Software security, by the numbers. October 20, 2015

Transcription

1 Software security, by the numbers October 20, 2015

2 Why are we here? 2

3 Chris Wysopal, CTO & Co-Founder 15+ years focused solely on application security One of the original security researchers from mid 90 s. Was part of hacker think tank, The L0pht. Founded Veracode to build automated application security testing My son now keeps me busy installing Minecraft mods. 3

4 What is the SoSS report? 4

5 What s so special about this? Anonymized data from our customers to illustrate AppSec trends - 5

6 What questions can we answer? Which industries are doing the best job of reducing application-layer risk? Do I have more serious vulnerabilities than my peers? What percentage of vulnerabilities do my peers remediate? How many of our applications should pass the OWASP Top 10 when initially assessed? What are the Top 10 most common vulnerabilities in our vertical? Which programming languages are my peers using? 6

7 >What are the Headlines? What are the headlines? 7

8 WHO DOES BEST AGAINST INDUSTRY STANDARDS? 8

9 WHO FIXES THE MOST VULNERABILITIES? 9

10 Industry comparison: flaw profiles 10

11 Security quality on first scan 11

12 Security quality on first scan Even the best performing industry sector fails for 3 out of 5 applications 12

13 Programming languages used 13

14 Programming languages used Programming language is not a clear indicator of security quality 14

15 Flaw density 15

16 Flaw density Flaw density is only useful for benchmarking or tracking a particular application over time 16

17 Top vulnerabilities by industry 17

18 Industry comparison: remediation profiles 18

19 Flaw remediation rates Wide spread in % of flaws found vs. fixed May be due to external factors (industry regulations, competitive landscape) and/or security policies 19

20 Remediation by flaw density Small improvement in flaw density overall, greater improvement in very high and high severity flaws 20

21 Impact of remediation coaching For applications that used a readout, the development team fixed more than 2.5x the average # of flaws per megabyte 21

22 How safe is the software I buy? 22

23 Sources of software (IDG survey) 23

24 Commercial quality on first scan Code you purchase is just as likely (maybe more likely) to contain vulnerabilities as code you build Most organizations don t hold their suppliers accountable for security quality in the same way the do for functionality or performance 24

25 Three characteristics of a successful program 25

26 #1: Metrics driven Peter Drucker 26

27 #2: Remediation focused 27

28 #3: Habit forming 28

29 #3: Habit forming MONSTERS PREVENT CODE ROT! 29

30 THANK YOU

31 Appendix slides 31

32 Financial Services summary Includes: Banking, Finance, Insurance Initial quality: % of apps passed OWASP Top 10 on first scan but almost 3 in 5 still fail Remediation: - Fixed 65% of flaws found during 18 month period Flaw density: 3-36 flaws/mb overall - 5 very high or high severity flaws/mb SQL Injection prevalence: 6-29% of applications had at least one SQL Injection vulnerability, the second lowest Language Mix App Vuln Prevalence.NET 42% Java 48% Classic ASP 3% PHP 2% C++ 2% ios 2% Other 1% Android 1% ColdFusion JavaScript 0% 0% Code Quality Crypto Issues Info Leakage CRLF Injection Cross-Site Scripting Directory Traversal Insufficient Input Validation SQL Injection Credentials Mgmt Time & State 29% 25% 23% 65% 60% 58% 52% 49% 48% 41% 32

33 Manufacturing summary Includes: Manufacturing, Aerospace Initial quality: % of apps passed OWASP Top 10 on first scan but almost 2/3 still fail Remediation: - Fixed 81% of flaws found during 18 month period Flaw density: flaws/mb overall - 54 very high or high severity flaws/mb.net 36% Language Mix C++ 10% Java 37% ColdFusion 9% Classic ASP 4% ios 2% Other 2% PHP 1% JavaScript 1% Android 0% SQL Injection prevalence: 4-31% of applications had at least one SQL Injection vulnerability Code Quality Crypto Issues Info Leakage CRLF Injection Cross-Site Scripting Directory Traversal Insufficient Input Validation SQL Injection Time & State Credentials Mgmt App Vuln Prevalence 56% 51% 49% 45% 45% 40% 33% 31% 24% 17% 33

34 Technology summary Includes: Technology, Telecommunications, Electronics, Software, Security Products & Services, Consulting Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 50% of flaws found during 18 month period Flaw density: 5-83 flaws/mb overall - 29 very high or high severity flaws/mb SQL Injection prevalence: 3-28% of applications had at least one SQL Injection vulnerability.net 30% Language Mix Java 45% PHP ios 6% 6% Android 6% C++ 4% Other 3% Classic ASP 1% ColdFusion 1% JavaScript 1% Code Quality Crypto Issues Info Leakage CRLF Injection Directory Traversal Cross-Site Scripting Insufficient Input Validation Credentials Mgmt SQL Injection Time & State App Vuln Prevalence 70% 62% 62% 54% 49% 48% 37% 30% 28% 26% 34

35 Healthcare summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 43% of flaws found during 18 month period Flaw density: 1-15 flaws/mb overall - 2 very high or high severity flaws/mb Crypto Issues prevalence: 1-80% of applications had at least one cryptography-related vulnerability Java 30%.NET 52% Language Mix ios 7% Android 4% PHP 3% Classic ASP 2% ColdFusion 2% Other 2% JavaScript C++ 0% Crypto Issues Info Leakage Code Quality Insufficient Input Validation CRLF Injection Cross-Site Scripting Directory Traversal SQL Injection Time & State Credentials Mgmt App Vuln Prevalence 61% 60% 48% 46% 45% 43% 32% 26% 23% 80% 35

36 Retail and Hospitality summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 43% of flaws found during 18 month period Flaw density: 2-28 flaws/mb overall - 5 very high or high severity flaws/mb Language Mix SQL Injection prevalence: 1-25% of applications had at least one SQL Injection vulnerability, the lowest prevalence App Vuln Prevalence Java 37%.NET 45% C++ 5% ios 4% Android 4% Classic ASP 2% Other 3% PHP 2% ColdFusion 1% JavaScript 0% Code Quality Crypto Issues Info Leakage CRLF Injection Directory Traversal Cross-Site Scripting Insufficient Input Validation SQL Injection Credentials Mgmt Time & State 25% 24% 21% 68% 63% 55% 54% 52% 44% 44% 36

37 Government summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 27% of flaws found during 18 month period Flaw density: 4-62 flaws/mb overall - 7 very high or high severity flaws/mb SQL Injection prevalence: 7-40% of applications had at least one SQL Injection vulnerability Java 36%.NET 53% Language Mix PHP 4% Classic ASP 3% C++ Other 0% 1% ColdFusion 3% JavaScript Android ios 0% 0% Cross-Site Scripting Code Quality Info Leakage Insufficient Input Validation Crypto Issues CRLF Injection Directory Traversal SQL Injection Credentials Mgmt Time & State App Vuln Prevalence 20% 19% 70% 66% 62% 52% 51% 48% 45% 40% 37

38 All other industries summary Initial quality: % of apps passed OWASP Top 10 on first scan Remediation: - Fixed 52% of flaws found during 18 month period Flaw density: flaws/mb overall - 26 very high or high severity flaws/mb SQL Injection prevalence: 6-37% of applications had at least one SQL Injection vulnerability Language Mix App Vuln Prevalence.NET 23% PHP 10% Java 46% ios 7% Android 7% C++ 4% Other 3% Classic ASP 1% ColdFusion 1% JavaScript 1% Crypto Issues Code Quality Info Leakage CRLF Injection Cross-Site Scripting Credentials Mgmt Insufficient Input Validation Directory Traversal SQL Injection Time & State 65% 59% 53% 48% 46% 37% 34% 34% 32% 23% 38