Security

Bank of America Plaza
540 W. Madison, Downtown Chicago, 23rd floor.

*Please RSVP to jason{AT}wittys.com by 8/19/2008 if you plan to attend. Your name will need to be entered into the building's security system in order to gain access to the meeting.*

Road Show - 3 Cities in 3 Days

For those interested in learning more about the WhiteHat Sentinel / F5 ASM integration, we have a road show scheduled (if not, go ahead and stop reading now). We’re visiting Atlanta, New York, and Chicago next week. In each city the presenters will be our CEO Stephanie Fohn, sharing insights on the latest website vulnerability statistics; a guest customer from a financial institution, sharing their experiences on “The Challenge of Managing Application Security in Today's Environment”; and myself, paired with an F5 engineer, performing live VA+WAF demos. A really nice lunch will be served on us and registration is free, though space is limited. Hope to see many of you there!

August 19 (Atlanta @ 11:30am – 1:30pm)
The Four Seasons Hotel
75 Fourteenth Street Atlanta, GA 30309
Guest Speaker: Allen Stone, Senior Security Specialist, E*TRADE Financial
August 20 (New York @ 11:30am – 1:30pm)
The Tribeca Grand Hotel
2 Avenue of the Americas
New York, NY 10013
Guest Speaker: Jim Routh, Chief Information Security Officer, DTCC
August 21 (Chicago @ 11:30am – 1:30pm)
The Peninsula Chicago Hotel
108 East Superior Street
Chicago, IL 60611
(312) 337-2888
Guest Speaker: Anna Sherony, Privacy and Information Protection Officer, Sammons Financial

Get Rich or Die Trying (BlackHat USA 2008)

Update 08.11.2008: Added a video interview of Trey and myself to the bottom of the post.

Our speaking slot was informally dubbed the “power hour” due to the number of stellar presentations all booked at the same time - many of which I would have loved to attend personally. Nate McFeters & Co. unveiled the details of their GIFAR research, Microsoft announced they’ll be revealing vulnerability details to certain vendors prior to public disclosure, Joanna Rutkowska spoke on the Xen Hypervisor, etc. And making matters just a little bit more interesting, we were generously given a larger ballroom. This was scary because with a speaking time near the end of the last day combined with top-notch competition, a sparsely attended room would have been entirely likely. So when the room filled to capacity, I’m guessing around 1,000 people (standing room only), Trey Ford and I were ecstatic! Which reminds me, Trey Ford (Director of Solutions Architecture) pinch hit for Arian Evans (Director of Operations) so he could focus more time on his presentation, “Encoded, Layered and Transcoded Syntax Attacks.”

The premise for the “Get Rich or Die Trying” presentation was looking forward at the next 3-5 years, considering that we’re probably going to see less fertile ground for XSS/SQLi/CSRF to be taken advantage of – that is, if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend against, and, more importantly, issues potentially generating 4, 5, 6 or even more figures a month in illicit revenue. In many ways though this is sort of like predicting the present, since just about every example we gave was grounded with a real-world public reference and backed by statistics. We also wanted this presentation to be very different from what most are used to at BlackHat, where talks tend to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.

We designed a presentation meant to be a lot of fun, that taught things anyone could do, and that perhaps by the end might have people questioning their ethics. Judging from much of the feedback, I think we might have succeeded on the last point. :) RSnake was also a good sport when we ribbed him a little bit. For those interested in the slides, I quickly uploaded them to slideshare. The quality is decent (hard to see the references) and you can download the PDF. I’m working on slenderizing it now, so when I have it I’ll upload that as well, including the video when we get it.

Lastly thank you very much to everyone who came and supported us, it meant a lot.