Managing application security is not easy. That is why we created the WhiteHat Security Index (WSI). WSI is a way to measure an application’s security status or risk. A key feature of WhiteHat Sentinel Dynamic, WSI scores applications between 0 and 800, with a higher score indicating better security. WSI takes a holistic approach to application security, looking at not just the current security posture, but at many factors — including past vulnerability history, the remediation rates, scanning frequency, site complexity, and more. WSI measures application security risk for a site in the same way that a FICO score measures credit worthiness for an individual.
Many of our customers in the past have asked what a reasonable goal for their WSI score would be. 500? 600? Higher than that? So we decided to perform some analysis on WSI scores for all sites scanned by Sentinel Dynamic to see how sites’ security postures vary.
We found some interesting insights:
- Cluster analysis performed on WSI scores shows three clusters:
Twenty-four percent (24%) of the sites have fairly low scores (below 450); 46% have moderate scores (between 450 and 600); 30% have WSI scores over 600. So 70% of sites scanned have significant room for improvement.
- This cluster analysis also suggests that a WSI score of 600 is a good target to shoot for when managing web application security, since currently only thirty percent of the websites have a WSI score of 600 or over. Of course, once your assets achieve 600, you should raise the bar and continue to improve your security posture. That is the beauty of WSI: it allows you to measure and monitor your application security status on a continuous basis.
- Interestingly, cluster analysis also shows that the WSI distribution across sites remains relatively consistent across most industries. (Manufacturing industries and industries in the “Arts, Entertainment and Recreation” cluster are doing better than the rest, with 44% (mfg.) and 53% (AE&R) of their sites showing WSI scores above 600.) Across the Retail, Healthcare, Finance and Information sectors far fewer sites are showing scores above 600.
These findings are consistent with the findings in our 2016 Web Applications Security Statistics Report, which states, “Most web sites are vulnerable most of the time”, and “Average vulnerabilities per site varies from five (in Manufacturing) to 32 (in IT). Regulated industries – such as financial services and healthcare – are not performing significantly better than the rest.”
If you are a Sentinel Dynamic customer, utilize WSI to measure, monitor and improve your appsec status, set SLAs based on WSI scores and encourage your team to meet or beat those SLAs. Make the WSI score very visible in your department dashboards. Our customers who have large, successful appsec programs are already doing that, and finding it effective.
What are your thoughts? What is working or not working in your appsec program? Share your thoughts. We’d love to hear from you.
Data Analysis courtesy of Wenmin Wang, Sr. Data Scientist