Hard to Port!
A Snapshot of the Vulnerability Landscape in 2015
Contents
• Who am I?
• Why are we here?
• How do we measure risk?
• Where did you get these numbers?
• 2015 Overview
• Some thoughts!
• Hard to what?
• End
Who am I - Rahim Jina
Present: Director at edgescan™
Past: Head of Security – Fonality, Los Angeles. Security Consultant – Evil Big 4, Dublin.
OWASP: Participator & Contributor since 2008
Application Security & Application Development: 11 Years
Why are we here?
How do we measure risk?
Continuous Testing
Full Stack – Web Apps and Servers
Human verification of all vulnerabilities
Analytics and Metrics
Delta Analysis
Track improvement or decline
Why do an annual report?
“You can't improve what you can't measure”
What is most effective at reducing Risk?
What is the major Root Cause?
Are most Risks at the Application layer?
Are most Risks at the Server Layer*?
Quick wins to be more secure?
Average time to fix a high risk?
What does improvement look like?
* “Server Layer” is also software!!
Where did you get these numbers?
• December 2014 – November 2015
• Assessing 000’s of Assets
• Assets = Web applications & hosts
[Chart – INDUSTRY SPLIT: ten industry categories (labelled 1–10); percentage shares 3.5, 19, 11.5, 11, 13.5, 5.5, 14.5, 10.5, 8, 3]
2015 - Year in Review
2015 – Overview
Security by Numbers
Likelihood of a vulnerability being discovered – Web Applications
Security by Numbers
Likelihood of a vulnerability being discovered (root cause) – Hosting Layer
Security by Numbers
Security by Numbers
Risk Density
Security by Numbers
Time-To-Remediation for discovered Critical/High Risk issues
[Chart – best case vs worst case time-to-remediation]
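The “Delta Analysis – track improvement or decline” approach from the measurement slides, together with the Risk Density and Time-To-Remediation figures above, boils down to a few set operations over successive scan snapshots. The following is an added example, not edgescan's code; the scan dates, asset names and findings are constructed, and a finding is counted as remediated on the first scan date at which it is no longer present, so the days reported are an upper bound on the real fix time.

```python
"""Delta analysis and time-to-remediation over scan snapshots (added example).

Not edgescan's code. Each snapshot is the set of open findings on a scan date.
The scan data at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str      # vulnerability class or identifier
    severity: str   # critical / high / medium / low


Snapshot = Tuple[date, FrozenSet[Finding]]


def delta(previous: FrozenSet[Finding], current: FrozenSet[Finding]) -> Dict[str, FrozenSet[Finding]]:
    """Split two snapshots into new, fixed and persisting findings."""
    return {
        "new": current - previous,
        "fixed": previous - current,
        "persisting": previous & current,
    }


def risk_density(findings: FrozenSet[Finding], assets_in_scope: Set[str]) -> float:
    """Open findings per asset in scope (assets with zero findings still count)."""
    return round(len(findings) / len(assets_in_scope), 2)


def time_to_remediation(history: List[Snapshot],
                        severities: Tuple[str, ...] = ("critical", "high")) -> Dict[Finding, int]:
    """Days from first sighting to first absence, for findings of the given severities.

    Findings still open at the last scan are omitted. A finding that reappears
    after being closed starts a new clock (the latest occurrence wins).
    """
    first_seen: Dict[Finding, date] = {}
    closed: Dict[Finding, int] = {}
    for when, findings in sorted(history, key=lambda s: s[0]):
        for f in findings:
            if f.severity in severities and f not in first_seen:
                first_seen[f] = when
        # Anything we were tracking that this scan no longer reports is closed.
        for f in list(first_seen):
            if f not in findings:
                closed[f] = (when - first_seen.pop(f)).days
    return closed


def mean_time_to_remediation(history: List[Snapshot]) -> Optional[float]:
    """Average fix time across closed critical/high findings, None if nothing closed."""
    days = list(time_to_remediation(history).values())
    return mean(days) if days else None


# Constructed sample: three monthly scans over three assets.
ASSETS = {"app-a", "app-b", "app-c"}
STRUTS = Finding("app-a", "CVE-2013-2251", "critical")
TLS = Finding("app-a", "weak-tls-cipher", "medium")
XSS = Finding("app-b", "reflected-xss", "high")
HSTS = Finding("app-b", "missing-hsts", "low")
SQLI = Finding("app-c", "sql-injection", "critical")

HISTORY: List[Snapshot] = [
    (date(2015, 1, 5), frozenset({STRUTS, TLS, XSS, HSTS})),
    (date(2015, 2, 2), frozenset({STRUTS, HSTS, SQLI})),
    (date(2015, 3, 2), frozenset({HSTS, SQLI})),
]

if __name__ == "__main__":
    for (d1, s1), (d2, s2) in zip(HISTORY, HISTORY[1:]):
        change = delta(s1, s2)
        print(f"{d1} -> {d2}: {len(change['new'])} new, {len(change['fixed'])} fixed, "
              f"{len(change['persisting'])} persisting; density {risk_density(s2, ASSETS)}")
    print("mean days to fix critical/high:", mean_time_to_remediation(HISTORY))
```

Because the clock only stops at the next scan that misses the finding, shorter scan intervals give a tighter time-to-remediation figure; this is one reason continuous testing produces more useful metrics than an annual assessment.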
Security by Numbers
2 out of every 3 servers contained a high- or medium-risk SSL/TLS cryptography weakness
Thoughts - Headers
HTTP Security Headers
Strict-Transport-Security
Content-Security-Policy
X-Content-Type-Options
X-XSS-Protection
Public-Key-Pins
X-Frame-Options
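Checking for these headers is cheap to automate against a captured response. The following is an added example, not code from the talk or from edgescan: it takes an already-captured header map (no network access), reports the headers from the slide that are absent, and flags values that are present but weak. The thresholds it applies (a one-year HSTS max-age, the X-Frame-Options values it accepts) are this example's own choices, and the two sample responses are constructed.

```python
"""Audit the HTTP security headers listed on the slide (added example)."""
from typing import Dict, List

# Headers named on the slide. Public-Key-Pins is reported as informational
# only: browsers dropped HPKP support after this talk was given.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "X-Frame-Options",
    "Public-Key-Pins",
)

ONE_YEAR_SECONDS = 31536000  # this example's HSTS threshold, not a figure from the slide


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on a lower-cased copy."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings as 'missing: X', 'weak: ...' or 'info: X' strings."""
    h = _normalise(headers)
    findings: List[str] = []

    for name in EXPECTED_HEADERS:
        if name.lower() not in h:
            level = "info" if name == "Public-Key-Pins" else "missing"
            findings.append(f"{level}: {name}")

    hsts = h.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR_SECONDS:
        findings.append("weak: Strict-Transport-Security max-age below one year")

    csp = h.get("content-security-policy", "").lower()
    if csp and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        findings.append("weak: Content-Security-Policy allows unsafe-inline/unsafe-eval")

    cto = h.get("x-content-type-options")
    if cto is not None and cto.lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not 'nosniff'")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: X-Frame-Options is neither DENY nor SAMEORIGIN")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or ["all checks passed"])
```

A header that is present but permissive (HSTS with a tiny max-age, a CSP that allows inline script) gives no more protection than a missing one, which is why the audit checks values and not just presence.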
Thoughts - Component security
Who wrote your code?
Who wrote the other code used by your code?
Who wrote the other code in the code used by your code?
Who wrote the code in the other code in the code used by your code?
Application Code (degrees of trust: More ↔ LESS)
• COTS (Commercial off the shelf)
• Outsourced development sub-contractors
• Bespoke outsourced development
• Bespoke internal development
• Third Party APIs
• Third Party Components & Systems
Thoughts - Software Food Chain
GitHub Special
Random College Project
Thoughts - Component security
Building bricks – Frameworks / Components
(Spring, JQuery, Jade, Angular, Hibernate)
90% of application code is framework
63%* don’t monitor component security
* http://www.sonatype.com/about/2014-open-source-software-development-survey
Thoughts - Components
As of October 2015:
Spring (3.0-3.05) – CVE-2011-2894 – Code execution
7,000,000 downloads since vuln discovered
CVSS: 6.8
Apache Xerces2 – CVE-2009-2625 – DoS
4,000,000 downloads since vuln discovered
CVSS: 5
Apache Commons HttpClient 3.x – CVE-2012-5783 – MITM
4,000,000 downloads since vuln discovered
CVSS: 4.9
Struts2 (2.0-2.3.5) – CVE-2013-2251 – Remote command injection
179,050 downloads since vuln discovered
CVSS: 10
Thoughts – Patching & Component Management
“Of all the vulnerabilities discovered in 2015, 63% could have been mitigated via patch, configuration and component management combined.”
Thoughts – Patching & Component Management
Do you test for “dependency” issues?
Does your patch management policy cover application dependencies?
What about layer 7!
Check out: https://github.com/jeremylong/DependencyCheck
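The core of what a tool like DependencyCheck does is match each declared dependency against advisory version ranges. The following is an added example, not DependencyCheck's code or edgescan's: the advisory table is transcribed from the figures on the “Thoughts – Components” slide, the manifest is a constructed sample, and the ranges are read as inclusive (“3.0-3.05” as 3.0.0 through 3.0.5, “3.x” as any 3.* release), which is an assumption about the slide's notation.

```python
"""Flag dependencies inside known-vulnerable version ranges (added example).

Not DependencyCheck's or edgescan's code. Advisory figures come from the
slide; the manifest at the bottom is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.0.2.RELEASE' -> (3, 0, 2). Trailing non-numeric qualifiers are dropped."""
    numbers: List[int] = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break
        numbers.append(int(piece))
    return tuple(numbers) or (0,)


def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))


def in_range(version: Version, low: Version, high_exclusive: Version) -> bool:
    """low <= version < high_exclusive, compared component-wise with zero padding."""
    n = max(len(version), len(low), len(high_exclusive))
    return _pad(low, n) <= _pad(version, n) < _pad(high_exclusive, n)


class Advisory(NamedTuple):
    component: str   # substring matched against the dependency's artifact name
    low: str         # first affected version (inclusive)
    high: str        # first unaffected version (exclusive)
    cve: str
    impact: str
    cvss: float


# Slide ranges converted to [low, high) form: "3.0-3.05" -> 3.0 up to 3.0.6,
# "2.0-2.3.5" -> 2.0 up to 2.3.6, "3.x" -> 3.0 up to 4.0.
ADVISORIES = [
    Advisory("spring", "3.0", "3.0.6", "CVE-2011-2894", "code execution", 6.8),
    Advisory("struts2", "2.0", "2.3.6", "CVE-2013-2251", "remote command injection", 10.0),
    Advisory("commons-httpclient", "3.0", "4.0", "CVE-2012-5783", "MITM", 4.9),
]


def check_manifest(manifest: str) -> List[Dict[str, object]]:
    """Parse 'artifact:version' lines and return matches, highest CVSS first."""
    hits: List[Dict[str, object]] = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        artifact, _, version_text = line.partition(":")
        version = parse_version(version_text)
        for adv in ADVISORIES:
            if adv.component in artifact.lower() and in_range(
                version, parse_version(adv.low), parse_version(adv.high)
            ):
                hits.append({"artifact": artifact, "version": version_text,
                             "cve": adv.cve, "impact": adv.impact, "cvss": adv.cvss})
    return sorted(hits, key=lambda h: h["cvss"], reverse=True)


# Constructed sample manifest, one 'artifact:version' per line.
SAMPLE_MANIFEST = """
# artifact:version
spring-core:3.0.2.RELEASE
spring-web:4.1.6.RELEASE
struts2-core:2.3.4
commons-httpclient:3.1
jquery:1.11.3
"""

if __name__ == "__main__":
    for hit in check_manifest(SAMPLE_MANIFEST):
        print(f"{hit['artifact']} {hit['version']}: {hit['cve']} "
              f"({hit['impact']}, CVSS {hit['cvss']})")
```

Running the same check on every build, rather than once a year, is what turns “do you test for dependency issues?” from an audit question into a gate in the pipeline; the three advisories here are the ones on the slide, and a real run would load the full CVE feed that DependencyCheck downloads.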
Thoughts – Pushing Left
Customers who fared the ‘best’ were queried on their SDLC practices and utilised some or all of these throughout their SDLC and OPS:
Thoughts – Pushing Left
Fail Early – Fail Often!
Thoughts – Pushing Left
• Continuous Testing & DAST
• Continuous Integration & SAST
• Threat Modelling
• Dedicated security teams
• SecDevOps
• Continuous Asset Profiling & Monitoring → Component Management
Continuous Security Assessment Approach:
[Figure – assessment activity plotted against time]
Thoughts – Pushing Left
Wrap-Up
• Organisational trends towards SecDevOps
• DAST and SAST integration into the build process
• Security needs to be more than point-in-time
• Component Security is being overlooked
• Maintenance and component security are key – Full-Stack Patching!
• Continuous testing for continuous development
www.edgescan.com
© BCC Risk Advisory Ltd 2016.
Thanks
[email protected] | @rahimjina
edgescan™ 2015 Vulnerability Stats Report:
https://edgescan.com/2015-edgescan-stats-report.pdf