Data Mining a Mountain of Zero Day Vulnerabilities
Chris Wysopal, CTO & Co-founder
The Data Set
• Applications from over 300 commercial and US government customers
• Scanned 9,910 applications over the past 18 months
• Ranged in size from 100KB to 6GB
• Software was pre-release and in production
• Internally built, outsourced, and commercial ISV code
Dimensions in the data set

Application Data
▸ Industry vertical
▸ Application supplier (internal, third-party, etc.)
▸ Application type
▸ Assurance level
▸ Language
▸ Platform

Scan Data
▸ Scan number
▸ Scan date
▸ Lines of code
▸ Flaw counts
▸ Flaw percentages
▸ Risk-adjusted rating
▸ PCI-DSS (pass/fail)
▸ CWE/SANS Top 25 (pass/fail)
▸ OWASP Top Ten (pass/fail)
▸ Custom policies

Enterprise Metrics
▸ Application count
▸ First scan acceptance rate
▸ Time between scans
▸ Days to remediation
▸ Scans to remediation
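The enterprise metrics above are derived from per-application scan histories. The following is an added example, not Veracode's code or data, showing one way to compute time between scans, days and scans to remediation, and first-scan acceptance rate from a set of scan records. The flaw-id format ("CWE-<id>@<location>"), the constructed sample scans, and the metric definitions (a flaw counts as remediated at the first later scan that no longer reports it; a policy is a set of banned CWE ids) are assumptions made for the example:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scan:
    app: str
    number: int
    scan_date: date
    flaws: frozenset  # flaw ids in the assumed "CWE-<id>@<location>" format


# Constructed sample data (not from the presentation): three apps, a few scans each.
SCANS = [
    Scan("app-A", 1, date(2011, 1, 10), frozenset({"CWE-79@login.jsp", "CWE-89@search.jsp"})),
    Scan("app-A", 2, date(2011, 2, 14), frozenset({"CWE-79@login.jsp"})),
    Scan("app-A", 3, date(2011, 3, 21), frozenset()),
    Scan("app-B", 1, date(2011, 1, 5), frozenset({"CWE-89@report.php"})),
    Scan("app-B", 2, date(2011, 4, 5), frozenset({"CWE-89@report.php"})),
    Scan("app-C", 1, date(2011, 2, 1), frozenset()),
]


def scans_for(app: str, scans: List[Scan] = SCANS) -> List[Scan]:
    """All scans of one application, ordered by scan number."""
    return sorted((s for s in scans if s.app == app), key=lambda s: s.number)


def time_between_scans(app: str, scans: List[Scan] = SCANS) -> List[int]:
    """Days elapsed between each pair of consecutive scans of `app`."""
    seq = scans_for(app, scans)
    return [(b.scan_date - a.scan_date).days for a, b in zip(seq, seq[1:])]


def remediation(app: str, flaw: str, scans: List[Scan] = SCANS) -> Optional[Tuple[int, int]]:
    """(days, scans) from the first scan reporting `flaw` to the first later scan
    where it is absent. None if the flaw was never reported or never fixed."""
    seq = scans_for(app, scans)
    first = next((i for i, s in enumerate(seq) if flaw in s.flaws), None)
    if first is None:
        return None
    for j in range(first + 1, len(seq)):
        if flaw not in seq[j].flaws:
            return ((seq[j].scan_date - seq[first].scan_date).days, j - first)
    return None  # still open at the most recent scan


def cwe_of(flaw: str) -> str:
    return flaw.split("@", 1)[0]


def passes_policy(scan: Scan, banned_cwes) -> bool:
    """Assumed policy model: a scan passes if it reports no flaw of a banned CWE."""
    return not any(cwe_of(f) in banned_cwes for f in scan.flaws)


def first_scan_acceptance_rate(banned_cwes, scans: List[Scan] = SCANS) -> float:
    """Fraction of applications whose very first scan passes the policy."""
    apps = {s.app for s in scans}
    accepted = sum(passes_policy(scans_for(a, scans)[0], banned_cwes) for a in apps)
    return accepted / len(apps)


if __name__ == "__main__":
    policy = {"CWE-79", "CWE-89"}  # XSS and SQL injection, the two flaws the deck focuses on
    for app in ("app-A", "app-B", "app-C"):
        print(app, "days between scans:", time_between_scans(app))
    print("app-A XSS remediation (days, scans):", remediation("app-A", "CWE-79@login.jsp"))
    print("app-B SQLi remediation:", remediation("app-B", "CWE-89@report.php"))
    print("first-scan acceptance rate:", first_scan_acceptance_rate(policy))
```

Unfixed flaws return None rather than a zero, so they can be excluded from a mean or reported separately as still open; averaging them in as zero would understate days to remediation.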
The latent vulnerabilities vs. the attacks
Top 5 Attacked Web Application Vulnerabilities
Let’s take a closer look at the numbers
Top 3 Vulnerabilities by Language
Different developers deliver different vulns
Vulnerability distribution by industry
Are developers making any progress at eradicating cross-site scripting or SQL injection?
Dare we ask, how is the U.S. government sector doing?
What percentage of web applications fail the OWASP Top Ten?
a) 34%
b) 57%
c) 86%
d) 99%
Who is holding their software vendors accountable?
So I hear you can run applications on smart phones?
When given an exam on application security fundamentals, over half of developers…
a) Receive an A
b) Receive a B or worse
c) Receive a C or worse
d) Fail (receive a D or F)
Questions?
Chris Wysopal
cwysopal@veracode.com
@weldpond