A Statistical Journey through the Web Application Security Landscape


by Jeremiah Grossman

Citigroup, Sony, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company is immune. It doesn't matter if a business is in financial services, retail, education, gaming, social networking, government, telecom, or media. Daily headlines tell the stories of millions of lost credit-card numbers, millions of personal information records exposed, and gigabytes worth of intellectual property stolen. The net result – corporate losses in the hundreds of millions, sharp stock price declines, lawsuits, fines and costly downtime. All signs point to a worsening problem, but the most important question is, "what can be done about it?"

In this session, Mr. Grossman will explore vulnerability assessment results that WhiteHat Security has produced across hundreds of organizations on over 4,000 of the Internet's most important websites -- a process designed to identify the very same issues the bad guys routinely exploit. Mapping this volume of data against the high-profile breaches yields a great deal to be learned: for example, that most websites were exposed to at least one serious vulnerability every day of 2010, or how an organization ranks relative to its peers in the same industry. We are also able to compare the characteristics of highly secure websites against those of highly vulnerable ones, and so identify the business practices that work best.

Fundamentally, the answer to the software security question can be found through metrics. By carefully tracking and analyzing a specific set of key performance indicators (KPIs), an organization can determine where its resources would be best invested.
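To make the metrics idea concrete, here is an added example (not code from the talk or from WhiteHat Security) that computes three such KPIs from a list of assessment findings: the days per year a site had at least one open serious vulnerability (the "exposed every day of 2010" figure above), mean time-to-fix, remediation rate, and a ranking of each site against its industry peers. The site names, dates, the severity classes treated as "serious", and the convention that a finding is exposed from its open date up to but not including its close date are all assumptions of this example.

```python
"""Exposure-window style KPIs computed from vulnerability assessment findings."""
from datetime import date, timedelta
from typing import List, NamedTuple, Optional

# Severity classes counted as "serious" (an assumption of this example).
SERIOUS = {"urgent", "critical", "high"}


class Finding(NamedTuple):
    site: str
    industry: str
    severity: str
    opened: date            # first day the finding was confirmed open
    closed: Optional[date]  # day it was verified fixed; None = still open


# Constructed sample findings; hostnames, industries and dates are illustrative only.
FINDINGS: List[Finding] = [
    Finding("shop.example",  "retail",  "critical", date(2010, 1, 10), date(2010, 2, 9)),
    Finding("shop.example",  "retail",  "high",     date(2010, 6, 1),  None),
    Finding("shop.example",  "retail",  "low",      date(2010, 3, 1),  date(2010, 3, 5)),
    Finding("store.example", "retail",  "urgent",   date(2010, 5, 1),  date(2010, 5, 11)),
    Finding("store.example", "retail",  "medium",   date(2010, 1, 1),  None),
    Finding("bank.example",  "finance", "critical", date(2009, 12, 1), date(2010, 1, 31)),
    Finding("bank.example",  "finance", "high",     date(2010, 1, 15), date(2010, 1, 20)),
]


def _serious(findings, site):
    return [f for f in findings if f.site == site and f.severity in SERIOUS]


def window_of_exposure(findings, site, year):
    """Days in `year` on which `site` had at least one open serious finding.

    A finding counts on every day from `opened` up to, but not including,
    `closed`; overlapping findings are unioned so each day is counted once,
    and findings that straddle the year boundary are clipped to the year.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    exposed = set()
    for f in _serious(findings, site):
        first = max(f.opened, start)
        last = min(f.closed - timedelta(days=1), end) if f.closed else end
        day = first
        while day <= last:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def mean_time_to_fix(findings, site):
    """Average days from open to verified-closed for serious findings (None if none closed)."""
    durations = [(f.closed - f.opened).days for f in _serious(findings, site) if f.closed]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings, site):
    """Fraction of serious findings that have been closed (None if no serious findings)."""
    serious = _serious(findings, site)
    return sum(1 for f in serious if f.closed) / len(serious) if serious else None


def peer_ranking(findings, industry, year):
    """Sites in `industry` ordered from least to most exposed days in `year`."""
    sites = sorted({f.site for f in findings if f.industry == industry})
    return sorted(((s, window_of_exposure(findings, s, year)) for s in sites),
                  key=lambda pair: (pair[1], pair[0]))


def kpi_report(findings, year):
    """Per-site KPI table: exposure days, mean time-to-fix, remediation rate, peer rank."""
    report, rank_cache = {}, {}
    for site, industry in sorted({(f.site, f.industry) for f in findings}):
        ranking = rank_cache.setdefault(industry, peer_ranking(findings, industry, year))
        position = [s for s, _ in ranking].index(site) + 1
        report[site] = {
            "exposure_days": window_of_exposure(findings, site, year),
            "mean_time_to_fix": mean_time_to_fix(findings, site),
            "remediation_rate": remediation_rate(findings, site),
            "industry_rank": f"{position} of {len(ranking)} in {industry}",
        }
    return report


if __name__ == "__main__":
    for site, kpis in kpi_report(FINDINGS, 2010).items():
        print(site, kpis)
```

Note that exposure days and remediation rate answer different questions: shop.example has fixed half of its serious findings, yet the one it has not fixed keeps it exposed for most of the year, which is exactly the kind of gap a KPI table makes visible when deciding where to spend remediation effort.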

Copyright 2011. All Rights Reserved.