
State of Software Security

Jeff Ennis, CEH

Solutions Architect

Veracode



Agenda

Background – Metrics, Distribution of Applications

Security of Applications

Application Security - Industry Trends

Summary



Background – Basis for insights

For over three years, Veracode has been providing automated security analysis of software to large and small enterprises across various industry segments.

One by-product is a wealth of security metrics derived from anonymized data across varied industries and application types.

These metrics offer valuable insights on the quality of application security and issues related to the current state-of-practice and maturity of security in software.

Veracode was founded in 2006 by application security experts from @stake, Guardent, Symantec, and VeriSign.

Veracode provides automated security assessment capabilities in the cloud. Automated techniques include static binary analysis and dynamic analysis; manual test data (if such testing was performed) is included in the analysis.



The Data Set + Metrics

  • Enterprise

    • Industry vertical (enumerated)

  • Application

    • Application Supplier Type (internal, purchased, outsourced, open source)

    • Application Type (web-facing / non-web)

    • Assurance Level (1 to 5)

    • Language (enumerated)

    • Platform (enumerated)

  • Scan

    • Scan Number

    • Scan Date

    • Lines of Code

  • Metrics

    • Flaw Count

    • Flaw Percent

    • Application Count

    • First Scan Acceptance Rate

    • Veracode Risk Adjusted Score

    • Mean Time Between Scans

    • Days to Remediation

    • Scans to Remediation

    • PCI pass/fail

    • SANS Top 25 pass/fail

    • OWASP Top 10 pass/fail (two flavors: the 2004 and 2007 editions of the Top 10)

1,591 applications and billions of lines of code



Sample Distribution


High business criticality does not drive all development projects "in-house": more than 30% of all applications rated High or Very High in business criticality were sourced from commercial software vendors.



What is the distribution of languages in your enterprise? Do you have the same testing methodologies and practices across your application portfolio?



Security of Applications



Application Security – Scanning Results

The majority of software (provided by customers for scanning)

_______ Secure (Pass)

_______ Insecure (Fail)


Majority of software is insecure

Pass: 42%

Fail: 58%

From the full (self-selected) set of applications submitted to Veracode for assessment.



Majority compliant with OWASP Top 10 or SANS Top 25 ?



Majority not compliant with OWASP Top 10 or SANS Top 25



Applications with the Best First-Scan Acceptance Rate

  • Outsourced

  • Open Source

  • Internally Developed

  • Commercial



Internal Apps have Best First Scan Acceptance Rate


Most Common Issues in Applications (percent of applications affected)

  • Cross-Site Scripting (XSS)

  • Cryptographic Issues

  • CRLF Injection

  • Buffer Overflow

  • SQL Injection



Cryptographic Issues Most Common in Applications


Most Prevalent Vulnerabilities

Flaw Percent = Flaw Count of a given type / Total Flaw Count (across all applications)

  • Cross-Site Scripting (XSS)

  • Cryptographic Issues

  • CRLF Injection

  • Buffer Overflow

  • SQL Injection
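Worked example of the two prevalence metrics the deck uses, added here and not code from the presentation or from Veracode. It builds a small constructed scan data set shaped like the data model on the earlier slide (application, supplier type, scan number, scan date, per-type flaw counts, policy pass/fail) and computes percent of applications affected, flaw percent, first-scan acceptance rate, mean time between scans, and days/scans to remediation. The application names, flaw-type labels, dates and counts are invented for the illustration; what it shows is that "percent of applications affected" and "flaw percent" rank the same flaw types differently when one application carries many instances of a single flaw type.

```python
"""Portfolio metrics over application-security scan results.

Added example, not Veracode's code. SCANS is a constructed, anonymized set of
scan records shaped like the deck's data model; all names, dates and counts
are invented for the illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Scan:
    app: str
    supplier: str          # internal / commercial / outsourced / open_source
    scan_number: int       # 1 = first submission
    scan_date: date
    flaws: dict            # flaw type -> number of findings in this scan
    passed: bool           # policy pass/fail for this scan


# Constructed sample: four applications, each rescanned until it passes.
SCANS = [
    Scan("app-a", "internal",    1, date(2010, 1, 4),  {"XSS": 40, "SQLi": 0, "Crypto": 1}, False),
    Scan("app-a", "internal",    2, date(2010, 1, 25), {"XSS": 0,  "SQLi": 0, "Crypto": 0}, True),
    Scan("app-b", "commercial",  1, date(2010, 2, 1),  {"XSS": 2,  "SQLi": 3, "Crypto": 1}, False),
    Scan("app-b", "commercial",  2, date(2010, 3, 15), {"XSS": 0,  "SQLi": 1, "Crypto": 0}, False),
    Scan("app-b", "commercial",  3, date(2010, 4, 30), {"XSS": 0,  "SQLi": 0, "Crypto": 0}, True),
    Scan("app-c", "open_source", 1, date(2010, 2, 10), {"XSS": 0,  "SQLi": 1, "Crypto": 2}, False),
    Scan("app-c", "open_source", 2, date(2010, 2, 21), {"XSS": 0,  "SQLi": 0, "Crypto": 0}, True),
    Scan("app-d", "internal",    1, date(2010, 3, 3),  {"XSS": 0,  "SQLi": 0, "Crypto": 0}, True),
]


def first_scans(scans):
    """Earliest scan of each application. Prevalence is measured on first scans
    so that re-scans of the same application do not count its flaws twice."""
    first = {}
    for s in scans:
        if s.app not in first or s.scan_number < first[s.app].scan_number:
            first[s.app] = s
    return first


def percent_apps_affected(scans):
    """Percent of applications with at least one flaw of each type."""
    first = first_scans(scans)
    affected = Counter()
    for s in first.values():
        for flaw_type, n in s.flaws.items():
            if n > 0:
                affected[flaw_type] += 1
    return {t: round(100.0 * c / len(first), 1) for t, c in affected.items()}


def flaw_percent(scans):
    """Flaw Percent = flaws of one type / all flaws found across the portfolio."""
    counts = Counter()
    for s in first_scans(scans).values():
        counts.update(s.flaws)
    total = sum(counts.values())
    return {t: round(100.0 * c / total, 1) for t, c in counts.items() if c > 0}


def ranked(metric):
    """Flaw types ordered by a metric, highest first (ties broken by name)."""
    return [t for t, _ in sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))]


def first_scan_acceptance_rate(scans):
    """Percent of applications that passed policy on first submission, per supplier type."""
    passed, total = Counter(), Counter()
    for s in first_scans(scans).values():
        total[s.supplier] += 1
        passed[s.supplier] += int(s.passed)
    return {sup: round(100.0 * passed[sup] / total[sup], 1) for sup in total}


def remediation(scans):
    """(days, scans) from first submission to the first passing scan, per application;
    (None, None) for applications that have not passed yet."""
    by_app = defaultdict(list)
    for s in scans:
        by_app[s.app].append(s)
    out = {}
    for app, history in by_app.items():
        history.sort(key=lambda s: s.scan_number)
        first = history[0]
        fixed = next((s for s in history if s.passed), None)
        if fixed is None:
            out[app] = (None, None)
        else:
            out[app] = ((fixed.scan_date - first.scan_date).days,
                        fixed.scan_number - first.scan_number)
    return out


def mean_time_between_scans(scans):
    """Average days between consecutive scans of the same application."""
    dates = defaultdict(list)
    for s in scans:
        dates[s.app].append(s.scan_date)
    gaps = []
    for ds in dates.values():
        ds.sort()
        gaps += [(b - a).days for a, b in zip(ds, ds[1:])]
    return round(sum(gaps) / len(gaps), 1) if gaps else None


if __name__ == "__main__":
    print("by applications affected:", ranked(percent_apps_affected(SCANS)))
    print("by flaw percent:         ", ranked(flaw_percent(SCANS)))
    print("first-scan acceptance:   ", first_scan_acceptance_rate(SCANS))
    print("remediation (days, scans):", remediation(SCANS))
    print("mean days between scans: ", mean_time_between_scans(SCANS))
```

On the constructed data, "Crypto" tops the percent-of-applications ranking (three of four applications have at least one finding) while "XSS" tops the flaw-percent ranking (one application alone contributes 40 of the 50 findings). Which metric to steer by depends on the question: applications affected tells you how widespread a flaw class is in the portfolio, flaw percent tells you where the bulk of the remediation work is.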


This yields a very different list

Cross-site scripting is easy to fix but still the most prevalent.
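As an added example (not from the presentation or Veracode) of why cross-site scripting and CRLF injection, two of the top-five flaw classes above, count as easy to fix: a vulnerable and a hardened version of two small handlers in Python. The handler names, the payloads and the header-value check are constructed for this illustration.

```python
"""Reflected XSS and CRLF (HTTP header) injection, vulnerable and fixed.

Added example, not from the presentation or Veracode. Handler names, payloads
and the header-value check are constructed for the illustration.
"""
import html
import re
from urllib.parse import quote

# Constructed attacker inputs.
XSS_PAYLOAD = '"><script>alert(document.cookie)</script>'
CRLF_PAYLOAD = "en\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>"


def search_page_vulnerable(term):
    # Untrusted input concatenated straight into HTML: classic reflected XSS.
    # The payload closes the attribute and the tag, then adds its own script.
    return f'<p>Results for: {term}</p><input value="{term}">'


def search_page_fixed(term):
    # The fix is output encoding for the context the data lands in.
    # html.escape encodes &, <, >, " and ', so the term is inert both as an
    # element body and inside a quoted attribute value.
    safe = html.escape(term, quote=True)
    return f'<p>Results for: {safe}</p><input value="{safe}">'


def redirect_headers_vulnerable(lang):
    # Header value built from user input. A CR/LF pair lets the attacker end
    # the Location header and append headers (or a body) of their own.
    return [("Location", f"/home?lang={lang}")]


# A header value must be a single line of printable ASCII: no CR, LF or other controls.
_HEADER_VALUE_OK = re.compile(r"^[\x20-\x7e]*$")


def redirect_headers_fixed(lang):
    # Two layers: encode the value for where it is going (a query string),
    # then refuse anything that is still not a single printable line.
    value = f"/home?lang={quote(lang, safe='')}"
    if not _HEADER_VALUE_OK.match(value):
        raise ValueError("refusing header value containing control characters")
    return [("Location", value)]


def contains_script(html_text):
    """True if a live <script> tag survived into the page."""
    return "<script" in html_text.lower()


def header_injected(headers):
    """True if any header name or value carries CR or LF, i.e. the response could be split."""
    return any("\r" in part or "\n" in part for pair in headers for part in pair)


if __name__ == "__main__":
    print(search_page_vulnerable(XSS_PAYLOAD))
    print(search_page_fixed(XSS_PAYLOAD))
    print(redirect_headers_vulnerable(CRLF_PAYLOAD))
    print(redirect_headers_fixed(CRLF_PAYLOAD))
```

Both fixes are a single call at the point where untrusted data crosses into a new context (HTML, an HTTP header), which is why the deck can call them easy; the hard part is applying them at every such point, which is what template auto-escaping and a framework that validates header values do for you. Many current HTTP libraries already reject CR/LF in header values; the explicit check above documents the invariant and covers the stacks that do not.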



Shortest Remediation Cycle

  • Outsourced

  • Open Source

  • Internally Developed

  • Commercial


Commercial has the longest remediation cycles, while Open Source has the shortest.

Average time to remediate: 59 days



Higher percentage of “Very High” Severity Vulnerabilities:

  • Open Source

  • Commercial

Higher percentage of “High” Severity Vulnerabilities:

  • Open Source

  • Commercial


Open Source applications had an equivalent percentage of Very High severity vulnerabilities (buffer overflows, numeric errors) but a higher percentage of High severity vulnerabilities (SQL injection).



Most Dominant Vulnerability Across All Supplier Types

Open Source/Outsourced/Commercial/Internally Developed

  • Cross-Site Scripting (XSS)

  • Cryptographic Issues

  • CRLF Injection

  • Buffer Overflow

  • SQL Injection



Vulnerability Distribution by Supplier



Most Dominant Vulnerability Across Languages

  • Java

  • .NET

  • C/C++

  • Cross-Site Scripting (XSS)

  • Cryptographic Issues

  • CRLF Injection

  • Buffer Overflow

  • SQL Injection



Vulnerability Distribution by Language

Flaw Type by Input



Application Security - Industry Trends



Industry with Best First Submission Rate

Finance-related

Government

Software-related

Other


Financial Services and Government fare best; Software, not so much



Most Dominant Vulnerability Across All Industries

Financial-related/Government/Software-related

  • Cross-Site Scripting (XSS)

  • Cryptographic Issues

  • CRLF Injection

  • Buffer Overflow

  • SQL Injection



Vulnerability Distribution by Industry


Summary - Recommendations

1. Most software is indeed very insecure.

Recommendation: Implement a comprehensive, risk-based application security program.

2. Third-party software is a significant percentage of the enterprise software infrastructure, and third-party components are a significant percentage of most applications.

Recommendation: Implement security acceptance criteria and policies for an approved list of third-party suppliers, and conduct security testing on third-party components prior to integration into the final application.

3. Open source projects have comparable security, faster remediation times, and fewer potential backdoors than Commercial or Outsourced software.

Recommendation: Test open source, outsourced, and commercial applications as rigorously as you would test internally developed code. Do not buy into FUD regarding the use of open source software in critical business applications.

4. A significant amount of Commercial and Open Source software is written in C/C++, making it disproportionately susceptible to vulnerabilities that allow attackers to gain control of systems.

Recommendation: Apply the same review methodologies across all languages and platforms. Do not base your security review plan on ubiquity or complexity (or lack thereof).


Summary – Recommendations (continued)

5. The pervasiveness of easily remedied vulnerabilities indicates a lack of developer education on secure coding.

Recommendation: Implement specific developer training initiatives as part of your overall security program.

6. Software of all types from the Finance and Government sectors was relatively more secure on first submission to Veracode for testing.

Recommendation: Follow the lead of other organizations with high risk profiles; review the steps they took to implement operating controls in complex environments.

7. Outsourced software is assessed the least, suggesting the absence of contractual security acceptance criteria.

Recommendation: Pay particular attention to security requirements when contracting for Outsourced development. Insist upon the authority to perform independent security testing and set minimum acceptance criteria, so that you are not billed for reworking code due to security defects.
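Recommendations 2 and 7 both come down to acceptance criteria that can be checked mechanically before a third-party component is integrated or an outsourced delivery is accepted. The policy gate below is an added example, not the presentation's or Veracode's code; the Finding and Policy structures, the severity labels and the two sample vendor builds are constructed for the illustration, and the CWE numbers attached to the sample findings are the standard ones for those flaw classes.

```python
"""Security acceptance criteria as code for third-party and outsourced software.

Added example, not from the presentation or Veracode. Finding/Policy shapes,
severity labels and the sample builds are constructed for the illustration;
the CWE numbers are the standard ones for those flaw classes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # scanner's flaw class, e.g. "SQL Injection"
    severity: str   # "Very High", "High", "Medium", "Low"
    cwe: int


@dataclass(frozen=True)
class Policy:
    blocking_severities: frozenset   # any finding at these levels fails the gate
    blocking_categories: frozenset   # any finding in these classes fails, whatever its severity
    max_medium: int                  # Medium findings tolerated before the gate fails


# Minimum bar for code you did not write: nothing High or above, none of the
# deck's top-five flaw classes at any severity, and a cap on Medium findings.
OUTSOURCED_DEFAULT = Policy(
    blocking_severities=frozenset({"Very High", "High"}),
    blocking_categories=frozenset({"Cross-Site Scripting", "Cryptographic Issues",
                                   "CRLF Injection", "Buffer Overflow", "SQL Injection"}),
    max_medium=5,
)


def evaluate(findings, policy):
    """Return (accepted, reasons).

    `findings` is None when the component has never been scanned, which is itself
    a failure: untested code is not accepted. Every violated criterion is listed
    so the supplier gets one complete rework list rather than the first failure."""
    if findings is None:
        return False, ["no security test on record for this component"]
    reasons = []
    for f in findings:
        if f.severity in policy.blocking_severities:
            reasons.append(f"{f.severity} severity: {f.category} (CWE-{f.cwe})")
        elif f.category in policy.blocking_categories:
            reasons.append(f"blocked flaw class at {f.severity} severity: "
                           f"{f.category} (CWE-{f.cwe})")
    mediums = sum(1 for f in findings if f.severity == "Medium")
    if mediums > policy.max_medium:
        reasons.append(f"{mediums} Medium findings exceed the limit of {policy.max_medium}")
    return not reasons, reasons


# Constructed scan results for two deliveries of the same outsourced component.
VENDOR_BUILD_1 = [
    Finding("SQL Injection", "High", 89),
    Finding("Cryptographic Issues", "Medium", 327),
    Finding("Information Leakage", "Medium", 200),
    Finding("Code Quality", "Low", 398),
]
VENDOR_BUILD_2 = [   # after rework: the two blocking findings are gone
    Finding("Information Leakage", "Medium", 200),
    Finding("Code Quality", "Low", 398),
]


if __name__ == "__main__":
    for name, build in [("build 1", VENDOR_BUILD_1), ("build 2", VENDOR_BUILD_2), ("unscanned", None)]:
        accepted, why = evaluate(build, OUTSOURCED_DEFAULT)
        print(name, "ACCEPT" if accepted else "REJECT", *why, sep="\n  ")
```

Writing the criteria down this way gives the contract something concrete to reference ("the deliverable passes OUTSOURCED_DEFAULT on an independent scan"), and the reasons list is the rework list you hand back to the supplier at their cost rather than yours. Treat the unscanned case as a failure on purpose: the deck's own finding is that outsourced software is assessed the least.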


Sneak Preview – State of Software Security Volume 2

40% of an enterprise's application inventory is comprised of 3rd-party applications.

30-70% of what customers classify as "internally developed" is in fact 3rd-party components and libraries.

40% 3rd-party applications + (30-70% 3rd-party libraries inside internal applications) = a lot of 3rd-party code


Thank You

Questions?