
Data Mining a Mountain of Zero Day Vulnerabilities - Chris Wysopal, CTO & Co-founder - PowerPoint PPT Presentation

  1. Data Mining a Mountain of Zero Day Vulnerabilities - Chris Wysopal, CTO & Co-founder

  2. The Data Set
     • Applications from over 300 commercial and US government customers
     • Scanned 9,910 applications over the past 18 months
     • Ranged in size from 100KB to 6GB
     • Software was pre-release and in production
     • Internally built, outsourced, and commercial ISV code

  3. Application Data
     ▸ Application count
     ▸ Industry vertical
     ▸ Application supplier (internal, third-party, etc.)
     ▸ Application type
     ▸ Assurance level
     ▸ Language
     ▸ Platform
     Scan Data
     ▸ Scan number
     ▸ Scan date
     ▸ Lines of code
     ▸ Flaw counts
     ▸ Flaw percentages
     ▸ Risk-adjusted rating
     Enterprise Metrics
     ▸ First scan acceptance rate
     ▸ Time between scans
     ▸ Days to remediation
     ▸ Scans to remediation
     ▸ PCI-DSS (pass/fail)
     ▸ CWE/SANS Top 25 (pass/fail)
     ▸ OWASP Top Ten (pass/fail)
     ▸ Custom policies
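The slide only names the scan-level and enterprise-level metrics; it does not say how they are derived from the raw scan records. The following is an added example (not Veracode's code and not part of the deck) that computes a few of them over a constructed scan history. The metric definitions, the `Scan` record shape, the sample data and the small `OWASP_TOP_TEN_CWES` policy set are all assumptions made for the illustration; a real OWASP Top Ten policy maps far more CWE identifiers to the ten categories.

```python
"""Enterprise metrics over application scan data.

Added illustration, not Veracode's own code. The metric definitions below
are assumptions for this example: the deck names the metrics (flaw
percentages, first scan acceptance rate, days to remediation, scans to
remediation, OWASP Top Ten pass/fail) but does not state how to compute them.
"""
from dataclasses import dataclass
from datetime import date

# Stand-in policy: findings in any of these CWE ids fail the policy (assumption).
OWASP_TOP_TEN_CWES = {79, 89, 78, 22, 352, 601}


@dataclass
class Scan:
    app: str
    number: int        # scan sequence number within the application
    scanned: date
    flaws: dict        # CWE id -> number of findings in this scan


# Constructed sample data for two applications (not taken from the deck).
SCANS = [
    Scan("billing", 1, date(2011, 1, 10), {79: 12, 89: 3, 200: 4}),
    Scan("billing", 2, date(2011, 2, 1),  {79: 5, 200: 4}),
    Scan("billing", 3, date(2011, 3, 15), {200: 2}),
    Scan("portal",  1, date(2011, 1, 20), {79: 2, 22: 1}),
    Scan("portal",  2, date(2011, 4, 2),  {79: 1, 22: 1}),
]


def passes_policy(scan, policy_cwes=OWASP_TOP_TEN_CWES):
    """A scan passes when no finding falls into a policy CWE (assumed rule)."""
    return all(cwe not in policy_cwes for cwe, n in scan.flaws.items() if n > 0)


def flaw_percentages(scans):
    """Share of all findings per CWE across the whole scan set, in percent."""
    totals = {}
    for s in scans:
        for cwe, n in s.flaws.items():
            totals[cwe] = totals.get(cwe, 0) + n
    grand = sum(totals.values())
    return {cwe: round(100.0 * n / grand, 1) for cwe, n in totals.items()}


def first_scan_acceptance_rate(scans, policy_cwes=OWASP_TOP_TEN_CWES):
    """Fraction of applications whose very first scan already passed the policy."""
    firsts = {}
    for s in scans:
        if s.app not in firsts or s.number < firsts[s.app].number:
            firsts[s.app] = s
    return sum(passes_policy(s, policy_cwes) for s in firsts.values()) / len(firsts)


def remediation(scans, app, policy_cwes=OWASP_TOP_TEN_CWES):
    """(days, scans) from the first failing scan to the first later passing scan.

    Returns (0, 0) if the application never failed, and None while it has
    failed but not yet reached a passing scan (still open).
    """
    history = sorted((s for s in scans if s.app == app), key=lambda s: s.number)
    first_fail = next((s for s in history if not passes_policy(s, policy_cwes)), None)
    if first_fail is None:
        return (0, 0)
    for s in history:
        if s.number > first_fail.number and passes_policy(s, policy_cwes):
            return ((s.scanned - first_fail.scanned).days, s.number - first_fail.number)
    return None


if __name__ == "__main__":
    print("flaw percentages:", flaw_percentages(SCANS))
    print("first scan acceptance rate:", first_scan_acceptance_rate(SCANS))
    for app in ("billing", "portal"):
        print(app, "remediation (days, scans):", remediation(SCANS, app))
```

With the sample data, `billing` fails its first two scans on XSS (CWE-79) and SQL injection (CWE-89) and passes on the third, so its remediation is 64 days and 2 scans, while `portal` is still open; both applications fail on first scan, so the first-scan acceptance rate is 0.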

  4. The Latent Vulnerabilities vs. The Attacks

  5. Top 5 Attacked Web Application Vulnerabilities

  6. Let’s take a closer look at the numbers

  7. Top 3 Vulnerabilities by Language

  8. Top 3 Vulnerabilities by Language

  9. Different developers deliver different vulns

  10. Different developers deliver different vulns: Vulnerability distribution by industry

  11. Are developers making any progress at eradicating cross-site scripting or SQL injection?

  12. Dare we ask, how is the U.S. government sector doing?

  13. What percentage of web applications fail the OWASP Top Ten? a) 34% b) 57% c) 86% d) 99%

  14. Who is holding their software vendors accountable?

  15. So I hear you can run applications on smart phones?

  16. When given an exam on application security fundamentals, over half of developers… a) Receive an A b) Receive a B or worse c) Receive a C or worse d) Fail (receive a D or F)

  17. Questions? Chris Wysopal cwysopal@veracode.com @weldpond
