Hard to Port! A Snapshot of the Vulnerability Landscape in 2015

Upload: buinhan

Post on 06-May-2018


Page 1: Hard to Port! - Event Schedule & Agenda Builder App | Schedschd.ws/hosted_files/appseccalifornia2016/8b/AppSec-HardtoPort-A... · OWASP Participator & Contributor since 2008 Application

Hard to Port!

A Snapshot of the Vulnerability Landscape in 2015

Page 2:

Contents

• Who am I?
• Why are we here?
• How do we measure risk?
• Where did you get these numbers?
• 2015 Overview
• Some thoughts!
• Hard to what?
• End

Page 3:

Who am I - Rahim Jina

Present: Director at edgescan™

Past: Head of Security – Fonality, Los Angeles. Security Consultant – Evil Big 4, Dublin.

OWASP: Participator & Contributor since 2008

Application Security & Application Development: 11 Years

Page 4:

Why are we here?

Page 5:

How do we measure risk?

Continuous Testing

Full Stack – Web Apps and Servers

Human verification of all vulnerabilities

Analytics and Metrics

Delta Analysis

Track improvement or decline

Page 6:

Why do an annual report?

“You can't improve what you can't measure”

What is most effective at reducing Risk?

What is the major Root Cause?

Are most Risks at the Application layer?

Are most Risks at the Server Layer*?

Quick wins to be more secure?

Average time to fix a high risk?

What does improvement look like?

* “Server Layer” is also software!!

Page 7:

Where did you get these numbers?

• December 2014 – November 2015
• Assessing 000’s of Assets
• Assets = Web applications & hosts

[Chart: INDUSTRY SPLIT – percentage of assessed assets per industry; the category labels did not survive extraction]

Page 8:

2015 - Year in Review

Page 9:

2015 – Overview

Page 10:

Security by Numbers

Likelihood of a vulnerability being discovered – Web Applications

Page 11:

Security by Numbers

Likelihood of a vulnerability being discovered (root cause) – Hosting Layer

Page 12:

Security by Numbers

Page 13:

Security by Numbers

Risk Density

Page 14:

Security by Numbers

Time-To-Remediation for discovered Critical/High Risk issues

[Chart: time to remediation, BEST CASE vs WORST CASE]

Page 15:

Security by Numbers

2 out of every 3 servers contained a high-medium risk SSL/TLS cryptography weakness

Page 16:

Thoughts - Headers

HTTP Security Headers

• Strict-Transport-Security
• Content-Security-Policy
• X-Content-Type-Options
• X-XSS-Protection
• Public-Key-Pins
• X-Frame-Options
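As an added example (not from the slides or from edgescan), the check below audits a response's headers against the six named on this slide: it reports each one that is absent and flags weak values for the ones whose expected values are well known. The headers are assumed to arrive as a plain dict; the one-year HSTS minimum is a common recommendation, not a figure from the deck.

```python
import re

# Value checks for the six headers on the slide. Each returns None when
# the value is acceptable, otherwise a short reason string.
def _hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        return "missing max-age"
    if int(m.group(1)) < 31536000:          # assumed minimum: one year
        return f"max-age {m.group(1)} shorter than one year"
    return None

def _csp(v):
    low = v.lower()
    if "'unsafe-inline'" in low or "'unsafe-eval'" in low:
        return "policy allows unsafe-inline/unsafe-eval"
    return None

CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-content-type-options": lambda v: None if v.strip().lower() == "nosniff"
        else f"unexpected value {v!r}",
    "x-xss-protection": lambda v: None if v.replace(" ", "").lower() == "1;mode=block"
        else f"not '1; mode=block' ({v!r})",
    # HPKP is on the 2015 slide; browsers later dropped support, so only
    # its presence is reported here, not pin validity.
    "public-key-pins": lambda v: None,
    "x-frame-options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN")
        else f"unexpected value {v!r}",
}

def audit_headers(headers):
    """Return sorted 'header: problem' findings; an empty list means all six pass."""
    present = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    for name, check in CHECKS.items():
        if name not in present:
            findings.append(f"{name}: missing")
            continue
        reason = check(present[name])
        if reason:
            findings.append(f"{name}: {reason}")
    return sorted(findings)

# Constructed sample response headers (not captured from any real host).
SAMPLE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.test",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for line in audit_headers(SAMPLE):
        print(line)
```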

Page 17:

Thoughts - Component security

Who wrote your code?

Who wrote the other code used by your code?

Who wrote the other code in the code used by your code?

Who wrote the code in the other code in the code used by your code?

Page 18:

Thoughts - Software Food Chain

[Diagram: degrees of trust in application code, from More to Less; the items shown on the slide are:]

• Application Code
• COTS (Commercial off the shelf)
• Outsourced development Sub-Contractors
• Bespoke outsourced development
• Bespoke Internal development
• Third Party API’s
• Third Party Components & Systems
• Github Special
• Random College Project

Page 19:

Thoughts - Component security

Building bricks – Frameworks / Components

(Spring, JQuery, Jade, Angular, Hibernate)

90% of application code is framework

63%* don’t monitor component security

* http://www.sonatype.com/about/2014-open-source-software-development-survey

Page 20:

Thoughts - Components

As of October 2015 - Spring (3.0-3.05) – CVE-2011-2894 – Code execution

7,000,000 downloads since vuln discovered

CVSS: 6.8

Apache Xerces2 – CVE-2009-2625 – DoS

4,000,000 downloads since vuln discovered

CVSS: 5

Apache Commons HttpClient 3.x - CVE-2012-5783 – MiTM

4,000,000 downloads since vuln discovered

CVSS: 4.9

Struts2 (2.0-2.3.5) – CVE-2013-2251 – Remote Cmd Injection

179,050 downloads since vuln discovered

CVSS: 10

Page 21:

Thoughts – Patching & Component Management

“Of all the vulnerabilities discovered in 2015, 63% could have been mitigated via patch, configuration and component management combined.”

Page 22:

Thoughts – Patching & Component Management

Do you test for “dependency” issues?

Does your patch management policy cover application dependencies?

What about layer 7!

Check out: https://github.com/jeremylong/DependencyCheck

Page 23:

Thoughts – Pushing Left

Customers who fared the ‘best’ were queried on their SDLC practices and utilised some or all of these throughout their SDLC and OPS:

Page 24:

Thoughts – Pushing Left

Fail Early – Fail Often!

Page 25:

Thoughts – Pushing Left

• Continuous Testing & DAST

• Continuous Integration & SAST

• Threat Modelling

• Dedicated security teams

• SecDevOps

• Continuous Asset Profiling & Monitoring → Component Management

Page 26:

Thoughts – Pushing Left

Continuous Security Assessment Approach:

[Diagram: assessment activity plotted against time]

Page 27:

Wrap-Up

• Organisational trends towards SecDevOps
• DAST and SAST integration into the build process
• Security needs to be more than point-in-time
• Component Security is being overlooked
• Maintenance and component security are key - Full-Stack Patching!
• Continuous testing for continuous development

Page 28:

www.edgescan.com

© BCC Risk Advisory Ltd 2016.

Thanks

[email protected] · @rahimjina

edgescan™ 2015 Vulnerability Stats Report:

https://edgescan.com/2015-edgescan-stats-report.pdf