2015 Vulnerability Statistics Report



Similar documents
Adobe Systems Incorporated

External Supplier Control Requirements

Interactive Application Security Testing (IAST)

Where every interaction matters.

Vulnerability Management

The Hillstone and Trend Micro Joint Solution

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

SAST, DAST and Vulnerability Assessments, = 4

SWAT PRODUCT BROCHURE

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Table of Contents. Page 2/13

elearning for Secure Application Development

Protecting Your Organisation from Targeted Cyber Intrusion

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

IT Security & Compliance. On Time. On Budget. On Demand.

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Attack Vector Detail Report Atlassian

SERENA SOFTWARE Serena Service Manager Security

Concierge SIEM Reporting Overview

How to Instrument for Advanced Web Application Penetration Testing

G-Cloud Service Definition. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Passing PCI Compliance How to Address the Application Security Mandates

How To Manage Web Content Management System (Wcm)

Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

OWASP AND APPLICATION SECURITY

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Assuring Application Security: Deploying Code that Keeps Data Safe

IBM Security IBM Corporation IBM Corporation

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Expert Services Group (Security Testing) Nilesh Dasharathi Sadaf Kazi Aztecsoft Limited

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

AN OVERVIEW OF VULNERABILITY SCANNERS

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

The Business Case for Security Information Management

Developing Secure Software in the Age of Advanced Persistent Threats

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management

CyberArk Privileged Threat Analytics. Solution Brief

End-user Security Analytics Strengthens Protection with ArcSight

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

A HELPING HAND TO PROTECT YOUR REPUTATION

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Specific recommendations

The Cyber Threat Profiler

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

90% of data breaches are caused by software vulnerabilities.

IBM Security Strategy

Application Security in the Software Development Lifecycle

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Application Security 101. A primer on Application Security best practices

Cyber Essentials. Test Specification

Strategic Information Security. Attacking and Defending Web Services

The Web AppSec How-to: The Defenders Toolbox

Reducing Application Vulnerabilities by Security Engineering

Penetration Test Report

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

ALERT LOGIC FOR HIPAA COMPLIANCE

Integrated Threat & Security Management.

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

SAFECode Security Development Lifecycle (SDL)

Continuous Network Monitoring

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

HP Application Security Center

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

QRadar SIEM and FireEye MPS Integration

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CyberSecurity Innovation Assessing your Organizations Vulnerability to a Cyber breach

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Penetration Testing Report Client: Business Solutions June 15 th 2015

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Web Application Security

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

10 Things Every Web Application Firewall Should Provide Share this ebook

Network Test Labs (NTL) Software Testing Services for igaming

THE TOP 4 CONTROLS.

Web Application Security 101

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

PCI DSS Reporting WHITEPAPER

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

The Cloud App Visibility Blindspot

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

IT Risk Management: Guide to Software Risk Assessments and Audits

Transcription:

2015 Vulnerability Statistics Report

Introduction or bugs in software may enable cyber criminals to exploit both Internet facing and internal systems. Fraud, theft (financial, identity or data) and denial-of-service attacks are often the result, leaving companies with serious losses or damage of reputation. However, some of these issues can be easily avoided or at least mitigated. This document discusses the vulnerabilities discovered by edgescan over the past year 2015. The vulnerabilities discovered are a result of providing continuous vulnerability management to a wide range of client verticals; from Small Businesses to Global Enterprises; Telecoms & Media, Software Development, Gaming, Energy and Medical organisations. edgescan Portal About edgescan SaaS: edgescan is a Software-as-a-Service (SaaS) vulnerability management service which provides continuous detection and validation of vulnerabilities in both web & mobile applications and hosting servers alike. Accuracy: All vulnerabilities discovered by edgescan are verified by our expert security analysts to make sure they are a real and appropriately risk rated. Our validated findings provide actionable intelligence and remediation advice to help you maintain a secure posture. Full-stack Scalable Assessments: edgescan scales to hundreds or thousands of servers and web applications whilst still maintaining accuracy and coverage. edgescan detects both known (CVE) vulnerabilities and also web application vulnerabilities unique to the application being assessed due to our hybrid assessment approach. Analytics & Depth: Coupling leading-edge risk analytics, production-safe automation and human intelligence, edgescan provides deep authenticated and unauthenticated vulnerability assessment across all layers of a systems technical stack. Our edgescan Advanced service also provides deep logical and behavioural testing on demand. Both Internal and public Internet facing systems can be assessed using edgescan. Integration & Alerting: edgescan provides integration via its API and JIRA plugin to easily integrate with other bug tracking and GRC systems. It also has customisable real-time alerting to inform you if a new vulnerability has been discovered. Continuous Asset Profiling: edgescan provides continuous asset profiling, alerting you to changes in your environment and eliminate network blind spots via our unique HIDE (Host Index Detection & Enumeration) technology. SAMPLE VENDOR Gartner Hype Cycle for Application Security 2015 NOTABLE VENDOR Magic Quadrant for Managed Security Services

2015 in Review Executive Summary 2015 has been a year of large security breaches: Adult Finder May 2015 US OPM July 2015 11 Million 80 Million 3.9 Million RecordsStolen 37 Million 21.5 Million 15 Million Premera January 2015 Anthem February 2015 Ashley Madison July 2015 Experian September 2015 The above are examples of significant system breaches resulting in millions of records and personal data being stolen. Why? Awareness, Detection and Response are key aspects in defending against cyber-attacks and edgescan helps with this approach. In terms of operational approaches, organisational trends towards DevSecOps should assist with security becoming more integrated and earlier in the system development lifecycle; Pushing Left. Hosting systems: Using Secure Baselines or Builds in cloud environments such that when vulnerabilities are discovered, rather than patch, we deploy a new baseline. Error monitoring and log analysis solutions are also assisting with detective controls and helping organisations detect anomalies earlier and reacting quicker. Overall host & server security below layer 7 is still a rich area for vulnerabilities. Component Security (Application Security Food-Chain) Of all the vulnerabilities discovered by edgescan in 2015, 63% could have been mitigated via patch, configuration and component management combined. Patching and component management relates to web applications, frameworks and hosting servers running insecure instances and services. In terms of web applications, many instances of insecure frameworks, plugins, components to support Cryptography, HTTP, language processors and parsers, contained exploitable vulnerabilities. In addition, the operating systems and services supporting such components also had known vulnerabilities (CVE s). 63% Application Layer: A drive towards DAST and SAST integration into the build process is catching issues early and often which assists in more secure software. We still see component security being overlooked. Components can be defined as open source code, frameworks and code used by developers but not written by the application developer teams. Could Be Mitigated

Our measuring tool and data repository As discussed above, the vulnerability data used for this report has all been discovered on our clients systems over the past year (2015). All of the findings in edgescan are manually validated and risk rated to ensure accuracy and also to assist our clients with understanding which issues need to be prioritised. Assets: edgescan assesses both server and web application layer systems for vulnerabilities. For our clients we call these collectively Assets. This gives our clients the ability to group similar and related systems into asset groups for easier management. 15.1% of Assets have high or critical risk vulnerabilities High or critical vulnerabilities are defined as: Easily exploitable Remotely exploitable Such issues can affect both application and network layers combined in some cases Root Cause: Coding errors, Configuration flaws and out-of-date/no patching applied. Remediation: Even though patch management is not as exciting as other aspects of security, it s still a vital aspect of maintaining a secure and robust posture. Security patches are a result of security bugs being discovered in application, framework & operating systems provided by system vendors. In relation to web application security we still talk about Secure Application Development. It s our view that security touch points and developer education is a good starting place to correct the problem. Vulnerability Statistics Web Applications and Web Site Security: Likelihood of a vulnerability being discovered Web Applications 61% 52% 39% 25% 21% 19% 15% 11% 6% 4% SSL XSS Content Injection Authorisation Session Management Information Leakage Authentication XXE SQL Injection Other Injection Above is a snapshot of the most common vulnerabilities discovered in 2015 for the web application layer as discovered by edgescan. As you can see, SSL/Crypto weaknesses are most common followed by Cross-Site-Scripting (XSS). SQL Injection is thankfully less common, akin to other injection vulnerabilities (Command Injection, Remote Code Execution), all of which can result in total system-wide compromise. A new entry to the list is XML external Entity attacks (XXE) which leverages XML parser misconfiguration and can result in data compromise. Likelihood of a vulnerability being discovered in Hosting & Component Layers by root cause 37% Security Patching 15% Misconfiguration 6% Exposed Service 5% Unsupported System In relation to hosting security, 37% of hosting layer vulnerabilities could have been prevented by adopting a robust approach to patching. Patching relates to keeping the hosting and component system up-todate to help close-off known risks. Misconfiguration, Exposed Services and Unsupported Systems relate to both Operating systems and hosted frameworks or components. Maintenance and component security are key to maintaining a robust approach to full-stack security.

Risk Density In 2015 we discovered on average 1.5 Critical, High or Medium risk vulnerabilities per asset assessed. This is a result of insecure coding practices on the web layer, poor component / framework and operating system security weaknesses. The vulnerabilities ranged from remote code execution, to command Injection to SQL Injection. like Shellshock, Poodle and Logjam were common across hosting environments. Apache, Adobe and Microsoft systems and services were the platforms with the highest risk density. Risk Profile Application Layer 3.2% Critical Risk 4.8% High Risk 6% Medium Risk Risk Profile Hosting/Server Layer Best practices: Success Stories In terms of vulnerability mitigation the turnaround time varies depending on where in the stack the discovered vulnerability resides. It appears patching of systems for known vulnerabilities (CVE s) can be achieved in a relatively short amount of time. Time-To-Remediation has security significance when looking at the size of the Window of Exposure for a given system. Component Security: Time-To-Remediation appears to take the longest amount of time. This is based on the complexities of retro-fitting new versions of the vulnerable components. It is also understood that many organisations lack a component patching policy and implementing such processes in a live environment is a daunting task. Developer Code: Time-To-Remediation for code level (developer bugs) vulnerabilities can be fast particularly in the case of new deployments. Older web deployments appear to take more time to remediate mainly due to lack of knowledge of the code-base or the web application not being on the current critical path for the business in terms of assignment of resources to address the issue. 2.9% 4.2% 4.9% OS/Host Patching : Time-To-Remediation for patching appears to have the fastest turnaround time. This is due apparent and relative ease of applying patches to operating systems and services. Critical Risk High Risk Medium Risk Time-To-Remediation (TTR) for Critical/High Risk issues discovered Total (Full-Stack) Of all assets assessed in 2015 26% of vulnerabilities discovered had a Medium Critical Risk. Critical Risk Density: 6.1% High Risk Density: 9.0% Component Security 32 Days 280+ Days Developer Code 22 Days 157+ Days OS/Host Patching 9 Days 110+ Days 2015 Assessed Assets Medium Risk Density: 10.9%

Patching & Component Security Time-To-Remediation for host/os patching appears to have the fastest turnaround time. This is due to the apparent and relative ease of applying patches to operating systems and services when a critical or important patch is required. Interestingly, patching is never straight forward and needs to be tested in a pre-production environment prior to deploying to live. The most common root cause of a vulnerability poor patching / maintenance 63% of vulnerabilities discovered in 2015 could have been avoided if a robust patching, component security policy and/or procedure was implemented Over 7.1% of patch related vulnerabilities were Critical or High The Patching weaknesses discovered were in relation to operating system and software components, frameworks such as OpenSSL, PHP, Spring, Struts, Apache Server, MySQL, Linux, Windows etc SSL/TLS Cryptography The most common weakness on hosting servers was in relation to SSL (Secure Sockets Layer) or TLS (Transport Layer Security) cryptography and protection of data in transit. For every three servers assessed, there was at least two high/medium risk SSL/TLS cryptography issues discovered In other words, 61.4% of servers were potentially vulnerable to attackers attempts to attack private communications between web servers and end-user browsers. For example, in 2015 edgescan reported that 25% of the servers under management assessed were vulnerable to the Poodle (CVE-2014-3566) vulnerability. SSL is now deprecated and TLS should be used for protecting data in transit. https://tools.ietf.org/html/rfc7568 Recommendation: Using trusted and commonly used frameworks and components still introduces vulnerabilities into web applications and servers throughno fault of the developers Component & Framework security should be a consideration for critical applications at a minimum 2 of every 3 servers contained high-medium risk SSL/TLS cryptography weakness Client Security - Cross-Site-Scripting (XSS) Client-side vulnerabilities such as Cross-Site-Scripting (XSS), are a type of attack in which malicious code is injected into otherwise benign and trusted websites. XSS can be used to steal a user s credentials, install malware and redirect end users to questionable websites, etc. For every application assessed, edgescan verified an average XSS density of 4.87 per web application XSS vulnerabilities were discovered on both web applications and hosting server environments Remediation: Consider contextual output encoding when rendering or using non trusted data in the client s browser. XSS issues can also occur on the component layer such as framework or service used by the application, patching & maintenance is required to address such issues. For more see: https://edgescan.com/ secure_application_dev_training_material.html HTTP Security Headers The lack of Security headers is interesting given how easy they are to implement. Approximately 15% of application layer vulnerabilities discovered (including some SSL issues) could have been mitigated or risk reduced by using HTTP Security headers. HTTP headers don t affect system performance and simply instruct the user s browser to respect certain conditions of interaction. Only 1.73% of all Web applications assessed had adequate HTTP Security headers. For more about security headers see: https://edgescan.com/ secure_application_dev_training_material.html 15% Potential Risk Reduction 1.73% Adequate HTTP Header Security

What is edgescan? edgescan is a managed security service which identifies and provides vulnerability intelligence on an on-going basis. It detects technical vulnerabilities in both internal and Internet facing systems and provides you with the power to understand, prioritise and fix. It provides you the ability to manage both network and web application security issues for tens, hundreds or even thousands of your systems. edgescan conducts Application & Server vulnerability management with manual validation to help ensure your application & server security. edgescan reports are virtually False Positive free due to our hybrid approach of combining automated testing with manual validation. edgescan provides continuous asset profiling letting you see what systems and services are live and available at any point in time and provides alerting to let you detect rogue, APT or delinquent systems within your asset estate. edgescan gives you: Unbeatable price-performance ratio Continuous Asset profiling and Alerting Manual threat verification and accuracy of all issues reported - false positive free Prioritisation of security risks and remediation advise from our experts 24/7 dashboard access and customisable reporting Continuous vulnerability assessment across both web and hosting layers Integration via API/JIRA to plug into your management systems False Positve Free, Full-Stack, Continuous Penetration Testing. edgescan... identified a large number of application security issues that previously were only identified by our SAST tool... edgescan client, March 2015 www.edgescan.com 2015. BCC Risk Advisory Ltd. www.bccriskadvisory.com

CONTINUOUS VULNERABILITY MANAGEMENT Email: info@edgescan.com Telephone: +353 (1) 681 5330 www.edgescan.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information