Executive Summary
Aspect Security has been collecting application security data from our verification efforts, secure coding training programs, and application security program services for over a decade, and sharing it with our clients. In this report, Aspect reveals the results of extensive application security verification efforts over the past two years. The dataset spans thousands of risks from hundreds of applications, both internal and Internet-facing, across a broad range of organizations, including financial, banking, government, defense, ecommerce, transportation, and more. Organizations should take note of the following important results of our analysis:
98% of applications presented at least one application security risk, while the average application registered 22.4 risks.
Authentication and Session Management risks affect 93% of applications and comprise 34% of application vulnerabilities, by far the most prevalent application security risk.
Compared to automated tools, manual code review and penetration testing identify significantly more serious authentication, access control, and encryption risks.
Secure coding training and eLearning cause a significant improvement in prevalence and severity of the risks discovered in applications.
Application security risk profiles are remarkably similar across different industry sectors.
98% at Risk
Aspect's Application Security Program (ASP) services help organizations develop practical and effective application security programs that include training, assurance, standards, security defenses, governance, organization structure, communications, and more. Our programs are custom designed for your culture, technology, and threat model, and from the first months provide measurable evidence of cost-benefit.
The Data
To produce this report and protect our clients, we took a random sample of our 2011 and 2012 data. The dataset represents thousands of risks from hundreds of application verification efforts across a broad range of organizations, including financial, banking, government, defense, ecommerce, transportation, and more. Many of these organizations have trusted Aspect with the security of a portfolio of their most critical applications. The chart below shows how risks are distributed across the various security areas. As you can see, different sectors are fairly consistent in the distribution of risks that they produce.
[Chart: distribution of risks across security areas, broken out by sector: Defense Contractor, Education, Finance, Gaming, Government, Healthcare, Insurance, Non-Profit, Publishing, Retail, Software Vendor]
The applications in the dataset are typically large and complex, with custom authentication and authorization schemes, multiple backend connections and integration points, and considerable sensitive data. The majority are web and mobile applications, but the dataset includes rich-client applications, web services, products, and more. There is a natural bias in our data towards applications that are critical to their business, as our clients tend to self-select the most important applications for our review. In fact, many of the applications we review are considered critical infrastructure. Our data covers applications written in a broad range of languages. In order of prevalence, the languages include Java, .NET, JavaScript, PHP, Python, C/C++, Classic ASP, Cold Fusion, Ruby, and more. We have looked for significant security differences between languages and cannot find anything interesting to report, except that it seems to be possible to write both secure and insecure applications in almost any language.
are fully verified, and our recommendations are practical and tailored. This allows you to fully understand the risk and saves a significant amount of time for your teams.
Zero False Alarms
Our process ensures that every risk has been carefully reviewed, reproduced, scored, and documented. This is an inherently manual process that requires an understanding of the business the application supports and some serious thought. Every one of our findings includes the exact location of the problem, a specific description of the risk to the business, and the exact steps to reproduce the issue. We also identify any architectural security issues that are leading to vulnerabilities. To help fix problems, we create specific tailored guidance to remediate each issue. If you are tired of chasing down false alarms, re-scoring vulnerabilities that don't take business context into account, and dealing with boilerplate remediation guidance, Aspect's reviews will come as a welcome change. Aspect's Application Security Verification services enable you to make informed decisions about application security risk and manage security spending effectively. Not only does this approach identify risks, but the process educates your development teams and contributes to the process of continuous improvement.
Data Collection
All of the data referenced in this report was collected and analyzed in Aspect's internal Application Risk Management System (ARMS). We have been using and updating ARMS since 2003 to ensure coverage and consistency across all of our application security efforts. In addition to improving efficiency and protecting our data, ARMS ensures that we capture all the information necessary to help our clients understand the facts about their application security portfolio and make informed decisions. We have found ARMS to be an invaluable tool that greatly improves our process and results.
Results
On average, Aspect identifies 22.4 risks per application we review. As discussed above, many of these findings represent multiple vulnerabilities that share a common cause or remediation approach. For example, most or all XSS or SQL Injection issues are usually reported in a single finding. A primary goal of application security programs should be to lower the number of risks per application, particularly those with the highest severity. Almost 60% of the risks we identify are ranked as CRITICAL, HIGH, or MEDIUM risks once the specific likelihood and business impact have been scored. From a trending perspective, we see very little change in the distribution and criticality of these risks over the last 6 years.
Providing secure coding training has a clear positive effect on application security performance. In some cases (where we have been able to measure the effect), software projects where more than half the developers have been through Aspect's instructor-led courses or eLearning modules show as much as a 76% reduction in vulnerabilities in the code they produce. Aspect recently released a free self-assessment instrument called Secure Coder Analytics. You can create a free account at https://teamquiz.aspectsecurity.com and invite your developers to take a short randomized assessment of their secure coding abilities. The aggregate results show exactly where your teams' secure coding weaknesses lie and allow us to focus our training on what really matters. Thousands of developers have participated and we will be publishing the details of what we have learned soon.
Note that the distribution of risks in our dataset, shown in the bar to the right, differs from many other application security studies. Every approach to finding application security vulnerabilities has a bias. Tools tend to find problems that are easy for tools to find. People tend to find vulnerabilities they have mastered previously.
As we described above, our combined approach, process, and supporting tools help us compensate for these biases.
As in previous years, our data clearly show that the key areas of authentication, authorization, input validation, and encryption are the most common risks. We believe that our disciplined process and largely manual approach are responsible for our ability to identify these flaws. These mechanisms are typically custom code that is difficult for tools to understand and diagnose. However, as shown below, these areas tend to produce the most critical risks, and should not be overlooked just because they are difficult to find with automation.
Note that Identification and Authentication is often combined with Session Management, and if we followed suit, that category would dominate the results at 34.9% of the risks we identified. This correlates with the number of authentication-related breaches seen over the past few years. Related to the OWASP Top 10, a large chunk of the Input Validation and Encoding flaws we find are cross-site scripting, and the majority of database security flaws we find are SQL injection. Another way to think about the same data is to consider the likelihood that an application will be vulnerable to a risk in a particular security area. Overall, more than 98% of applications had at least one risk, and only 20% showed five or fewer vulnerabilities. The fact that the top six categories affect over 50% of the applications that Aspect verified is concerning. Combined with the fact that 80% of the applications we reviewed showed more than five risks, this shows that organizations are still struggling to get in front of application security. Still, the prevalence of application security risks is only part of the data necessary to form a strategy: the severity of the problems is at least as important.
[Chart: percentage of applications affected in each security area, shown two ways: All Risks, and Critical/High/Medium Only]
Understanding the severity of risks isn't as easy as simply counting up prevalence numbers. Relying on prevalence alone can sometimes steer you in the wrong direction. The most obvious example is that Error Handling problems are present in 51% of applications, yet they only produce a CRITICAL, HIGH, or MEDIUM risk in 8% of applications. Code Quality is another area where only a small percentage of the problems identified are CRITICAL, HIGH, or MEDIUM risk. There is no simple mapping from vulnerabilities to risk level. Our dataset represents a careful analysis of the business risk of each finding. Our dataset has risks at every severity level in every one of the security areas. This is critically important for organizations to take into account when prioritizing risks. Every risk scoring process must take into account the business context of the application. Otherwise the priorities could end up entirely backwards. For example, a SQL injection problem is frequently CRITICAL, but it might also be a LOW risk finding if the database is already public and only an administrator could possibly exploit the flaw. Just because a tool says a vulnerability is a high risk doesn't mean that it is. Only someone with an understanding of the business context can make that judgment.
[Chart: severity distribution of identified risks: Medium 41%, Low 30%, Note 15%, High 12%]
On the next pages, we reveal the results of our attack and defense analysis. When we discover a vulnerability, we identify the attack technique that an attacker would use to exploit the vulnerability. Note that the attack technique we identify is often not the technique that we used to find the vulnerability, since we leverage the many advantages that we have over the attacker in finding vulnerabilities. Nevertheless, understanding the attack technique allows us to accurately score the likelihood that an attacker will find and exploit a vulnerability, taking into account the public awareness of the attack technique, the skills and experience required, the difficulty of performing the attack, and the likelihood of detection. We also detail the defenses (or security controls) we recommend to counter the risks that we uncover.
[Chart: frequency of attack techniques identified for the discovered vulnerabilities (axis 2% to 14%); technique labels not recoverable]
Similarly, we capture extensive information about the recommended defense technique required to protect against attacks. The list of defensive techniques is quite long, as we are generally very specific about how fixes should be made to a particular application. Having application-specific tailored recommendations makes it easier for developers to remediate risks and pass retests. We were surprised to see Defend Against Brute Force at the top of the defense list, but our data is clear. Many applications are still not fully protected against attacks on authentication and session management defenses. The next three defenses, however, are not a surprise. Cross-Site Request Forgery Defense, Positive Input Validation, and Strong Cryptography are all frequent recommendations and important defenses for every application.