State of Software Security. Jeff Ennis, CEH, Solutions Architect, Veracode.


Agenda
- Background: metrics, distribution of applications
- Security of Applications
- Application Security – Industry Trends
- Summary

Background – Basis for insights
- For over three years, Veracode has been providing automated security analysis of software to large and small enterprises across various industry segments.
- One residual effect is a wealth of security metrics derived from anonymized data across varied industries and types of applications.
- These metrics offer insight into the quality of application security and into the current state of practice and maturity of security in software.
- Veracode was founded in 2006 by application security experts from Guardent, Symantec, and VeriSign.
- Veracode provides automated security assessment capabilities in the cloud. Automated techniques include static binary analysis and dynamic analysis; manual test data (if performed) is included in the analysis.

The Data Set + Metrics
Data set dimensions:
- Enterprise: industry vertical (enumerated)
- Application: supplier type (internal, purchased, outsourced, open source); application type (web-facing / non-web); assurance level (1 to 5); language (enumerated); platform (enumerated)
- Scan: scan number; scan date; lines of code
Metrics:
- Flaw Count
- Flaw Percent
- Application Count
- First Scan Acceptance Rate
- Veracode Risk Adjusted Score
- Mean Time Between Scans
- Days to Remediation
- Scans to Remediation
- PCI pass/fail
- SANS Top 25 pass/fail
- OWASP pass/fail (two flavors: '04 and ')
Applications and billions of lines of code

Sample Distribution (chart)

High business criticality does not drive all development projects in-house: more than 30% of applications rated High or Very High in business criticality were sourced from commercial software vendors.

What is the distribution of languages in your enterprise? Do you have the same testing methodologies and practices across your application portfolio?

Security of Applications

Application Security – Scanning Results
Of the (self-selected) set of applications submitted to Veracode for assessment, the majority of software was insecure: 42% passed (secure), 58% failed (insecure).

Is the majority compliant with the OWASP Top 10 or the SANS Top 25? No: the majority is not compliant with either the OWASP Top 10 or the SANS Top 25.

Applications with the best first-scan acceptance rate, by supplier type (Outsourced, Open Source, Internally Developed, Commercial): internally developed applications have the best first-scan acceptance rate.

Most common issues in applications, measured as the percent of applications affected (Cross-Site Scripting (XSS), Cryptographic Issues, CRLF Injection, Buffer Overflow, SQL Injection): Cryptographic Issues affect the largest share of applications.

Most prevalent vulnerabilities, measured instead by Flaw Percent (Flaw Count / Total flaws) over the same categories (Cross-Site Scripting (XSS), Cryptographic Issues, CRLF Injection, Buffer Overflow, SQL Injection): this yields a very different list. Cross-Site Scripting is easy to fix but is still the most prevalent flaw by count.
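The two rankings on the slides above differ because they use different denominators: "percent of applications affected" counts each application once per category, while Flaw Percent counts every instance. The following is an added example (not Veracode's code or data) that computes both metrics, plus a first-scan acceptance rate by supplier type, over a small constructed set of scan results. The application names, supplier types and counts are made up; the acceptance policy (fail on any Very High or High severity finding) and the severity mapping are assumptions, except that the deck itself places Buffer Overflows and Numeric Errors at Very High and SQL Injection at High.

```python
"""Metrics from the data-set slide, computed over a constructed sample.

Added example, not Veracode's own code or data: application names, supplier
types and finding counts below are made up to show how the metrics behave.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (application, supplier type, {flaw category: flaw count})
SCANS: List[Tuple[str, str, Dict[str, int]]] = [
    ("billing-web", "Internally Developed",
     {"Cross-Site Scripting (XSS)": 40, "SQL Injection": 2, "Cryptographic Issues": 3}),
    ("hr-portal", "Internally Developed",
     {"Cryptographic Issues": 1, "CRLF Injection": 4}),
    ("erp-suite", "Commercial",
     {"Buffer Overflow": 6, "Cryptographic Issues": 2, "Cross-Site Scripting (XSS)": 25}),
    ("cms", "Open Source",
     {"Cross-Site Scripting (XSS)": 60, "SQL Injection": 5}),
    ("partner-api", "Outsourced",
     {"Cryptographic Issues": 2, "CRLF Injection": 1, "Cross-Site Scripting (XSS)": 10}),
    ("crypto-lib", "Open Source",
     {"Cryptographic Issues": 4}),
]

# Assumed severity per category. The deck places Buffer Overflow and Numeric
# Errors at Very High and SQL Injection at High; the rest is an assumption.
SEVERITY = {
    "Buffer Overflow": "Very High",
    "Numeric Errors": "Very High",
    "SQL Injection": "High",
    "Cross-Site Scripting (XSS)": "Medium",
    "CRLF Injection": "Medium",
    "Cryptographic Issues": "Medium",
}
POLICY_FAIL_SEVERITIES = {"Very High", "High"}  # assumed acceptance policy


def percent_apps_affected(scans) -> Dict[str, float]:
    """Share of applications with at least one flaw in each category."""
    affected = Counter(cat for _, _, flaws in scans for cat in flaws if flaws[cat] > 0)
    return {cat: 100.0 * n / len(scans) for cat, n in affected.items()}


def flaw_percent(scans) -> Dict[str, float]:
    """Flaw Percent = Flaw Count / Total flaws, per category."""
    counts: Counter = Counter()
    for _, _, flaws in scans:
        counts.update(flaws)
    total = sum(counts.values())
    return {cat: 100.0 * n / total for cat, n in counts.items()}


def ranking(metric: Dict[str, float]) -> List[str]:
    """Categories ordered from most to least prevalent (ties broken by name)."""
    return sorted(metric, key=lambda cat: (-metric[cat], cat))


def policy_passes(flaws: Dict[str, int]) -> bool:
    """Assumed acceptance policy: no finding at Very High or High severity."""
    return not any(SEVERITY.get(cat, "Medium") in POLICY_FAIL_SEVERITIES
                   for cat, n in flaws.items() if n > 0)


def first_scan_acceptance_rate(scans) -> Dict[str, float]:
    """Percent of each supplier type's applications that pass on first scan."""
    seen: Dict[str, int] = defaultdict(int)
    passed: Dict[str, int] = defaultdict(int)
    for _, supplier, flaws in scans:
        seen[supplier] += 1
        passed[supplier] += int(policy_passes(flaws))
    return {s: 100.0 * passed[s] / seen[s] for s in seen}


if __name__ == "__main__":
    print("By applications affected:", ranking(percent_apps_affected(SCANS)))
    print("By flaw percent:         ", ranking(flaw_percent(SCANS)))
    print("First-scan acceptance:   ", first_scan_acceptance_rate(SCANS))
```

On this sample, Cryptographic Issues lead by applications affected (5 of 6) while XSS leads by Flaw Percent (135 of 165 flaws), because XSS tends to occur many times per application and cryptographic misuse only a few times. When you build the same report from your own scanner output, state which denominator a chart uses; the two tell different stories about where to spend remediation effort.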

Shortest remediation cycle, by supplier type (Outsourced, Open Source, Internally Developed, Commercial): Commercial software has the longest remediation cycles, while Open Source has the shortest. Average time to remediate across the data set: 59 days.

Which has the higher percentage of "Very High" severity vulnerabilities, Open Source or Commercial? And which has the higher percentage of "High" severity vulnerabilities? Open Source and Commercial applications had an equivalent percentage of Very High severity vulnerabilities (Buffer Overflows, Numeric Errors), but Open Source had a higher percentage of High severity vulnerabilities (SQL Injection).

Most dominant vulnerability across all supplier types (Open Source, Outsourced, Commercial, Internally Developed), among Cross-Site Scripting (XSS), Cryptographic Issues, CRLF Injection, Buffer Overflow and SQL Injection.
Chart: Vulnerability Distribution by Supplier.

Most dominant vulnerability across languages (Java, .NET, C/C++), among Cross-Site Scripting (XSS), Cryptographic Issues, CRLF Injection, Buffer Overflow and SQL Injection.
Charts: Vulnerability Distribution by Language; Flaw Type by Input.
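The deck calls Cross-Site Scripting easy to fix and lists CRLF Injection and SQL Injection alongside it as the most prevalent flaw classes across suppliers and languages. The following is an added example (not code from the deck or from Veracode) showing each of the three in the form a static scanner flags, next to the hardened form, using only the Python standard library. The payloads and the in-memory user table are constructed for the demonstration.

```python
"""Added example, not code from the deck or from Veracode: the three injection
flaw classes the slides name (XSS, CRLF Injection, SQL Injection), each in the
form a scanner flags beside a hardened form. All inputs are constructed."""
import html
import re
import sqlite3
from typing import List, Tuple


# --- Cross-Site Scripting: untrusted data written into HTML unencoded --------
def greet_vulnerable(name: str) -> str:
    # Flagged as XSS: a name such as "<script>..." is rendered as markup.
    return "<p>Hello, " + name + "</p>"


def greet_hardened(name: str) -> str:
    # The fix is output encoding for the HTML context the data lands in;
    # quote=True also escapes quotes, so the helper is safe inside attributes.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# --- CRLF Injection: untrusted data written into an HTTP header line ---------
_SAFE_HEADER_VALUE = re.compile(r"[\t\x20-\x7e]*")  # printable ASCII and tab only


def header_value_is_safe(value: str) -> bool:
    """True unless the value carries CR, LF or another control character."""
    return _SAFE_HEADER_VALUE.fullmatch(value) is not None


def location_header_vulnerable(url: str) -> str:
    # Flagged as CRLF injection: "\r\n" inside url starts a new header line,
    # letting the caller inject e.g. a Set-Cookie header of their choosing.
    return "Location: " + url + "\r\n"


def location_header_hardened(url: str) -> str:
    # Reject rather than strip: silently removing CR/LF can hide a probe.
    if not header_value_is_safe(url):
        raise ValueError("control characters are not allowed in a header value")
    return "Location: " + url + "\r\n"


# --- SQL Injection: query text assembled from untrusted input ----------------
def demo_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    # Flagged as SQL injection: the input becomes part of the query grammar.
    return conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    # Parameterised query: the input is bound as data, never parsed as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    xss = "<script>alert(1)</script>"
    print(greet_vulnerable(xss))
    print(greet_hardened(xss))
    crlf = "/home\r\nSet-Cookie: session=attacker"
    print(repr(location_header_vulnerable(crlf)))
    print(header_value_is_safe(crlf))
    conn = demo_db()
    sqli = "' OR '1'='1"
    print(find_user_vulnerable(conn, sqli))
    print(find_user_hardened(conn, sqli))
```

Each fix is one line at the point where data crosses into a different grammar (HTML, the header line, SQL), which is why the deck can call these flaws easy to fix; what makes them prevalent is that the unsafe form is just as short and reads naturally, so it is written thousands of times. Run the block and note that the vulnerable SQL query returns both rows for the `' OR '1'='1` payload while the parameterised query returns none.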

Application Security - Industry Trends

Industry with the best first-submission rate (Finance-related, Government, Software-related, Other): Financial Services and Government fare best; Software not so much.

Most dominant vulnerability across all industries (Financial-related, Government, Software-related), among Cross-Site Scripting (XSS), Cryptographic Issues, CRLF Injection, Buffer Overflow and SQL Injection.
Chart: Vulnerability Distribution by Industry.

Summary - Recommendations
1. Most software is indeed very insecure. Recommendation: implement a comprehensive, risk-based application security program.
2. Third-party software is a significant percentage of the enterprise software infrastructure, and third-party components are a significant percentage of most applications. Recommendation: implement security acceptance criteria and policies for an approved list of third-party suppliers, and conduct security testing on third-party components before integrating them into the final application.
3. Open source projects have comparable security, faster remediation times, and fewer potential backdoors than Commercial or Outsourced software. Recommendation: test open source, outsourced, and commercial applications as rigorously as you would test internally developed code. Do not buy into FUD regarding the use of open source software in critical business applications.
4. A significant amount of Commercial and Open Source software is written in C/C++, making it disproportionately susceptible to vulnerabilities that allow attackers to gain control of systems. Recommendation: apply the same review methodologies across all languages and platforms. Do not base your security review plan on ubiquity or complexity (or lack thereof).

Summary – Recommendations (continued)
5. The pervasiveness of easily remedied vulnerabilities indicates a lack of developer education on secure coding. Recommendation: implement specific developer training initiatives as part of your overall security program.
6. Software of all types from the Finance and Government sectors was relatively more secure on first submission to Veracode for testing. Recommendation: follow the lead of other organizations with high risk profiles; review the steps they took to implement operating controls in complex environments.
7. Outsourced software is assessed the least, suggesting the absence of contractual security acceptance criteria. Recommendation: pay particular attention to security requirements when contracting for outsourced development. Insist on the authority to perform independent security testing and set minimum acceptance criteria, so that you are not billed for reworking code due to security defects.

Sneak Preview – State of Software Security, next volume
- 40% of an enterprise's application inventory is comprised of 3rd-party applications.
- 30–70% of what customers classify as "internally developed" is in fact 3rd-party components and libraries.
- 40% 3rd-party applications + (30–70% 3rd-party libraries inside internal applications) = a lot of 3rd-party code.

Thank You. Questions?