Upload File

we see the future and it isn’t pretty

35
We See the Future and It Isn’t Pretty Chris Eng Vice President of Research, Veracode June 5, 2013

Upload: others

Post on 21-Mar-2022

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: We See the Future and It Isn’t Pretty

We See the Future and It Isn’t Pretty

Chris Eng

Vice President of Research, Veracode

June 5, 2013

Page 2: We See the Future and It Isn’t Pretty

What is the SoSS Report?

SoSS is the “BEFORE” Breach Reports are the “AFTER”

Page 3: We See the Future and It Isn’t Pretty

Dataset Overview 22,430 application builds from Jan 2011 to Jun 2012

Page 4: We See the Future and It Isn’t Pretty
Page 5: We See the Future and It Isn’t Pretty

▸ Industry vertical

▸ Supplier (internal, third-party, open source, etc.)

▸ Application type

▸ Business criticality

▸ Language

▸ Platform

Application Metadata

▸ Scan number

▸ Scan date

▸ Lines of code

Scan Data

▸ Flaw counts

▸ Flaw percentages

▸ Application count

▸ Risk-adjusted rating

▸ First scan acceptance rate

▸ Time between scans

▸ Days to remediation

▸ Scans to remediation

▸ Team comparisons

▸ Custom policies

▸ PCI-DSS†

▸ CWE/SANS Top25†

▸ OWASP Top Ten†

Enterprise Metrics

† Pass/Fail only

Page 6: We See the Future and It Isn’t Pretty

Caveats

Customer base is already security-conscious

Bias toward business critical applications

Applications are at inconsistent phases in the SDLC

Not all flaws are easy to exploit

Analysis technology is continuously being improved

All security testing has False Negatives

Page 7: We See the Future and It Isn’t Pretty

Latent Vulnerabilities

vs. Attacks

Don’t copy and paste this slide, the margins are different on the left half

Page 8: We See the Future and It Isn’t Pretty

Top 5 Attacked Web Application Vulnerabilities

Page 9: We See the Future and It Isn’t Pretty

Key Finding

70% of applications failed to comply with enterprise security policies on first submission

Page 10: We See the Future and It Isn’t Pretty

New Applications have Known and Exploitable Vulnerabilities

Page 11: We See the Future and It Isn’t Pretty

Build Over Build Improvement

Page 12: We See the Future and It Isn’t Pretty

Key Finding

SQL injection prevalence has plateaued, affecting approximately 32% of web applications

Page 13: We See the Future and It Isn’t Pretty

Flat SQL Injection Trend Enables Ongoing Attacks in 2013

Page 14: We See the Future and It Isn’t Pretty
Page 15: We See the Future and It Isn’t Pretty

Programming Language Selection Matters

Page 16: We See the Future and It Isn’t Pretty
Page 17: We See the Future and It Isn’t Pretty

Language Details

Page 18: We See the Future and It Isn’t Pretty
Page 19: We See the Future and It Isn’t Pretty

Java Applications

Page 20: We See the Future and It Isn’t Pretty
Page 21: We See the Future and It Isn’t Pretty

.NET Applications

Page 22: We See the Future and It Isn’t Pretty
Page 23: We See the Future and It Isn’t Pretty

PHP Applications

Page 24: We See the Future and It Isn’t Pretty
Page 25: We See the Future and It Isn’t Pretty

ColdFusion Applications

Page 26: We See the Future and It Isn’t Pretty

Flaw Prevalence by Language

0% 20% 40% 60% 80% 100%

SQL Injection

XSS

Crypto Issues

Directory Traversal

Command Injection

ColdFusion

PHP

.NET

Java

Page 27: We See the Future and It Isn’t Pretty

Improvement by Language, 1st to 2nd Scan

0% 10% 20% 30% 40% 50% 60%

SQL Injection

XSS

Crypto Issues

Directory Traversal

Command Injection

PHP

.NET

Java

Page 28: We See the Future and It Isn’t Pretty
Page 29: We See the Future and It Isn’t Pretty

C/C++ Applications

Page 30: We See the Future and It Isn’t Pretty

Key Finding

Cryptographic issues affect a sizeable portion of Android (64%) and iOS (58%) applications

Page 31: We See the Future and It Isn’t Pretty
Page 32: We See the Future and It Isn’t Pretty
Page 33: We See the Future and It Isn’t Pretty
Page 34: We See the Future and It Isn’t Pretty

70% of applications failed to comply with enterprise security policies on first submission

SQL injection prevalence has plateaued, affecting approximately 32% of web applications

Eradicating SQL injection in web applications remains a challenge as organizations make tradeoffs around what to remediate first

Cryptographic issues affect a sizeable portion of Android (64%) and iOS (58%) applications

Average CISO tenure continues to decline

The rise of the “Everyday Hacker”

Decreased job satisfaction/ higher turnover for security professionals

Default encryption, not opt-in, will become the norm

Key Findings Predictions

Page 35: We See the Future and It Isn’t Pretty

Questions? Thank You!

@chriseng


Pretty woman walkin down the street Pretty woman, the kind I like to meet Pretty woman

Pretty Woman

CAN YOU SEE ALL THE PRETTY COLORS?? Are females genetically superior to males? Let’s find out!!

Pretty Woman - Oh Pretty Woman

Drugs and the Body—It Isn’t Pretty · El uso de la droga éxtasis causa que la persona cruja involuntariamente los dientes. Algunos consumidores necesitan usar protectores dentales

Basic Science Concepts Chapter 2 - dec.alaska.gov€¦ · that has mass (weight) and occupies space. And that’s just about everything, isn’t it? But it’s pretty obvious that

Drugs and the Body—It Isn’t Pretty - Scholasticheadsup.scholastic.com/sites/default/files/posters/DrugsBody_poste… · Tired and Moody A chemical called serotonin helps you stay

Pretty Woman - Oh Pretty Woman by Roy Orbison

This is my car. Here it is from another angle. (Isn’t my wife pretty?) Wow. Some of those cars don’t look too good

Recalling More Than aThan a Pretty Pretty PPPlacePlacelace ... › documents › parks › parks-trails › gates-other-woodstock .pdfThan aThan a Pretty Pretty PPPlacePlacelace War,

by Sarah Gancher - TheaterWorks...Place (MTC). Off-Broadway: I See You (The Flea); Through the Yellow Hour, Blind and That Pretty Pretty or The Rape Play (Rattlestick); premiere of

Drugs and the Body—It Isn’t Pretty - Scholastic · 2020-02-10 · Drugs and the Body—It Isn’t Pretty Nicotine. Heroin. Cocaine. Marijuana. Inhalants. Methamphetamine. Steroids

bumps around the sting site sharp pain up through my armpit a feeling like your throat is closing (but it isn’t) numbness pretty much anywhere. As

What a Face! We’ve all seen little kids get their first taste of something bitter (lemons, pickles, etc) and it’s funny. But it isn’t pretty, cute or

Not Too Pretty Pretty - Environmental Working Group

Pretty Pretty Princess Mini Session Event

AMA Sound/Noise Abatement RecommendationsAMA Sound/Noise Abatement Recommendations What is a pretty sound to us as modelers isn’t necessarily a pretty sound to our neighbors. This

LEXlexmatters.com/LEXGrassGreener.pdf · lawyer is pretty good, and the grass isn’t always greener on the other side. In reality, the glamour quickly wore off. I spent too much

Pretty Baby

Isn’t it time to see what you’ve been missing? · The world’s most sophisticated laser cataract surgery system Isn’t it time to see what you’ve been missing? ABOUT cataracts

Clarity vs. Purity: When it comes to water, what you see isn’t always what you get Mark Dzurko

AMA Sound/Noise Abatement Recommendations Doc 927 Noise Abatement Recom… · AMA Sound/Noise Abatement Recommendations What is a pretty sound to us as modelers isn’t necessarily

Isn’t it time? . . . Isn’t it time we all say . .

HOW AUTUMN GETS BIKINI READYd2rxohj08n82d5.cloudfront.net/.../21D_3DayQuickFix.pdf · The 3 Day Quick Fix can be pretty challenging, so be ready for it. And if it isn’t for you,

actingouttheatreco.orgactingouttheatreco.org/wp-content/.../I-feel-pretty... · Feel Pretty 172 (MARIA) who can that at - See the pret -ty girl in that mir - ror there: 180 cresc

23-Oct-15 Style. Why style matters Good style isn’t just to make your code “look pretty” The most critical factor in style is readability If a program

Innovation Isn’t PrettyInnovation isn’t pretty · 2018. 4. 11. · PowerPoint Presentation Author: Pete Lefebvre Created Date: 4/6/2018 9:37:34 AM

NATURAL HIGHS - WordPress.com · the landscape is (although it is pretty epic: the kind of place that makes you realise China isn’t all manufacturing towns, shimmering high-rises

I like to see people fall. I look pretty with long hair. Kentucky Wildcats Stink

VENDASTA RESOURCES Blog Post SEO Checklist€¦ · • Aim for a keyword density 2-3% (all keywords combined) • Make sure you put the user first—keyword stuffing isn’t pretty

Drugs and the Body—It Isn’t Pretty - Scholastic · El funcionamiento adecuado de la memoria a corto plazo es necesario para aprender y realizar tareas que requieran uno o dos

Prototype, Storyboards, Mindmeistermelissa/WEB/20162-docs/INF1802... · Storyboards Storyboarding isn’t about “pretty pictures” it’s about communicating ideas From Scott Klemmer:

PHOTOS BY ANTHEA ABNAKI. OOAKURA A K U R A See page 9 · I’m pretty sure there are no pretty ladies connecting callers in the Spot-swood Exchange! Also at present in Spotswood the

COLORCOLOR. COLORCOLOR Why do I see all those pretty colors?

rUnning The nUme rS - Professional Remodeler · “pretty pictures”; they want to see the “before” shots, too. And they want to see video testimonials from past customers in