
2013 GLOBAL APPLICATION SECURITY RISK REPORT


Insights extracted from thousands of application security risks carefully identified, analyzed, scored, and documented for clients with critical application portfolios. Aspect's verification efforts are primarily manual code review and manual security testing, and our results shine a light on the dangers of relying on highly automated approaches to application security.


Executive Summary
Aspect Security has been collecting application security data from our verification efforts, secure coding training programs, and application security program services for over a decade, and sharing it with our clients. In this report, Aspect reveals the results of extensive application security verification efforts over the past two years. The dataset spans thousands of risks from hundreds of applications, both internal and Internet-facing, across a broad range of organizations, including financial, banking, government, defense, ecommerce, transportation, and more. Organizations should take note of the following important results of our analysis:

- 98% of applications presented at least one application security risk, while the average application registered 22.4 risks.
- Authentication and Session Management risks affect 93% of applications and comprise 34% of application vulnerabilities, by far the most prevalent application security risk.
- Compared to automated tools, manual code review and penetration testing identify significantly more serious authentication, access control, and encryption risks.
- Secure coding training and eLearning cause a significant improvement in the prevalence and severity of the risks discovered in applications.
- Application security risk profiles are remarkably similar across different industry sectors.

98% of Applications Have At Least One Risk


Aspect's Application Security Program (ASP) services help organizations develop practical and effective application security programs that include training, assurance, standards, security defenses, governance, organization structure, communications, and more. Our programs are custom designed for your culture, technology, and threat model, and from the first months provide measurable evidence of cost-benefit.

The Data
To produce this report and protect our clients, we took a random sample of our 2011 and 2012 data. The dataset represents thousands of risks from hundreds of application verification efforts across a broad range of organizations, including financial, banking, government, defense, ecommerce, transportation, and more. Many of these organizations have trusted Aspect with the security of a portfolio of their most critical applications. The chart below shows how risks are distributed across the various security areas. As you can see, different sectors are fairly consistent in the distribution of risks that they produce.

2013 | Aspect Security, Inc.


[Chart: % of Risks Per Area By Sector. Vertical axis 0% to 40%; one bar group per sector: Defense Contractor, Education, Finance, Gaming, Government, Healthcare, Insurance, Non-Profit, Publishing, Retail, Software Vendor.]

The applications in the dataset are typically large and complex, with custom authentication and authorization schemes, multiple backend connections and integration points, and considerable sensitive data. The majority are web and mobile applications, but the dataset includes rich-client applications, web-services, products, and more. There is a natural bias in our data towards applications that are critical to their business, as our clients tend to self-select the most important applications for our review. In fact, many of the applications we review are considered critical infrastructure. Our data covers applications written in a broad range of languages. In order of prevalence, the languages include Java, .NET, JavaScript, PHP, Python, C/C++, Classic ASP, Cold Fusion, Ruby, and more. We have looked for significant security differences between languages and cannot find anything interesting to report, except that it seems to be possible to write both secure and insecure applications in almost any language.

Aspect Risk Data and the OWASP Top Ten


Aspect Security has been contributing risk data to the OWASP Top Ten project for many years. Aspect created the OWASP Top 10 project in 2002 based on Aspect data and OWASP expert participation. Aspect has led the OWASP Top Ten effort through the 2003, 2004, 2007, 2010, and now 2013 releases. Starting in 2004, the project leveraged prevalence data from multiple sources to provide wider variety in the detection techniques, types of applications, and number of applications these prevalence metrics are based on. With each release, the Top Ten project has increased the number of contributors to this data set, and listed those contributors in the acknowledgement section. In 2010, the Top Ten project explicitly ranked the risks using factors including exploitability, prevalence, detectability, and impact. Currently, only the prevalence factor is based on the prevalence data that the project is able to collect from various sources. Future versions of the Top 10 can hopefully gather public metrics in these areas and use them to help rank those other factors.


Application Security Verification


To understand this report, it's important to understand the source of the underlying data: Aspect's Verification Services. The goal of Aspect's Application Security Verification efforts is to provide our clients with an understanding of the security risks associated with the target application. We believe that our largely manual approach provides the most accurate insight into application security possible.

Methodology -- There are many different approaches to verifying security, and Aspect's process combines the strengths of automated tools, manual penetration testing, and code review. We have evolved our process over a decade of verifying critical enterprise applications and firmly believe it is the most cost-effective approach possible. In particular, using the source code allows us to be far more efficient at verifying design-level security holes than other techniques. We report design flaws as well as implementation bugs, providing practical guidance on how to remediate the problem.

Smart People, Great Tools -- Aspect focuses on verification, not hacking, to ensure that our reviews get coverage in the most cost-effective manner possible. Our goal is to cover as much of the application code (and libraries) as possible, as much of the vulnerability space as possible, and at the highest level of rigor possible. Our analysts are all skilled developers and architects who have decided to focus their efforts on security. We choose the most cost-effective strategy to verify each application. Our remediation advice is never boilerplate, but is tailored for the specific application and specific vulnerability. When development teams can quickly and accurately fix problems, we minimize the cost associated with application security vulnerabilities.

Positive Approach -- We have found that negative approaches to application security over-focus on vulnerabilities and tend to provide weak coverage and minimal assurance. So, Aspect reviews verify that all the critical security controls are present, used properly, and configured properly. Our verifications not only find holes, but also provide assurance that your defenses are strong. One side-effect of our positive approach is that our findings do not always fall into the same categories as other vendors'. Our findings are generally organized around the defenses associated with that vulnerability. In addition, we tend to combine similar findings to help our clients make more strategic remediation efforts. We do not inflate our risk counts, but focus on what will help our clients improve. Rather than listing dozens of SQL Injection or XSS vulnerabilities in a single application, Aspect tends to report a single finding for each pervasive problem, listing specific instances along with a recommended strategy for addressing the issue.

Business Context -- Another important distinction from other approaches is that Aspect incorporates an understanding of the business context of your application. Our findings are not generic reference material, but take into account the specifics of your implementation, environment, and business context. All of our findings are fully verified, and our recommendations are practical and tailored. This allows you to fully understand the risk and saves a significant amount of time for your teams.

Zero False Alarms -- Our process ensures that every risk has been carefully reviewed, reproduced, scored, and documented. This is an inherently manual process that requires an understanding of the business the application supports and some serious thought. Every one of our findings includes the exact location of the problem, a specific description of the risk to the business, and the exact steps to reproduce the issue. We also identify any architectural security issues that are leading to vulnerabilities. To help fix problems, we create specific tailored guidance to remediate each issue. If you are tired of chasing down false alarms, re-scoring vulnerabilities that don't take business context into account, and dealing with boilerplate remediation guidance, Aspect's reviews will come as a welcome change. Aspect's Application Security Verification services enable you to make informed decisions about application security risk and manage security spending effectively. Not only does this approach identify risks, but the process educates your development teams and contributes to the process of continuous improvement.

Data Collection
All of the data referenced in this report was collected and analyzed in Aspect's internal Application Risk Management System (ARMS). We have been using and updating ARMS since 2003 to ensure coverage and consistency across all of our application security efforts. In addition to improving efficiency and protecting our data, ARMS ensures that we capture all the information necessary to help our clients understand the facts about their application security portfolio and make informed decisions. We have found ARMS to be an invaluable tool that greatly improves our process and results.


Results
On average, Aspect identifies 22.4 risks per application we review. As discussed above, many of these findings represent multiple vulnerabilities that share a common cause or remediation approach. For example, most or all XSS or SQL Injection issues are usually reported in a single finding. A primary goal of application security programs should be to lower the number of risks per application, particularly those with the highest severity. Almost 60% of the risks we identify are ranked as CRITICAL, HIGH, or MEDIUM risks once the specific likelihood and business impact have been scored. From a trending perspective, we see very little change in the distribution and criticality of these risks over the last 6 years.

Providing secure coding training has a clear positive effect on application security performance. In some cases (where we have been able to measure the effect), software projects where more than half the developers have been through Aspect's instructor-led courses or eLearning modules show as much as a 76% reduction in vulnerabilities in the code they produce. Aspect recently released a free self-assessment instrument called Secure Coder Analytics. You can create a free account at https://teamquiz.aspectsecurity.com and invite your developers to take a short randomized assessment of their secure coding abilities. The aggregate results show exactly where your team's secure coding weaknesses lie and allow us to focus our training on what really matters. Thousands of developers have participated and we will be publishing the details of what we have learned soon.

Note that the distribution of risks in our dataset, shown in the bar to the right, differs from many other application security studies. Every approach to finding application security vulnerabilities has a bias. Tools tend to find problems that are easy for tools to find. People tend to find vulnerabilities they have mastered previously. As we described above, our combined approach, process, and supporting tools help us compensate for these biases.


As in previous years, our data clearly show that the key areas of authentication, authorization, input validation, and encryption are the most common risks. We believe that our disciplined process and largely manual approach is responsible for our ability to identify these flaws. These mechanisms are typically custom code that is difficult for tools to understand and diagnose. However, as shown below, these areas tend to produce the most critical risks, and should not be overlooked just because they are difficult to find with automation.

Distribution of Risks by Security Area (values recovered from the chart labels)

Identification and Authentication: 23.1%
Input Validation and Encoding: 17.0%
Sensitive Data Protection: 11.8%
Session Management: 11.8%
Access Control/Authorization: 9.2%
Platform Security: 5.3%
Error Handling: 5.1%
Logging and Intrusion Detection: 4.4%
Cross Site Request Forgery (CSRF): 3.6%
Code Quality: 2.8%
Database Security: 2.4%
System Availability - DOS Protection: 2.2%
Accessing External Services: 1.2%

Note that Identification and Authentication is often combined with Session Management, and if we followed suit, that category would dominate the results at 34.9% of the risks we identified. This correlates with the number of authentication-related breaches seen over the past few years. Relating this to the OWASP Top 10, a large chunk of the Input Validation and Encoding flaws we find are cross-site scripting, and the majority of the database security flaws we find are SQL injection. Another way to think about the same data is to consider the likelihood that an application will be vulnerable to a risk in a particular security area. Overall, more than 98% of applications had at least one risk, and only 20% showed five or fewer vulnerabilities. The fact that the top six categories affect over 50% of the applications that Aspect verified is concerning. Combined with the fact that 80% of the applications we reviewed showed more than five risks, this shows that organizations are still struggling to get in front of application security. Still, the prevalence of application security risks is only part of the data necessary to form a strategy; the severity of the problems is at least as important.


[Chart: Percentage of Applications with at Least One Risk by Security Area. Vertical axis 0% to 100%; two series per security area: All Risks, and Critical/High/Medium Only.]

Understanding the severity of risks isn't as easy as simply counting up prevalence numbers. Relying on prevalence alone can sometimes steer you in the wrong direction. The most obvious example is that Error Handling problems are present in 51% of applications, yet they only produce a CRITICAL, HIGH, or MEDIUM risk in 8% of applications. Code Quality is another area where only a small percentage of the problems identified are CRITICAL, HIGH, or MEDIUM risk. There is no simple mapping from vulnerabilities to risk level. Our dataset represents a careful analysis of the business risk of each finding, and it has risks at every severity level in every one of the security areas. This is critically important for organizations to take into account when prioritizing risks. Every risk scoring process must take into account the business context of the application. Otherwise the priorities could end up entirely backwards. For example, a SQL injection problem is frequently CRITICAL, but it might also be a LOW risk finding if the database is already public and only an administrator could possibly exploit the flaw. Just because a tool says a vulnerability is a high risk doesn't mean that it is. Only someone with an understanding of the business context can make that judgment.

Risk Breakdown By Severity

Critical: 2%
High: 12%
Medium: 41%
Low: 30%
Note: 15%


Attacks and Defenses


Understanding vulnerabilities (or weaknesses) is only a small part of application security risk assessment. This graphic from the OWASP Top Ten makes it clear that a risk also involves a lot of context from both the technological environment and the business.

On the next pages, we reveal the results of our attack and defense analysis. When we discover a vulnerability, we identify the attack technique that an attacker would use to exploit the vulnerability. Note that the attack technique we identify is often not the technique that we used to find the vulnerability, since we leverage the many advantages that we have over the attacker in finding vulnerabilities. Nevertheless, understanding the attack technique allows us to accurately score the likelihood that an attacker will find and exploit a vulnerability, taking into account the public awareness of the attack technique, the skills and experience required, the difficulty of performing the attack, and the likelihood of detection. We also detail the defenses (or security controls) we recommend to counter the risks that we uncover.
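The scoring idea from the two passages above (likelihood derived from the attack technique's public awareness, required skill, difficulty and detectability, and the same SQL injection rating CRITICAL in one business context and LOW in another) carried out in code. This is an added illustration, not Aspect's ARMS scoring method: the 0-9 factor scale, the 3/6 band cut-offs, the rating matrix and the sample factor values are all assumptions.

```python
"""Context-aware risk scoring: an added illustration, not Aspect's ARMS method.

The 0-9 factor scale, the 3/6 band cut-offs and the rating matrix are
assumptions modelled loosely on the OWASP Risk Rating Methodology.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Likelihood:
    """How likely an attacker is to find and exploit the flaw (each 0-9)."""
    awareness: int    # 0 = obscure technique, 9 = widely published
    ease_skill: int   # 0 = deep expertise needed, 9 = no skill needed
    ease_attack: int  # 0 = practically infeasible, 9 = trivial to perform
    undetected: int   # 0 = always detected, 9 = never detected
    exposure: int     # 0 = only administrators reach the flaw, 9 = anyone online


@dataclass(frozen=True)
class Impact:
    """What the business loses if the flaw is exploited (each 0-9)."""
    confidentiality: int  # 0 = data already public, 9 = all sensitive data
    integrity: int
    availability: int
    business: int         # financial, reputation and compliance harm


def band(avg: float) -> int:
    """Map a 0-9 average to 0 (low), 1 (medium) or 2 (high); cut-offs assumed."""
    if avg < 3:
        return 0
    return 1 if avg < 6 else 2


# Assumed rating matrix, indexed [likelihood band][impact band]. Negligible
# impact never rates above LOW, which is how a SQL injection against an
# already-public database ends up as a LOW finding despite high likelihood.
MATRIX = (
    ("NOTE", "LOW", "MEDIUM"),
    ("NOTE", "MEDIUM", "HIGH"),
    ("LOW", "HIGH", "CRITICAL"),
)


def _average(values) -> float:
    for v in values:
        if not 0 <= v <= 9:
            raise ValueError(f"factor {v} is outside the 0-9 scale")
    return sum(values) / len(values)


def score(likelihood: Likelihood, impact: Impact) -> str:
    """Rate a finding CRITICAL/HIGH/MEDIUM/LOW/NOTE from its context."""
    lb = band(_average((likelihood.awareness, likelihood.ease_skill,
                        likelihood.ease_attack, likelihood.undetected,
                        likelihood.exposure)))
    ib = band(_average((impact.confidentiality, impact.integrity,
                        impact.availability, impact.business)))
    return MATRIX[lb][ib]


# Constructed example: the same SQL injection technique in two business contexts.
SQLI_TECHNIQUE = dict(awareness=9, ease_skill=8, ease_attack=8, undetected=7)
# Internet-facing application holding customer records.
SQLI_CUSTOMER_DB = (
    Likelihood(**SQLI_TECHNIQUE, exposure=9),
    Impact(confidentiality=9, integrity=7, availability=5, business=9),
)
# The data is already public and only an administrator could reach the flaw.
SQLI_PUBLIC_DB_ADMIN_ONLY = (
    Likelihood(**SQLI_TECHNIQUE, exposure=1),
    Impact(confidentiality=0, integrity=1, availability=1, business=1),
)

if __name__ == "__main__":
    print("customer DB:", score(*SQLI_CUSTOMER_DB))                       # CRITICAL
    print("public DB, admin only:", score(*SQLI_PUBLIC_DB_ADMIN_ONLY))    # LOW
```

The technique factors are identical in both cases; only who can reach the flaw and what it would cost the business differ, which is what moves the rating from CRITICAL to LOW.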


[Chart: Prevalence of Attack Technique to Exploit Vulnerabilities. Horizontal bar chart, 0% to 14%, of some forty attack techniques sorted by prevalence, led by Web Parameter Tampering, Cross-Site Scripting (XSS), Absolute Path Traversal, Network Eavesdropping and Password Management Attack.]

Similarly, we capture extensive information about the recommended defense technique required to protect against attacks. The list of defensive techniques is quite long, as we are generally very specific about how fixes should be made to a particular application. Having application-specific tailored recommendations makes it easier for developers to remediate risks and pass retests. We were surprised to see Defend Against Brute Force at the top of the defense list, but our data is clear. Many applications are still not fully protected against attacks on authentication and session management defenses. The next three defenses are not a surprise, however. Cross-Site Request Forgery Defense, Positive Input Validation, and Strong Cryptography are all frequent recommendations and important defenses for every application.


[Chart: Prevalence of Recommended Defense Techniques. Horizontal bar chart, 0% to 14%, of roughly one hundred defense techniques sorted by prevalence, led by Defend Against Brute Force, Protect against spoofed (forged) requests, Perform Positive Validation and Encrypt Using Strong Cryptography.]


The Future of Application Security


Traditional software assurance tools mostly can't handle JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development. Current static and dynamic tools require a lot of human expertise in order to get good results, and that approach doesn't scale very well, nor does it provide timely results. As software technologies and development practices continue to advance and evolve at a blistering pace, the problems of scale and speed are exacerbated.

Aspect is working hard to find new ways to achieve application security in environments where software is built and deployed in rapid iterations. Our research has produced a new patented application security technology that we call Contrast. You can find out more and try it for free at http://contrastsecurity.com. Contrast departs from the traditional scan-and-fix mentality. Instead, Contrast uses instrumentation to continuously monitor applications during development, test, QA, and even production. Contrast is passive, so it can be used by ordinary software developers and testers, which allows it to scale quickly across an entire application portfolio. Also, Contrast provides results in real time, so developers can fix problems before they even commit a line of code. With Contrast, security experts can spend their time working on new security strategies, creating high-assurance defenses, and keeping an eye on the threat. In addition to a broad set of built-in rules, Contrast can take custom application security policies and push them across an organization's entire codebase, effectively testing them all in parallel and in real time. The role of the application security expert is critical to organizations and must evolve to stay compatible with software development.

Aspect's proven products and services can ensure your organization's applications stay secure with practical, cost-effective results. To find out more, or to talk to one of our application security experts, please contact us at http://aspectsecurity.com.
