State of Software Security 1 Jeff Ennis, CEH Solutions Architect Veracode.
-
Upload
georgia-channell -
Category
Documents
-
view
218 -
download
3
Transcript of State of Software Security 1 Jeff Ennis, CEH Solutions Architect Veracode.
State of Software Security
1
Jeff Ennis, CEHSolutions ArchitectVeracode
Agenda
Background – Metrics, Distribution of Applications
Security of Applications
Application Security - Industry Trends
Summary
2
Background – Basis for insights
For over three years, Veracode has been providing automated security analysis of software to large and small enterprises across various industry segments.
One of the residual effects is the wealth of security metrics derived from the anonymized data across varied industries and types of applications.
These metrics offer valuable insights on the quality of application security and issues related to the current state-of-practice and maturity of security in software.
Veracode was founded in 2006 by application security experts from @stake, Guardent, Symantec, and VeriSign.
Veracode provides automated security assessment capabilities in the cloud. Automated techniques include static binary analysis and dynamic analysis. Manual test data (if performed) is included in the analysis
3
Enterprise Industry vertical (enumerated)
Application Application Supplier Type
(internal, purchased, outsourced,
open source) Application Type
(Web facing / Non-web) Assurance Level (1 to 5) Language (enumerated) Platform (enumerated)
Scan Scan Number Scan Date Lines of Code
The Data Set + Metrics
Metrics Flaw Count FlawPercent ApplicationCount First Scan Acceptance Rate Veracode Risk Adjusted Score MeanTimeBetweenScans Days to Remediation Scans to Remediation PCI pass/fail SANS Top25 pass/fail OWASP pass/fail Two flavors: ’04 and ’07
4
1591 Applications and billions of lines of code
34%
32%2%
32%
Applications by Industry
FinancialSoftwareGovernmentOther
30%
60%
8%2%
Applications by Supplier
CommercialInternally DevelopedOpen SourceOutsourced
Sample Distribution
47%
31%
22%
Applications by Language
JavaC/C++.NET
52%
38%
7%
2%
1%
Applications by Platform
JavaWintelLinuxSolarisMobile
5
High Business Criticality does not drive all development projects “in-house.” More than 30% of all applications rated High or Very High in business criticalitywere sourced by Commercial software vendors
What is the distribution of languages in your enterprise? Do you have the same testing methodologies and practices across your application portfolio?
Security of Applications
8
Application Security – Scanning Results
The majority of software (provided by customers for scanning)
_______ Secure (Pass)
_______ Insecure (Fail)
9
Majority of software is insecure
10
Pass: 42%
Fail: 58%
From all (self-selected) set of applications that were submitted to Veracode for assessment
Majority compliant with OWASP Top 10 or SANS Top 25 ?
11
Majority not compliant with OWASP Top 10 or SANS Top 25
12
Applications with the Best First-Scan Acceptance Rate
13
• Outsourced
• Open Source
• Internally Developed
• Commercial
Internal Apps have Best First Scan Acceptance Rate
14
Most Common Issues in Applications (percent of application affected)
15
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• CRLF Injection
• Buffer Overflow
• SQL Injection
Cryptographic Issues Most Common in Applications
16
Most Prevalent Vulnerabilities
17
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• CRLF Injection
• Buffer Overflow
• SQL Injection
Flaw Percent = Flaw Count / Total
This yields a very Different List
Cross-site Scripting easy to fix but still most prevalent
18
Shortest Remediation Cycle
19
• Outsourced
• Open Source
• Internally Developed
• Commercial
Commercial has longest remediation cycles
while Open Source is shortest
20
Average Time to Remediate: 59 days
Higher percentage of “Very High” Severity Vulnerabilities:
21
• Open Source
• Commercial
Higher percentage of “High” Severity Vulnerabilities:
• Open Source
• Commercial
Open Source applications had an equivalent percentage of Very High severity vulnerabilities (Buffer Overflows, Numeric Errors), but a higher percentage of High Severity vulnerabilities (SQL Injection)
Most Dominant Vulnerability Across All Supplier Types
23
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• CRLF Injection
• Buffer Overflow
• SQL Injection
Open Source/Outsourced/Commercial/Internally Developed
Vulnerability Distribution by Supplier
Most Dominant Vulnerability Across Languages
25
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• CRLF Injection
• Buffer Overflow
• SQL Injection
• Java• .NET• C/C++
Vulnerability Distribution by Language
Flaw Type by Input
Application Security - Industry Trends
27
Industry with Best First Submission Rate
Finance-related
Government
Software-related
Other
28
Financial Services and Government fare best Software not so much
29
Most Dominant Vulnerability Across All Industries
30
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• CRLF Injection
• Buffer Overflow
• SQL Injection
Financial-related/Government/Software-related
Vulnerability Distribution by Industry
Summary - Recommendations
32
1. Most software is indeed very insecure.
Recommendation: Implement a comprehensive, risk-based application security program
2. Third-party software is a significant percentage of the enterprise software infrastructure, and third-party components are a significant percentage of most applications.
Recommendation: Implement security acceptance criteria and policies for an approved list of third-party suppliers, and conduct security testing on third-party components prior to integrationinto the final application
3. Open source projects have comparable security, faster remediation times, and fewerpotential backdoors than Commercial or Outsourced software.
Recommendation: Test open source, outsourced, and commercial applications as rigorously as you would test internally developed code. Do not buy into FUD regarding the use of open source software in critical business applications.
4. A significant amount of Commercial and Open Source software is written in C/C++ making it disproportionately susceptible to vulnerabilities that allow attackers to gain control of systems.
Recommendation: Apply the same review methodologies across all languages and platforms.Do not base your security review plan on ubiquity or complexity (or lack thereof).
Summary – Recommendations (continued)
33
5. The pervasiveness of easily remedied vulnerabilities indicates a lack of developer education on secure coding.
Recommendation: Implement specific developer training initiatives as part of your overall security program
6. Software of all types from Finance and Government sectors was relatively more secure on first submission to Veracode for testing.
Recommendation: Follow the lead of other organizations with high risk profiles; review the steps they took to implement operating controls in complex environments
7. Outsourced software is assessed the least, suggesting the absence of contractual securityacceptance criteria.
Recommendation: Pay particular attention to security requirements when contracting for Outsourced development. Insist upon the authority to perform independent security testing and set a minimum acceptance criteria. This way you are not charged/billed for reworking code due to security defects.
Sneak Preview – State of Software Security Volume 2
34
40% of an enterprise’s application inventory is comprised of 3rd party applications
30 – 70% of what customers classify as “internally developed” is in fact 3rd party components and libraries
40% 3rd party applications + (30-70% 3rd party libraries) Internal applications = A lot of 3rd party code
Thank You
Questions?
35