State of Software Security Report
Volume 2
Jeff Ennis, CEH
Solutions Architect
Veracode
Agenda
• Background – Metrics, Distribution of Applications
• Security of Applications
• Third Party Risk
• Summary
Background – Basis for insights
For over three years, Veracode has been providing automated security analysis of software to large and small enterprises across various industry segments.
One of the residual effects is the wealth of security metrics derived from the anonymized data across varied industries and types of applications.
These metrics offer valuable insights on the quality of application security and issues related to the current state-of-practice and maturity of security in software.
Veracode was founded in 2006 by application security experts from @stake, Guardent, Symantec, and VeriSign.
Veracode provides automated security assessment capabilities in the cloud. Automated techniques include static binary analysis and dynamic analysis. Manual test data (if performed) is included in the analysis.
The Data Set + Metrics
2922 applications and billions of lines of code.
Data set:
Enterprise
• Industry vertical (enumerated)
Application
• Application Supplier Type (internal, purchased, outsourced, open source)
• Application Type (web facing / non-web)
• Assurance Level (1 to 5)
• Language (enumerated)
• Platform (enumerated)
Scan
• Scan Number
• Scan Date
• Lines of Code
Metrics:
• Flaw Count
• Flaw Percent
• Application Count
• First Scan Acceptance Rate
• Veracode Risk Adjusted Score
• Mean Time Between Scans
• Days to Remediation
• Scans to Remediation
• PCI pass/fail
• SANS Top 25 pass/fail
• OWASP pass/fail (two flavors: ’04 and ’07)
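The deck names its data set (Enterprise, Application, Scan) and its metrics but never shows how the metrics are derived from scan records. The Python below is an added example, not Veracode's code and not the report's methodology: it models the three record levels on a few constructed scan records and computes First Scan Acceptance Rate (overall and by Application Supplier Type), Flaw Percent using the deck's later "Flaw Count / Total" formula, Mean Time Between Scans, Days to Remediation and Scans to Remediation. Every metric definition here is an assumption (for instance, Flaw Percent is counted over first submissions only); the Veracode Risk Adjusted Score and the PCI, SANS Top 25 and OWASP pass/fail policies are not modeled.

```python
# Added example, not Veracode's code: deriving the deck's scan metrics from
# Enterprise -> Application -> Scan records. Metric definitions are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass
class Scan:
    number: int        # scan number within the application; 1 = first submission
    scan_date: date
    lines_of_code: int
    flaws: dict        # flaw category -> count reported by this scan
    passed: bool       # policy result for the application's assurance level

@dataclass
class Application:
    name: str
    vertical: str         # industry vertical of the submitting enterprise
    supplier_type: str    # internal, purchased, outsourced, open source
    web_facing: bool
    assurance_level: int  # 1 to 5
    language: str
    scans: list           # Scan records

def first_scan(app):
    return min(app.scans, key=lambda s: s.number)

def first_scan_acceptance_rate(apps):
    """Fraction of applications whose first submission passed policy."""
    return sum(first_scan(a).passed for a in apps) / len(apps)

def acceptance_rate_by_supplier(apps):
    """First-scan acceptance rate broken down by Application Supplier Type."""
    groups = defaultdict(list)
    for a in apps:
        groups[a.supplier_type].append(a)
    return {k: first_scan_acceptance_rate(v) for k, v in groups.items()}

def flaw_percent(apps, category):
    """Flaw Percent = Flaw Count / Total (the deck's formula), counted here over
    first submissions only; which scans the report counts is an assumption."""
    total = sum(sum(first_scan(a).flaws.values()) for a in apps)
    found = sum(first_scan(a).flaws.get(category, 0) for a in apps)
    return found / total if total else 0.0

def scans_to_remediation(app):
    """Scan number of the first passing scan; None if the app never passed."""
    passing = [s.number for s in app.scans if s.passed]
    return min(passing) if passing else None

def days_to_remediation(app):
    """Calendar days from the first submission to the first passing scan."""
    number = scans_to_remediation(app)
    if number is None:
        return None
    first_pass = next(s for s in app.scans if s.number == number)
    return (first_pass.scan_date - first_scan(app).scan_date).days

def mean_time_between_scans(app):
    """Mean gap in days between consecutive scans; None with fewer than two."""
    dates = sorted(s.scan_date for s in app.scans)
    if len(dates) < 2:
        return None
    return mean([(b - a).days for a, b in zip(dates, dates[1:])])

# Constructed sample records, not data from the report.
SAMPLE_APPS = [
    Application("payments-web", "Financial", "internal", True, 4, "Java", [
        Scan(1, date(2010, 3, 1), 120_000, {"XSS": 10, "SQL Injection": 2}, False),
        Scan(2, date(2010, 3, 15), 121_000, {"XSS": 2}, False),
        Scan(3, date(2010, 3, 29), 121_500, {}, True),
    ]),
    Application("image-lib", "Software", "open source", False, 2, "C", [
        Scan(1, date(2010, 4, 10), 40_000, {"Buffer Overflow": 4, "Cryptographic Issues": 1}, False),
        Scan(2, date(2010, 5, 10), 40_200, {"Cryptographic Issues": 1}, False),
    ]),
    Application("portal", "Government", "outsourced", True, 3, ".NET", [
        Scan(1, date(2010, 2, 20), 80_000, {}, True),
    ]),
]

if __name__ == "__main__":
    print("application count:", len(SAMPLE_APPS))
    print("first-scan acceptance rate:", first_scan_acceptance_rate(SAMPLE_APPS))
    print("by supplier type:", acceptance_rate_by_supplier(SAMPLE_APPS))
    print("XSS flaw percent:", round(flaw_percent(SAMPLE_APPS, "XSS"), 3))
    for a in SAMPLE_APPS:
        print(a.name, days_to_remediation(a), scans_to_remediation(a),
              mean_time_between_scans(a))
```

Each application keeps the attributes the deck enumerates (supplier type, web facing, assurance level, language) so the per-supplier breakdown and the remediation figures can be sliced the same way the later slides present them; the policy verdict is stored per scan rather than recomputed because the assurance-level policies themselves are not on the page.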
SOSS Volume 2 Data Distribution
Business Criticality (and Application Source)
Security of Applications
Internally Developed – Not So Much
76% of the code components of applications that were labeled as internally developed were third-party components (e.g. open source libraries, commercial third-party libraries, etc.).
Application Security – Scanning Results (first submission)
The majority of software (provided by customers for scanning)
_______ Secure (Pass)
_______ Insecure (Fail)
More than Half of Software Failed
Majority compliant with OWASP Top 10?
8 out of 10 Web Apps Do Not Comply with OWASP Top 10
Most Prevalent Vulnerability?
• SQL Injection
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• CRLF Injection
• Buffer Overflow
Flaw Percent = Flaw Count / Total
Cross-site Scripting Remains the Most Prevalent
Which Language Led in Exposure to XSS?
• Java
• .NET
What is the leading issue regarding C/C++?
• Crypto Issues
• Error Handling
• Buffer Overflow
Cross-site Scripting Remains the Most Prevalent
No single method of application security testing is adequate by itself
Applications with the Best First-Scan Acceptance Rate?
• Outsourced
• Open Source
• Internally Developed
• Commercial
Internal Apps have Best First Scan Acceptance Rate
Shortest Remediation Cycle?
• Outsourced
• Open Source
• Internally Developed
• Commercial
Developers Repaired Security Vulnerabilities Quickly
Financial Sector Spotlight
Security quality is not commensurate with Business Criticality for Financial Industry applications.
Third-Party Assessments
Suppliers of Cloud/Web Apps Most Frequently Subjected to Third-party Risk Assessments
Third-party Risk Assessments (more)
Trends and Conclusions
• Lower than average SQL Injection and XSS prevalence in an app is an indicator that the development team understands secure coding.
• Static analysis is being performed in addition to dynamic analysis on web applications.
• First mobile app risks are appearing in the wild: both vulnerabilities such as the PDF iOS 4 vulnerability used by jailbreakme.com and mobile apps with trojan functionality.
• Backdoor (likely intentional) in critical software such as a Siemens SCADA product discovered and exploited.
• Uptick in cloud-based software being tested.
• Overall, older platforms are getting a more mature SDLC as developers take to mobile and cloud.
Thank You
www.veracode.com