How does Veracode look for the presence of frameworks in Java code? Because our customers upload the application packages that they deploy or distribute (as EARs, WARs, or JARs), we can observe the presence of framework classes, configuration files, and other artifacts in the application. We record the prevalence of the framework so that we can mine the anonymized data later. We resample the data every few months to get an idea of relative framework prevalence and to see if any trends can be observed.

Below is our most current Top 10 list for Java frameworks. This list is based on a sample of over 5400 customer applications and was sampled on December 7, 2011. Note that we have decomposed one of the larger framework families, Spring, into its component frameworks to get a better idea of the usage of its individual parts. The percentages reflect the number of Java applications (not individual scans) in which the framework was observed, so an application that was scanned multiple times only counts once in the rankings.

1. Spring MVC (23%)
2. Struts 1.x (15%)
3. Apache Axis (15%)
4. Apache Xerces (14%)
5. Hibernate (12%)
6. JDOM (12%)
7. Java Applet (8.1%)
8. Apache Velocity (7.9%)
9. Apache ORO (7.0%)
10. JAX-WS (6.5%)

A couple of interesting findings here. First, the relative prevalence of Spring MVC and Struts is unsurprising, but the fact that Struts 1.x is #2 on the list and Struts 2 is not even in the Top 10 is a little surprising. (It came in 24th in the overall rankings, in fact, showing up in just 1.8% of the Java applications scanned).

Second, it’s interesting to note that there are multiple frameworks for web services in the top ten, and that Axis appears to have an edge on popularity over JAX-WS.

Third, the relatively high number of applications scanned that contained Java applets was interesting. It’s hard to imagine that 8% of all Java applications have a customer facing applet. One is tempted to speculate that in many cases these applets are administrative interfaces to framework or server code that are left in the application distribution inadvertently or unknowingly, and thus that these represent potentially forgotten attack surfaces for the application.

We’re just starting to mine the data that we’re seeing regarding frameworks. I think that this data should be interesting to development teams looking to choose frameworks that are more widely used. From a security perspective, too, this is a useful reminder that applications rely on third party frameworks, and that some of these may come with their own attack surface (e.g. applets) that shouldn’t be forgotten when planning secure deployments.

1. New Data Protection Laws: “EU to Propose New Data Breach, Privacy Regulations” by Brian Prince (@threatpost). Over the weekend the European Union announced that they would soon be proposing new laws that would require companies that are impacted by cyber attacks / data breaches to inform authorities and customers within 24 hours. The legislation will primarily be focused on protecting online consumers by giving them more online privacy and information security rights. The EU also hopes that the proposed regulations will help simplify their data protection methods. It appears that the proposed laws will probably not go into effect for another two years.

2. SQL Injection Attacks: “Avoidable Attacks Cause Most Data Breaches” by Sophie Curtis (@SCurtiss). In this article, Sophie Curtis provides insight on the widespread lack of prevention against SQL injection hacks shown by many businesses. Curtis reports that businesses with underequipped or out-of-date cyber security methods are among the easiest targets for hackers and that these attacks cost billions of dollars while impacting millions of people annually. The article also provides insight on SQL injection attacks and measures that can be taken in preventing them.

3. Kelihos Botnet: “Microsoft: ‘Kelihos’ botnet master worked for AV vendor” by Ryan Naraine (@ryanaraine). Microsoft has identified the developer behind the “Kelihos” botnet that was responsible for countless spam emails, identity theft, stock scams, and more. According to Microsoft, the software developer is Andrey Sabelnikov, a Russian man who used to work for an antivirus/firewall/security software company. Sabelnikov has been accused of creating over 3,700 subdomains from a Czech free hosting site and using the subdomains to control the Kelihos botnet.

4. Data Privacy Day: “SSCC 81 – NCSA and Data Privacy Day” by Chester Wisniewski (@ChetWisniewski). Happy Data Privacy Day! In this article and podcast, Chet Wisniewski talks about the upcoming holiday (Data Privacy Day is officially January 28th) with Michael Kaiser of the National Cyber Security Alliance. The two discuss the role of the holiday in promoting privacy and cyber security awareness globally as well as what consumers should do to protect themselves.

5. Application Security: “Cover Your App: Five Lessons from Recent Data Breaches” by Scott Vernick (@HuffPostTech). The growing problem of cyber attacks has more and more consumers thinking about the security of their personal information online. Scott Vernick offers five excellent tips on measures consumers can take to protect their data in this article from the Huffington Post.

6. Smartphone Security: “Lookout’s New App Visualizes Mobile Security Threats As They Are Detected Around The World” by Leena Rao (@LeenaRao). As it continues to become more of an issue, we are seeing many companies releasing mobile security solutions. Earlier this week Lookout released a new app for Android users that allows them to monitor cyber attacks as they take place. The app also provides information on the top security threats that are taking place, and the breakdown of malware attacks vs. spyware attacks happening in real time. Products and applications like this will hopefully increase cyber attack awareness amongst smartphone users.

Q: Are you concerned about the merge to electronic healthcare records?

RC: Yes – part of the healthcare reform package has requirements that accelerate the reliance on electronic file records in medicine. There’s some real incentives in the bill that force the industry into doing it relatively quickly. The question in my mind is who the actor is in this case that would go after health care records. Is it a criminal or is it an espionage organization? I don’t know the motivation, but I do know that these enormous insurance companies and enormous medical centers have lots and lots of vulnerabilities because they’ve never looked systematically before and done real sophisticated security analysis – that’s the last thing a major medical center has been doing in the past. So yes it is a source of concern any time a new industry runs headlong into a reliance on IT systems it hasn’t been reliant before.

Q: Is it safe to assume that most attacks come from compromised servers? If so, are there any government agencies or companies that scan for vulnerabilities that notify that company of a server issue?

RC: The simple answer to that is no. The government does not run around scanning private company servers. In fact, unless you specifically sign up with a provider to do that, no one’s going to automatically do it for you.

Q: Would you please comment on what small businesses can do to learn more about what they can do to contribute to increasing security in their respective businesses?

RC: I’m going to say something here that may be a little counter intuitive and a bit controversial. I think small businesses should think about the cloud. I know some people say, “Oh the cloud is automatically insecure,” or, “the cloud is automatically less secure.” Well it depends on what you ask the cloud provider to do. If you’re truly a small business, you don’t have the time, you don’t have the expertise, you don’t have the money to defend yourself to the level of perhaps what you would be satisfied with. But a bunch of small and medium-sized companies going to a cloud provider together can have much better security than they can have individually. If, and this is the key thing, if they ask for it, and if they compare offerings on the criteria of a service, and of security, because if you just go to a cloud provider, they’ll say, “Oh yea, we did all of the security stuff,” and that will be the end of it. You get these situations where you get the cloud provider kind of believing it’s up to you to do your own security, and you think the cloud provider is doing it, so you have to be careful, you have to be explicit, you have to ask them what additional security you can buy from them, and how you have compare the security offerings’ among the cloud providers. But I would urge a small business owner to try to do that rather than try and secure it themselves.

Missed the webcast but still have questions and comments? We’d love to keep the discussion going, so please leave your comments below!

This well-attended webinar generated a huge volume of questions from attendees, so we’ve decided to cut it into two parts. Stay tuned for the second segment tomorrow, but in the mean time, be sure to download and view the full webinar so you can join in!

Q: What are the kinds of cyber attacks that enterprises need to be aware of and who are the threat actors?

Richard Clarke (RC): It sounds like it’s a pretty fundamental question, but it’s confusing a lot of people because particularly the media are putting out all these stories about attacks and every week there’s another major enterprise that’s been attacked and it all gets mixed up in the blender like it’s all the same thing, and it’s not… I think it’s important that we distinguish among the actors and among the kinds of attacks because you can’t really respond to the sort of generalized idea of a hack, you have to respond to the specifics of who is attacking and how they are doing it. So the way I look at it is – I think there are four different kinds of phenomenon we are dealing with. The easy way to remember the four categories is the word CHEW, the first letter of each of the four types, Crime, Hacktivisim, Espionage, and at least potentially, Cyberwar.

Q: What do recent cyber attacks have in common?

RC: We see that there is a growing sophistication, attackers are using multiple techniques in the same attack, they’re using social engineering, vulnerabilities in client-side applications, vulnerabilities in web servers, and they’re doing two stage attacks, where there will be a precursor attack at a supplier company, things like that.

Q: So why are software applications at risk?

Chris Wysopal (CW): Your web applications, mobile applications, your software infrastructure, are parts of this chain of attacks.
RC: Well I think it boils down to the fact that it works. When your target is somebody like Sony or Citibank, which spends a lot of money on antivirus software, firewalls, intrusion detection, intrusion prevention, and even two-factor authentication, and maybe relies on certificates – how else are you going to get in? That’s your mission, that’s your target, that’s what you were told to get into, and you tried to do it the straightforward way, but you’re not going to get in so you keep trying and you eventually end up going in through the applications, or you go in through a third-party and go through their applications… The thing we don’t really traditionally think about is applications.

Q: What are the essential measures of software security that organizations need to be aware of?

RC: One of the things that should be on the list of essentials, is to verify third party code. If you don’t know what’s in the code, or if you’re just trusting the vendor, then you’ve got a problem because now you have no idea what they’ve failed to do, what their standards are, and how they’ve vetted it. There are lots of routine mistakes that people make when writing code, everybody does, and any code package, no matter how small, is going to have some of those mistakes. If they don’t have a systematic way of finding them, you’re in trouble.

Missed the webcast but still have questions? Keep the conversation going in the comments below!

Many of the other nominees are blogs that the Veracode Marketing team regularly follows, and we’d like to encourage our readers to vote for their favorite blogs as well. Here are some of our picks:

• The New School of Information Security for “The Most Educational Security Blog”
• Rational Survivability for “The Most Entertaining Security Blog”
• Uncommon Sense Security for “The Blog that Best Represents the Security Industry”
• Exotic Liability for “Best Security Podcast”

Thanks for reading and don’t forget to cast your votes!

It is for this reason that we chose to include statistics from Android apps in our recently released State of Software Security report. The types of mobile apps our customers analyze are generally not the Angry Birds Rio kind but rather those that serve some commercial purpose. It could be apps for their employees to interact with some enterprise system or apps they make available to their customers to transact financial information or manage healthcare records. The figure below shows the distribution of Android apps submitted by different industry verticals. It is not surprising to see some of the top verticals due to the sensitivity of the data and transactions involved.

Our initial areas of focus for mobile apps has been Information Leakage (i.e. data exfiltration: transmitting potentially sensitive information off the device) and Cryptographic Issues. The table below shows the prevalence of these flaw categories. Each of these categories has a couple of different CWEs represented within it.

While Android may be a new platform, some of the security issues we found are reminiscent of old mistakes we have seen developers make. One example of this was the practice of hard-coding cryptographic keys directly into the application. Over 40% of Android apps contained at least one instance of this flaw, a higher rate than we observe across all non-Android Java applications (only 17% of all non-Android Java applications had at least one instance of hard-coded cryptographic keys). Ironically, a hard-coded key is much simpler to extract from a mobile app than from a J2EE web application since the application can simply be copied off the mobile device! The problem is, once these keys are compromised, any security mechanisms that depend on the secrecy of the keys are then rendered ineffective.

Also with regards to Cryptographic Issues, 61% of Android apps exhibited at least one instance of Insufficient Entropy. In Java applications this usually takes the form of using the statistical random number generator (RNG) rather than the cryptographic RNG. It’s a common mistake seen frequently in Java web applications and can be fixed with a single line of code.

Under Information Leakage, nearly a third of Android apps were transmitting at least one piece of information marked as potentially sensitive. However, measuring the security of mobile apps is dependent on understanding the gap between design and implementation. For example, is it a privacy leak if an application is transmitting your GPS location? If the application is FourSquare, probably not; sharing location information is core to its functionality. On the other hand, if the application is a flashlight app, then the use of GPS data may signify malicious behavior. Read more on this from my colleagues Chris Wysopal and Chris Eng in a recent Dark Reading Article, When Good Apps Go Bad.

Our recommendation to customers is to hold their mobile apps to the same security standards they apply to their enterprise apps. Learn from the common security errors we have seen developers make on older platforms and avoid those on newly authored mobile apps.

Veracode Security Guides

Data Security Resources

1. Zappos Attack: “Zappos Breach Notice: Lessons Learned,” by Tom Field (@SecurityEditor). Field interviews a privacy attorney as she provides her analysis and opinion of Zappos’ response. Points of interest include the decision to shut down the customer service phone lines and denying non-US locations access, the tone and language of the notice, and incident response planning advice for all organizations.

2. T-Mobile Information Leak: “Website weaknesses at fault in T-Mobile hacktivist attack,” by Robert Westervelt, (@rwestervelt). A group calling itself TeaMpOisoN, claimed to have employed SQL Injection in order to attack T-Mobile’s server and gain the names, email addresses, phone numbers, and passwords of employees, which they then posted online. This event occurred a week after Bill Bonnie, T-Mobile’s VP of Information Security, was on a panel focused on understanding the nature and breadth of threats facing organizations.

3. The Tenth Anniversary of Bill Gates’ Trustworthy Computing Memo: Christopher Budd (@ChristopherBudd) recaps the effects of the memo, and provides a unique insider’s view of the impact it had on Microsoft with “10 years after Bill Gate’s Trustworthy Computing memo: What it meant for Microsoft and why every tech company needs one.” David Coursey (@techinciter) muses on the situation today in his post “10 Years After Gates’ Trustworthy Computing Memo, We’re No Better Off,” , stating that “Gates’s ‘eventually’ is still on the horizon.”

4. Google Releases Chrome’s Security Principals: a ZDNet article, “Google shares Chrome browser security principals,” by Ryan Naraine (@ryanaraine), examines Chrome features that help keep hackers away. Following the editorial which highlights Chrome’s sandbox architecture, use of anti-exploit technologies, and a publically documented security handling process, an interesting stream of comments follows.

5. Oracle Critical Patches: Also by Ryan Naraine, “Oracle to ship 66 critical security patches” reports on Oracle’s most recent round of vulnerability fixes, six of which affect its flagship database server, and two of which are labeled as “high risk,” due to a successful attack that caused a significant threat.

6. Symantec Source Code Breach: “Symantec source code breach saga continues,” by Paul Ducklin (@duckblog). Details of Symantec’s new admission of a 2006 hack that lead to the capture of the source code for several of their leading commercial and enterprise products. The Head of Technology, Asia Pacific for Sophos provides his perspective on the occurrences.

Is there anything we missed? As always, please share your thoughts and comments with us and enjoy your weekend!

Veracode Security Guides

Data Security Resources

He examines the impact of this trend on the adoption of cloud platforms, and what this means for the security of applications being migrated to the cloud. The post sheds light on some of the vulnerabilities in applications that are becoming more prevalent, and also reveals interesting stats on high profile data breaches in 2011. Evan highlights the importance of application security testing in the cloud, and the need to implement testing solutions that are delivered quickly, accurately and at a price point that makes this a valued service.

Read the full post here.

Veracode Security Guides

Data Security Resources

Quick intro to SOPA: Simply put, SOPA (Stop Online Privacy Act) and its companion PIPA (Protect IP Act) are two anti-piracy bills intended to strengthen protections against copyright infringement and IP theft. SOPA battles the menace of piracy and intends to protect content creators by requiring that rogue sites be blocked by ISPs, prevented from using online payment services and removed from search engines.

Proponents of SOPA believe this is a worthy goal and would push search engines and other service providers to take a more active stance against copyright violation. On the other hand, the biggest concern appears to be that in the long-term, SOPA could have unintended consequences such as potentially hurting innocent companies, and hindering the process of free speech.

Here are the links to a few posts on SOPA that provide a more factual take on this subject:

How SOPA would affect you, Declan McCullagh, CNET

SOPA and PIPA: Just the Facts, Jared Newman, PC World:

SOPA: The Gloves Come Off, Dan Mitchell, CNN Money

In addition, one of my colleagues heard a piece on NPR when driving into work today that addressed SOPA from both sides of the fence. The founder of Reddit.com was quoted as saying that SOPA would stifle innovation by making it cost prohibitive for new Internet companies to launch. A representative from the Arts community talked about the need for the protection this act can offer. He gave an example of a low budget filmmaker having difficulty raising funds if once complete that movie can be easily pirated and distributed on the Internet.

What are your thoughts on SOPA? Do you believe this would be the end of the free Internet? What would happen if this bill should pass? Would it have any noticeable effect on stemming piracy?

Veracode Security Guides

Data Security Resources

Captain @stake Steve Roge was selling manual code reviews to Fidelity for $150 per hour and every consultant who worked on the project hated him because they didn’t want to sit in a cube with a pencil reviewing code line by line. Steve believes this was the shift when folks like Fidelity started to look for automated solutions because they wanted to go deeper and broader on their application inventory and knew angry consultants wouldn’t scale.

Chris Eng was a security consultant at @stake, delivering web application penetration tests and product security assessments for large enterprises and ISVs. On the date in question, he was pen testing a network appliance, poking around at WebSphere bugs, and gearing up for a product assessment at Macromedia (now Adobe). The interesting thing about that assessment was that we were testing against a beta version of the product. So while many companies were still doing all their security testing post-release -– or not at all -– Macromedia already understood the value of pushing security further back into the SDLC. This was pretty rare at the time.

Tim Jarrett. On January 15, 2002, I was in business school and had just accepted a job offer from Microsoft. At the time it was a very different company–hip deep in the fallout from the antitrust suit and the consent decree; having just launched Windows XP; figuring out where it was going on the web (remember Passport)? And the taking of a deep breath that the Trustworthy Computing memo signaled was the biggest sign that things were different at Microsoft.

And yet not. It’s important to remember that a big part of the context of TWC was the launch of .NET and the services around it (remember Passport)? Microsoft was positioning Passport (fka Hailstorm) as the solution for the Privacy component of their Availability, Security, Privacy triad, so TWC was at least partly a positioning memo for that new technology. And it’s pretty clear that they hadn’t thought through all the implications of the stance they were taking: witness BillG’s declaration that “Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code”. While .NET may have eliminated or mitigated the security issues related to memory management that Microsoft was drowning in at the time, it didn’t do anything fundamentally different with respect to web vulnerabilities like cross-site scripting or SQL injection.

But there was one thing about the TWC memo that was different and new and that did signal a significant shift at Microsoft: Gates’ assertion that “when we face a choice between adding features and resolving security issues, we need to choose security.” As an emerging product manager, that was an important principle for me to absorb–security needs to be considered as a requirement alongside user facing features and needs to be prioritized accordingly. It’s a lesson that the rest of the industry is still learning.

Tyler Shields had left a dot com startup in the fall of 2001 and was in transition to a consulting career with @stake on January 15, 2002. On the specific date that the memo was released, Tyler was employed by a large national security consulting firm and was embedded within the United States Postal Service. Tyler was conducting incident response and forensics engagements on one of the worlds largest networks. Incident response was a mix of constant preparation and occasional frantic engagements. It felt way too responsive.

The Trustworthy Computing Memo motivated Tyler to begin a transition, from incident response and forensics, to application security related research. In Tyler’s eyes, it was becoming clear that secure code was going to be the key to a secure future. At the end of the day, exploits, flaws, vulnerabilities, and security issues generally trace back to an error in code. Attacking the root cause of the problem would provide the most return on the security problem that was rapidly developing. Tyler joined @stake in the fall of 2002 and helped them become the premier application consulting company of the 2000s.

Mark Kriegsman. By January 2002, I had sold my Internet startup (Clearway Technologies), and I was looking around for what I thought the Next Big Thing would be. Within a couple of months, I would join Christien at @stake, shaping and building “SAF”, which would it turn become Veracode’s flagship offering in static binary testing. Given the successes of the last ten years, I’d say “AppSec” was indeed the Next Big Thing!

Christien Rioux was working at @stake, starting the CVS repository for the reboot of the ‘undeveloper studio’ project that he had been working on for two full years already that came to be known as ‘SAF’, the ‘Software Analysis Framework’. Christien was just given clearance by the CEO to hire his first two developers, Mark Kriegsman and Dan Garcia, both of whom have remained either fully or partly employed by Veracode ten years later. Christien had hair and it was blue!

Where were you 10 years ago? We’d love to hear your stories – add them to the comments section.

Veracode Security Guides

Data Security Resources