5% of websites have had at least 1 SQL Injection vulnerability without needing to login

During RSA Dave Aitel, CEO of Immunity, asked me a statistics question relating to website security. Dave asked, “What percentage of websites is WhiteHat seeing as vulnerable to SQL Injection — without needing to authenticate?” That last detail is important, especially in the era of mass blast SQL Injection worms and prolific bad-guy-scanner-use searching for victims of opportunity.

I didn’t have the number off the top of my head, would have to look it up in the WhiteHat Sentinel database to be certain, but my first impression was it’s probably around 5%. I thought so was because we’re currently tracking about 14% of all websites having had at least one SQL Injection vulnerability (slide 13). Restricting to non-auth would obviously drag the number down.

To Dave’s surprise, 5% was what he is measuring as well, as was as one other he asked. I asked WhiteHat Security’s resident data scientist, Bill Coffman, to provide the real figures.To first understand our data scope, WhiteHat Sentinel is used to perform continuous vulnerability assessments on thousands of publicly facing websites. 500+ companies in all, large and small, and across industries such as financial services, retail, healthcare, energy, etc. The large majority our vulnerability assessment are conducted in a logged-in state.

Fortunately, we offer a service line named Baseline Edition (BE), which does not authenticate. BE is generally for customers who only require a “baseline” level of testing comprehensiveness, usually deployed broadly across their entire website portfolio. So, Bill restricted our data set to only a BE covered websites, which ended up encompassing many hundreds.

Of all BE websites, created under WhiteHat Sentinel before March 2011, yielded 5%. That is, 5% of websites have had at least 1 SQL Injection vulnerability without needing to login!

We restricted the sampling to a year back to ensure the websites had all their scans properly configured and had enough time to complete over a long enough period. Newer sites are not in a stable state to be statistically representative.

There is one potential caveat in the data, which we can’t properly account for that is likely to move the percentage up. Just because an assessment is conducted in a logged-in state does not mean the URL that’s vulnerable to SQL Injection can’t be exploited while NOT logged-in — an authentication / authorization issue, which should up on our statistics report top ten.

So, those are our numbers. If you are in the website vulnerability assessment business, what are yours?