We See the Future and it’s Not Pretty: Predicting the future using vulnerability data
CTO & Co-founder, Veracode
What is the SoSS Report?
SoSS is the “BEFORE”; Breach Reports are the “AFTER”
Dataset Overview
22,430 application builds from Jan 2011 to Jun 2012
Application Security Metrics
▸ Flaw counts
▸ Flaw percentages
▸ Application count
▸ Risk-adjusted rating
▸ First scan acceptance rate
▸ Time between scans
▸ Days to remediation
▸ Scans to remediation
▸ CWE/SANS Top25 (pass/fail)
▸ OWASP Top Ten (pass/fail)
▸ Custom policies
Application Metadata
▸ Industry vertical
▸ Application supplier (internal, third-party, etc.)
▸ Application type
▸ Assurance level
▸ Language
▸ Platform
▸ Scan number
▸ Scan date
▸ Lines of code
▸ Flaw type
The Latent Vulnerabilities vs. The Attacks
Top 5 Attacked Web Application Vulnerabilities
Key Finding:
70% of applications failed to comply with enterprise security policies on first submission.
New applications have known and exploitable vulnerabilities
Build over Build Improvement
Key Finding:
SQL injection prevalence has plateaued, affecting approximately 32% of web applications.
Flat SQL injection trend suggests more attacks in 2013
Programming Language Selection Matters
Language Details
Java Applications
.Net Applications
PHP Applications
ColdFusion
[Chart: Prevalence of Apps With Flaws by Language. Flaw categories: Command Injection, Directory Traversal, Crypto Issues, SQL Injection. Languages compared: ColdFusion, PHP]
[Chart: 1st to 2nd Test Improvement by Language. Flaw categories: Command Injection, Directory Traversal, Crypto Issues, SQL Injection. Languages compared: PHP, .NET, Java. Axis: 20% to 60%]
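The deck lists the metrics the report is built on (first scan acceptance rate, time between scans, days and scans to remediation) and then charts flaw prevalence and first-to-second-scan improvement per language. As an added example that is not part of the Veracode deck or dataset, the following Python computes those metrics from per-build scan records. The SCANS dataset is constructed for illustration, and two definitions are assumptions rather than the report's stated methodology: prevalence is measured on each application's first scan, and "scans to remediation" is the scan number of the first scan that no longer reports the flaw.

```python
from collections import defaultdict
from datetime import date

# Constructed sample dataset (not the Veracode SoSS data): one record per
# application build scan, with the flaw categories the scan reported and
# whether the build met the enterprise security policy.
SCANS = [
    {"app": "A", "lang": "Java", "scan": 1, "date": date(2011, 3, 1),
     "flaws": {"SQL Injection", "Crypto Issues"}, "passed": False},
    {"app": "A", "lang": "Java", "scan": 2, "date": date(2011, 4, 15),
     "flaws": {"Crypto Issues"}, "passed": False},
    {"app": "A", "lang": "Java", "scan": 3, "date": date(2011, 6, 1),
     "flaws": set(), "passed": True},
    {"app": "B", "lang": "PHP", "scan": 1, "date": date(2011, 5, 10),
     "flaws": {"SQL Injection", "Directory Traversal"}, "passed": False},
    {"app": "B", "lang": "PHP", "scan": 2, "date": date(2011, 7, 20),
     "flaws": {"SQL Injection"}, "passed": False},
    {"app": "C", "lang": ".NET", "scan": 1, "date": date(2012, 1, 5),
     "flaws": set(), "passed": True},
    {"app": "D", "lang": "PHP", "scan": 1, "date": date(2012, 2, 14),
     "flaws": {"Command Injection"}, "passed": False},
]


def scans_by_app(scans):
    """Group scan records per application, ordered by scan number."""
    apps = defaultdict(list)
    for s in scans:
        apps[s["app"]].append(s)
    return {app: sorted(recs, key=lambda r: r["scan"]) for app, recs in apps.items()}


def first_scan_acceptance_rate(scans):
    """Share of applications whose first submission passed policy."""
    apps = scans_by_app(scans)
    return sum(recs[0]["passed"] for recs in apps.values()) / len(apps)


def days_to_remediation(scans, flaw):
    """For each app that had `flaw` on its first scan, days until a later scan
    no longer reported it; None if it was never remediated in the window."""
    result = {}
    for app, recs in scans_by_app(scans).items():
        if flaw not in recs[0]["flaws"]:
            continue
        fixed = next((r for r in recs[1:] if flaw not in r["flaws"]), None)
        result[app] = (fixed["date"] - recs[0]["date"]).days if fixed else None
    return result


def scans_to_remediation(scans, flaw):
    """Same as days_to_remediation, counted in scans. Assumed definition:
    the scan number of the first scan that no longer reports `flaw`."""
    result = {}
    for app, recs in scans_by_app(scans).items():
        if flaw not in recs[0]["flaws"]:
            continue
        fixed = next((r for r in recs[1:] if flaw not in r["flaws"]), None)
        result[app] = fixed["scan"] if fixed else None
    return result


def prevalence_by_language(scans, flaw):
    """Share of applications per language whose first scan reported `flaw`
    (assumption: prevalence is measured on the first scan)."""
    totals, affected = defaultdict(int), defaultdict(int)
    for recs in scans_by_app(scans).values():
        lang = recs[0]["lang"]
        totals[lang] += 1
        affected[lang] += flaw in recs[0]["flaws"]
    return {lang: affected[lang] / totals[lang] for lang in totals}


def first_to_second_improvement(scans, flaw):
    """Per language: of apps that reported `flaw` on scan 1 and were rescanned,
    the share whose second scan no longer reported it. Languages with no
    affected, rescanned apps are omitted rather than reported as 0."""
    had, fixed = defaultdict(int), defaultdict(int)
    for recs in scans_by_app(scans).values():
        if len(recs) < 2 or flaw not in recs[0]["flaws"]:
            continue
        lang = recs[0]["lang"]
        had[lang] += 1
        fixed[lang] += flaw not in recs[1]["flaws"]
    return {lang: fixed[lang] / had[lang] for lang in had}


def mean_days_between_scans(scans):
    """Average gap in days between consecutive scans of the same application."""
    gaps = []
    for recs in scans_by_app(scans).values():
        gaps += [(b["date"] - a["date"]).days for a, b in zip(recs, recs[1:])]
    return sum(gaps) / len(gaps) if gaps else None


if __name__ == "__main__":
    print("first scan acceptance rate:", first_scan_acceptance_rate(SCANS))
    print("SQLi days to remediation:", days_to_remediation(SCANS, "SQL Injection"))
    print("SQLi prevalence by language:", prevalence_by_language(SCANS, "SQL Injection"))
    print("SQLi 1st-to-2nd improvement:", first_to_second_improvement(SCANS, "SQL Injection"))
```

The unremediated case (app B still reports SQL Injection on its rescan) is what produces a flat prevalence trend: the flaw count drops only when a rescan comes back clean, so an organization that keeps rescanning without fixing SQL injection contributes nothing to build-over-build improvement.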
Key Finding:
Cryptographic issues affect a sizeable portion of Android (64%) and iOS (58%) applications.
Key Findings:
70% of applications failed to comply with enterprise security policies on first submission.
SQL injection prevalence has plateaued, affecting approximately 32% of web applications.
Eradicating SQL injection in web applications remains a challenge as organizations make tradeoffs around what to remediate first.
Cryptographic issues affect a sizeable portion of Android (64%) and iOS (58%) applications.
Predictions:
Average CISO Tenure Continues to Decline.
The Rise of the Everyday Hacker
Decreased Job Satisfaction/ Higher Turn-over for Security Professionals.
Default Encryption, Not “Opt-in,” the Norm.
Questions?